Healthcare IT Help Desk Employees Targeted in Payment-Hijacking Attacks

The US Department of Health warns of financially motivated social engineering attacks targeting healthcare organizations.

Threat actors are targeting IT help desk employees at healthcare and public health (HPH) organizations to gain access to corporate networks and divert payments, the US Department of Health warns.

As part of such an attack, a threat actor was seen calling an IT help desk employee over the phone, from a local area code, posing as an employee in a financial role, and convincing them to enroll a new device in multi-factor authentication (MFA).

To pass the help desk's identity checks, the attackers supplied sensitive details about the impersonated employee, including their Social Security number, likely obtained from publicly available information or data breaches, and claimed that the employee's phone was broken and could not receive MFA tokens, so a new device had to be enrolled.

After gaining access to the target network, the threat actor looked for login information for payer websites and submitted a form to make ACH changes to payer accounts.

“Once access has been gained to employee email accounts, they sent instructions to payment processors to divert legitimate payments to attacker-controlled U.S. bank accounts. The funds were then transferred to overseas accounts,” the Health Department’s alert reads (PDF).

In September 2023, the department says, these social engineering tactics were used to target an organization in the hospitality and entertainment industry as part of a ransomware attack. The attack was claimed by Scattered Spider and led to the deployment of Alphv/BlackCat ransomware.

The recent campaign against healthcare entities, however, did not employ ransomware, although it used the same voice spear-phishing techniques and employee impersonation tactics.

Possible mitigations for such attacks include callbacks to the phone number on record for the employee requesting the enrollment of a new device and a password reset, monitoring for suspicious ACH changes, and requiring that these requests be verified by the supervisor of the employee.

“Additionally, users can be trained to identify and report social engineering techniques and spear-phishing attempts, while also being suspicious of and verifying the identity of callers,” the department says.

Organizations using Entra ID (formerly Microsoft Azure Active Directory) are advised to prevent MFA abuse by enforcing the use of Microsoft Authenticator with number matching, removing SMS as the second verification factor, creating conditional access policies, and blocking external access to Microsoft Azure and Microsoft 365 administration features.
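The monitoring mitigations above (verified callbacks, watching for suspicious ACH changes, treating help-desk-assisted MFA enrollment as a signal) can be turned into a simple correlation rule. The following is an added example, not code from the Health Department alert or from SecurityWeek; it runs over a constructed, simplified event stream whose event kinds and field names (`helpdesk_mfa_reset`, `mfa_device_registered`, `ach_change`, `callback_verified`) are assumptions standing in for whatever an identity audit log and a payment system's change log actually emit.

```python
"""Correlate help-desk MFA resets, new MFA device registrations and ACH changes.

Added example (not from the alert or the article). The Event schema below is a
constructed stand-in for identity audit logs and payment-change logs; field names
are assumptions, not any vendor's real schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    kind: str                      # "helpdesk_mfa_reset" | "mfa_device_registered" | "ach_change"
    callback_verified: bool = False  # only meaningful for help-desk resets (assumed field)


def correlate(events, window=timedelta(hours=24)):
    """Return one finding per help-desk MFA reset that is followed, within `window`,
    by a new MFA device registration for the same user.

    Severity: "high" if an ACH change for that user follows the registration,
    otherwise "medium"; a reset the help desk verified by callback to the number
    on record is downgraded to "low" when no ACH change follows.
    """
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)

    findings = []
    for user, evs in by_user.items():
        for reset in (e for e in evs if e.kind == "helpdesk_mfa_reset"):
            regs = [e for e in evs
                    if e.kind == "mfa_device_registered"
                    and reset.ts <= e.ts <= reset.ts + window]
            if not regs:
                continue  # a reset with no new device in the window is not the pattern
            first_reg = regs[0]
            ach = [e for e in evs if e.kind == "ach_change" and e.ts >= first_reg.ts]
            severity = "high" if ach else "medium"
            if reset.callback_verified and severity == "medium":
                severity = "low"
            findings.append({
                "user": user,
                "reset_at": reset.ts,
                "device_registered_at": first_reg.ts,
                "ach_changes": len(ach),
                "callback_verified": reset.callback_verified,
                "severity": severity,
            })
    return findings


# Constructed sample events (not real log data).
T0 = datetime(2024, 4, 1, 9, 0)
SAMPLE_EVENTS = [
    # alice: unverified help-desk reset, new device 20 minutes later, ACH change 2 hours later
    Event(T0, "alice", "helpdesk_mfa_reset", callback_verified=False),
    Event(T0 + timedelta(minutes=20), "alice", "mfa_device_registered"),
    Event(T0 + timedelta(hours=2), "alice", "ach_change"),
    # bob: routine self-service enrollment, no help-desk reset involved
    Event(T0, "bob", "mfa_device_registered"),
    # carol: verified reset, but the device registration is 3 days later (outside 24h window)
    Event(T0, "carol", "helpdesk_mfa_reset", callback_verified=True),
    Event(T0 + timedelta(days=3), "carol", "mfa_device_registered"),
    # dave: verified reset followed by registration, no payment change
    Event(T0, "dave", "helpdesk_mfa_reset", callback_verified=True),
    Event(T0 + timedelta(hours=1), "dave", "mfa_device_registered"),
]


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f['severity']:6} {f['user']:6} reset={f['reset_at']:%H:%M} "
              f"device={f['device_registered_at']:%H:%M} ach_changes={f['ach_changes']} "
              f"callback_verified={f['callback_verified']}")
```

On the sample, alice is flagged high (reset, new device, then an ACH change), dave is flagged low (verified by callback, no payment change), and bob and carol produce no finding. The window and the callback downgrade are tuning knobs; a real deployment would feed this from the identity provider's audit log and the payment system's change history rather than from the constructed list.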

Written By

Ionut Arghire is an international correspondent for SecurityWeek.