Social engineering helping hackers break past providers’ defenses

In the past year, less than 1 percent of cyberattacks exploited a hardware or software vulnerability to get through a healthcare provider’s defenses and compromise data.

That means the vast majority of attacks required some form of human intervention, such as an email link clicked or an attachment opened, says Chris Dawson, threat intelligence lead at data security firm Proofpoint Research.

A health organization can take all the right steps to better secure itself against cybercriminals, but some level of malware will get in because the human factor will generally limit defenses.

“The traditional view has been that hackers are attacking information systems, but they really are going after people,” Dawson notes.

It does not help that hackers have gotten really good at making their malware-laden emails look legitimate, and they no longer have to rely on providers clicking on the wrong emails because staff in corporate sales, other departments and even authors are also easy targets.

A provider organization may have multiple types of email accounts often shared within a department or other departments, and it’s not hard for a hacker to find an account that ends in hr.com, which then opens up considerably more departments and accounts to target.

“Shared aliases are tough to secure as they are very public,” Dawson says. “Consequently, legacy shared accounts are an easy target for brute force attacks.”

Attackers also may target those who don’t expect to be victimized. For example, “Very Attacked People” (VAPs) represent significant areas of risk, as they tend to be either easily discovered identities or targets of opportunity like shared public accounts.

These people can be found online via corporate web sites, social media and in publications, and they aren’t necessarily high-profile individuals, such as VIPs or C-level executives. But for the VIPs who also are VAPs, almost 23 percent of their email identities could be found simply with a Google search.

What attackers really want via social media is to obtain credentials to feed more attacks, and they are improving their social engineering techniques to obtain credentials.

Cross pollination is another way to get credentials, Dawson warns. These are skilled social media individuals that build rapport with others using legitimate-looking LinkedIn messages and a fake job, such as masquerading as the trusted chief medical officer, and after a while they install malware to identify additional targets.

Also in healthcare, social media can be used to target those responsible for supply chains, pharmaceuticals, and research with the intent of getting funds transferred to the hacker, or to attack critical care medical devices to compel the payment of ransom.
