Government Issues Alert of Schemes Against IT Help Desks

The US Health Department recently issued a warning regarding financially-motivated social engineering attacks targeting healthcare organizations. Threat actors, presumed to be foreign-based, are calling IT help desks from local area codes and convincing staff to enroll a new device in multi-factor authentication (MFA).

Threat actors often claim that their phones are broken, so they can’t log in or receive MFA tokens. The charade seems real because the threat actors provide the required sensitive information for identity verification, including the last four digits of the target employee’s social security number and corporate ID number, along with other demographic details. It is likely these details are acquired from professional networking sites and other publicly available information sources, such as previous data breaches.

Threat Actors Fool IT Help Desks to Access and Divert Funds

Next, threat actors reportedly use the compromised employee’s email account to change payment instructions with payment processors, divert legitimate payments to fraudulent U.S. bank accounts, or deliver malware into the network. Much like other payment diversion tactics, it is suspected that the funds will eventually be transferred overseas.

AHA Says Attacks on IT Help Desks is Ongoing

“We first alerted the field to this scheme this past January,” said John Riggi, the American Hospital Association’s (AHA) national advisor for cybersecurity and risk. “Unfortunately, this scheme is currently continuing with active targeting of IT help desks, warranting rebroadcast of this alert.”

“The risk posed by this innovative and sophisticated scheme can be mitigated by ensuring strict IT help desk security protocols,” Riggi said.

Steps to Mitigate Attacks on Healthcare IT Help Desks:

1. Require callbacks to the phone number on record for the employee requesting a password reset and enrollment of a new device. It is important to note that when attempting callbacks for verification, the threat actor may claim to be too busy to take a phone call.
2. Monitor for any suspicious ACH changes and revalidate all users with access to payer websites.
3. Implement policies that require the supervisor of the employee to be contacted to verify these requests.
4. Train users to identify and report social engineering techniques and spearphishing attempts while also being suspicious of and verifying callers’ identities.
5. Organizations using Entra ID (formerly Microsoft Azure Active Directory) are advised to prevent MFA abuse by enforcing the use of Microsoft Authenticator with number matching, removing SMS as the second verification factor, creating conditional access policies, and blocking external access to Microsoft Azure and Microsoft 365 administration features.

Read more about using MFA to protect organizational reputation in this blog article.

If you need customized assessments to mitigate social engineering attacks or privacy risk assessments, PrivaPlan offers reliable and trusted services to help you meet your organizational needs. Contact us today to learn more!