HC3 Advisory About Growing Vishing Attacks and the Risks of Social Engineering

The Health Sector Cybersecurity Coordination Center (HC3) has alerted the healthcare and public health (HPH) sector to the growing number of social engineering and voice phishing (vishing) attacks.

In cybersecurity terminology, social engineering is the manipulation of people by malicious actors to advance their own agenda. It is an umbrella term that covers many different types of attacks, such as phishing, baiting, whaling, spear phishing, vishing, callback phishing, deepfake software, SMS phishing (smishing), and business email compromise (BEC).

Social engineering techniques are used in phishing attacks to trick staff members into revealing sensitive data such as protected health information (PHI) or sign-in credentials that give the threat actor a foothold in the system, or into installing malware that provides remote access to devices and the systems they connect to. These attacks can be carried out in mass campaigns or can be highly targeted, with the attacker researching the victims and crafting lures for particular individuals.

Phishing is probably the most well-known form of social engineering attack, and most cyberattacks on the healthcare sector use it as the initial access vector. The 2021 HIMSS Healthcare Cybersecurity Survey found that phishing was involved in 45% of healthcare security incidents in the previous 12 months, followed by ransomware attacks. Ransomware threat actors frequently use phishing to gain initial access to healthcare systems, and many groups linked to the Conti ransomware operation are currently using callback phishing as their primary method of obtaining the access they need to conduct their attacks. The Ryuk ransomware gang first used callback phishing in the BazarCall campaigns, in which victims were tricked into installing the BazarLoader malware, which gave the attackers remote access to their systems. Ryuk later became known as Conti, and three breakaway groups began using these callback phishing methods again in March 2021.

With callback phishing, the initial contact is made by email, and social engineering is used to trick the recipient into calling the phone number provided. The lure used in these attacks is usually a warning about an upcoming invoice, a membership expiry, or the end of a free trial, with charges incurred if no action is taken. The initial email contains no hyperlink or attachment; only a telephone number is provided. Email security solutions generally do not flag these messages as malicious, since they cannot tell whether a phone number is malicious or legitimate.
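Because a callback phishing email carries no link or attachment, the signal that does remain is the combination of an unverified phone number, a billing-style lure and a "call us" instruction. The following Python script is an added example, not code from HC3 or from this article, that scores incoming messages on exactly those features for analyst triage. The three sample emails, the trusted-number allow-list and the score threshold are constructed for illustration and are not real indicators.

```python
import re
from dataclasses import dataclass

# North American phone number in common written forms, e.g. (800) 555-0199 or 800-555-0199.
# All groups are non-capturing so findall() returns the full match.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://\S+|www\.\S+", re.IGNORECASE)
CALL_TO_ACTION_RE = re.compile(r"\b(call|phone|dial|contact us at)\b")

# Billing and subscription themes typical of callback phishing lures.
LURE_TERMS = ("invoice", "subscription", "renew", "free trial", "charged",
              "payment", "expire", "membership", "cancel", "refund")

# Constructed allow-list of vendor numbers the organisation has verified out of band.
# A real deployment would populate this from vendor records (hypothetical value).
TRUSTED_NUMBERS = {"8005550100"}

SUSPICIOUS_THRESHOLD = 4


@dataclass
class Verdict:
    suspicious: bool
    score: int
    reasons: list


def normalize_phone(raw: str) -> str:
    """Keep digits only and drop a leading country code so numbers compare consistently."""
    return re.sub(r"\D", "", raw)[-10:]


def score_callback_phish(subject: str, body: str, attachments: tuple = ()) -> Verdict:
    """Heuristic triage score: higher means more consistent with a callback phishing lure."""
    text = f"{subject}\n{body}".lower()
    reasons, score = [], 0

    phones = {normalize_phone(m) for m in PHONE_RE.findall(text)}
    if not phones:
        # Without a phone number there is nothing to call back; not this attack pattern.
        return Verdict(False, 0, ["no phone number present"])

    untrusted = phones - TRUSTED_NUMBERS
    if untrusted:
        score += 2
        reasons.append(f"phone number(s) not on the trusted list: {sorted(untrusted)}")

    if not URL_RE.search(text) and not attachments:
        score += 2
        reasons.append("no links or attachments: the phone number is the only call to action")

    lures = [t for t in LURE_TERMS if t in text]
    if lures:
        score += min(len(lures), 3)
        reasons.append(f"billing/subscription lure terms: {lures}")

    if CALL_TO_ACTION_RE.search(text):
        score += 1
        reasons.append("explicit instruction to call")

    return Verdict(score >= SUSPICIOUS_THRESHOLD, score, reasons)


# Constructed sample messages (subject, body, attachments).
LURE_EMAIL = (
    "Your order confirmation",
    "Thank you for your order. Your annual subscription to PhotoVault Pro has been "
    "renewed and your card will be charged $399.99. If you did not authorise this "
    "invoice, call our billing desk within 24 hours at (800) 555-0199 to cancel.",
    (),
)
LEGIT_EMAIL = (
    "Invoice INV-123 available",
    "Your invoice is available in the portal: https://billing.example.com/inv/123 "
    "Payment is due in 30 days. Questions? Call 800-555-0100.",
    (),
)
BENIGN_EMAIL = ("Lunch", "Team lunch on Friday, reply if you can make it.", ())


if __name__ == "__main__":
    for name, mail in (("lure", LURE_EMAIL), ("legit", LEGIT_EMAIL), ("benign", BENIGN_EMAIL)):
        v = score_callback_phish(*mail)
        print(f"{name:7s} suspicious={v.suspicious} score={v.score} reasons={v.reasons}")
```

The score is deliberately coarse: it is meant to route messages to a human or to a policy that prompts the recipient to verify the number through a known channel, not to block mail on its own. The allow-list of verified vendor numbers is what separates a legitimate invoice reminder from a lure that otherwise uses the same vocabulary.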

According to cybersecurity company Agari, phishing increased by 6% from Q1 2022 to Q2 2022, while hybrid phishing attacks (which include callback phishing) increased by 625%. According to the IBM Security X-Force team, 42% of attacks in Q4 2021 involved phishing, a 30% increase over the previous quarter.

Vishing attacks are conducted entirely over the phone. In a vishing attack in September 2020, threat actors impersonated a Michigan health system and called patients to steal their PHI and member numbers. They spoofed the caller ID so that the calls appeared to come from the health system.

Phishing and other forms of social engineering attacks are a major source of healthcare data breaches. Healthcare organizations are particularly vulnerable to these attacks, especially larger organizations where employees are unlikely to know all of their co-workers. These attacks exploit trust, and healthcare workers are generally trusting and eager to help. People also like to appear competent and avoid asking for help, and they do not want to get into trouble, so they may not report it when they fall victim to a scam. Healthcare settings are also busy, and time-pressured employees may cut corners, which gives scammers an opening.

Protecting against social engineering is challenging because the attacks can arrive through email, instant messaging services, SMS, social media sites, websites, and over the telephone. Hybrid phishing attacks are less likely to be detected by traditional cybersecurity tools. The best defense against these attacks is to employ multiple layers of defenses, update policies and procedures to close security gaps, and provide employees with regular security awareness training.

HC3 recommends the following measures to strengthen defenses against social engineering attacks:

Security awareness training is key to stopping hybrid phishing, vishing, and smishing attacks.

  • Provide security awareness training regularly, several times per year. Use modular computer-based training (CBT) courses so that training fits into busy healthcare workflows.
  • Advise employees to confirm that an email from a known sender was actually sent by that person, using a trusted communication channel or contact.
  • Keep employees informed about the latest campaigns targeting the sector, such as the most recent health-related themes, for instance COVID-19 and Monkeypox.
  • Secure VoIP servers and look for evidence of existing compromise (for example, web shells used for persistence).
  • Consider changing your organization's MFA settings to require a one-time password (OTP) rather than a push notification, to mitigate MFA fatigue.
  • Block malicious domains and other indicators associated with campaigns.
  • Run phishing simulation exercises with employees, including hybrid phishing simulations.