
HC3 Notes Uptick in Healthcare Vishing Attacks, Social Engineering

Vishing attacks, or "voice phishing," involve a threat actor attempting to scam an individual over the phone.

In the past year, the Health Sector Cybersecurity Coordination Center (HC3) has observed an uptick in vishing attacks, or "voice phishing," a recent analyst note revealed. Vishing attacks involve a threat actor attempting to execute a scam over the phone rather than through email.

“Social engineering techniques continue to remain successful in providing initial access to target organizations, and the HPH sector should remain alert to this evolving threat landscape with an emphasis on user awareness training,” HC3 explained.

Traditional phishing attacks using email or malicious websites are a major threat to the healthcare sector. The Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3) found that phishing was the most frequently reported cybercrime of 2021. IC3 received 323,972 phishing complaints in 2021, compared to 241,342 in 2020. Phishing also has a variety of subcategories, including spear phishing, smishing, whaling, and vishing.

HC3’s brief focused on vishing attacks and cited Agari data that highlighted a 625 percent growth in “hybrid vishing,” also known as “callback phishing.” Callback phishing attacks are multi-stage attacks that involve interacting with the victim via email first, and then transitioning to a phone call to complete the scam.

Callback phishing attacks became popular with the rise of BazarCall/BazaCall campaigns in March 2021, the analyst note explained.

In May 2022, a US-based telecommunications company experienced a series of vishing attacks executed by an initial access broker (IAB) with ties to Lapsus$, UNC2447, and Yanluowang. The threat actor gained access because an employee had enabled password syncing on Google Chrome and stored their work credentials in their browser.

“After obtaining the user’s credentials, the attacker attempted to bypass multifactor authentication (MFA) using a variety of techniques, including vishing and MFA fatigue, which is the process of sending a high volume of push requests to the target’s mobile device until the user accepts, either accidentally or simply to attempt to silence the repeated push notifications they are receiving,” the note continued.

HC3 called attention to a variety of observed vishing campaigns in the healthcare sector, including a series of vishing attempts at Spectrum Health in 2020 in which patients received calls from individuals pretending to be from Spectrum Health or Priority Health. The threat actors attempted to extract personal information from the victims.

“HC3 assesses with high confidence that threat actors will continue to evolve their tactics, techniques, and procedures (TTPs) when conducting phishing attacks due to prior success in gaining initial access,” the analyst note explained.

“Security researchers recently found a way to use just a series of emojis to deliver an exploit to a target. While this method requires specific circumstances to occur for the emoji exploit to work, this demonstrates the constantly evolving threat landscape and difficulty in detecting malware.”

The first step to preventing any type of phishing attack is recognizing the telltale signs of one and educating employees. HC3 urged users to be wary of suspicious emails claiming that a free trial has ended when the recipient never signed up for one, or emails and phone calls where the caller claims to be from a government entity or major technology company.

User training is crucial in preventing phishing campaigns in healthcare. In addition, healthcare organizations should employ a series of technical safeguards by blocking malicious domains and looking for evidence of existing compromise within their systems.

HC3 also recommended that organizations stay up-to-date with the latest healthcare-themed scams and consider tackling MFA fatigue by requiring a one-time password rather than a push notification.
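The MFA fatigue technique quoted from the analyst note above and HC3's recommendation to prefer a one-time password over push approval both turn on the same observable: an unusual burst of push prompts to a single user, most of them denied or ignored, sometimes followed by one that is finally approved. The script below is an added example, not HC3's or the analyst note's code, showing how a defender can flag that pattern in MFA logs. The log format, the event names (push_sent, push_denied, push_timeout, push_approved), the user names and the thresholds are assumptions for illustration, and the log lines are constructed rather than taken from any real incident.

```python
"""Flag MFA push-fatigue ("push bombing") patterns in authentication logs.

Added example; not HC3's code. Log format, event names, thresholds and the
sample lines below are all assumptions constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one push event per line, "timestamp user result".
# "bob" receives five prompts in under three minutes, denies or ignores four,
# then approves the fifth: the classic fatigue pattern. "alice" and "carol"
# show normal single-prompt logins.
SAMPLE_LOG = """\
2022-08-01T09:00:01Z alice push_sent
2022-08-01T09:00:09Z alice push_approved
2022-08-01T08:00:00Z carol push_sent
2022-08-01T08:00:10Z carol push_approved
2022-08-01T17:30:00Z carol push_sent
2022-08-01T17:30:12Z carol push_approved
2022-08-01T22:14:03Z bob push_sent
2022-08-01T22:14:20Z bob push_denied
2022-08-01T22:14:35Z bob push_sent
2022-08-01T22:14:50Z bob push_timeout
2022-08-01T22:15:10Z bob push_sent
2022-08-01T22:15:25Z bob push_denied
2022-08-01T22:15:45Z bob push_sent
2022-08-01T22:16:00Z bob push_denied
2022-08-01T22:16:40Z bob push_sent
2022-08-01T22:16:55Z bob push_approved
"""


def parse_log(text):
    """Parse the assumed "timestamp user result" format into sorted tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    events.sort(key=lambda e: e[0])
    return events


def detect_push_fatigue(events, threshold=4, window_seconds=300):
    """Return {user: details} for every user who received at least `threshold`
    push prompts inside any `window_seconds` window.

    details = {"pushes": prompts in the densest burst,
               "rejected": denied/timed-out prompts from the burst onward,
               "approved_after_burst": whether a prompt was approved after the
                                       burst began (the high-severity case)}
    """
    per_user = defaultdict(list)
    for ev in events:
        per_user[ev[1]].append(ev)

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for user, evs in per_user.items():
        sends = [t for t, _, r in evs if r == "push_sent"]
        # Sliding window over prompt timestamps to find the densest burst.
        start, best, burst_start = 0, 0, None
        for end in range(len(sends)):
            while sends[end] - sends[start] > window:
                start += 1
            if end - start + 1 > best:
                best = end - start + 1
                burst_start = sends[start]
        if best >= threshold:
            rejected = sum(1 for t, _, r in evs
                           if r in ("push_denied", "push_timeout") and t >= burst_start)
            approved = any(r == "push_approved" for t, _, r in evs if t >= burst_start)
            alerts[user] = {"pushes": best, "rejected": rejected,
                            "approved_after_burst": approved}
    return alerts


if __name__ == "__main__":
    for user, info in detect_push_fatigue(parse_log(SAMPLE_LOG)).items():
        severity = "HIGH" if info["approved_after_burst"] else "MEDIUM"
        print(f"[{severity}] {user}: {info['pushes']} prompts, "
              f"{info['rejected']} rejected, approved={info['approved_after_burst']}")
```

Run against the constructed log, only bob is flagged, and because his burst ends in an approval the alert is the one worth paging on: it is the moment an attacker holding stolen credentials gets past MFA. The threshold and window should be tuned to the identity provider's real prompt rates, and moving to number-matching or a one-time password, as HC3 suggests, removes the "accept to make it stop" path this detection is looking for.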
