Security Checklist: DDoS, Spear Phishing and Baxter Devices

By Jane Anderson

The HHS Health Sector Cybersecurity Coordination Center (HC3) is warning health care organizations that bad actors currently are targeting them specifically in three ways: distributed-denial-of-service (DDoS) attacks, business email compromise through spear phishing and via two Baxter International Inc. tools commonly used in facilities.

The spate of warnings came on the heels of another HC3 bulletin in April warning that hackers were employing advanced social engineering tactics to target IT help desks in the health sector and gain initial access to target organizations.[1] Together, the warnings indicate a threat atmosphere for the health care sector that shows no signs of abating.

BEC Growing Threat

Spear phishing involves targeting a specific individual in an organization to steal their login credentials. According to HC3’s warning on business email compromise (BEC), spear phishing is a “next level” technique in which the attacker often gathers information about the person, such as their name, position and contact details, before starting the attack.[2]

BEC is a spear phishing attack that utilizes social engineering, HC3 said. “It is one of the most damaging and expensive types of phishing attacks in existence, costing businesses billions of dollars each year,” the agency said.

“At a basic level, BEC is a type of cybercrime where the scammer uses email to trick someone into sending money or divulging confidential company info. The cybercriminal spoofs a person or organization the target knows, like a supplier, and asks for a fake invoice to be paid, sensitive company information, or other data they can profit from,” HC3 said.

Instead of relying solely on technical vulnerabilities, the attacks “exploit the human tendency to trust authority, act impulsively, and respond emotionally to urgent requests,” the agency said in its BEC briefing document.

Between October 2013 and December 2022, the FBI reported 277,918 BEC incidents domestically and internationally, with a total loss to businesses of more than $50 billion. In the U.S. during the same time period, the FBI reported 137,601 total victims and a total U.S.-based dollar loss of more than $17 billion.

Types of BEC scams include attorney impersonation, CEO fraud, data theft, account compromise and false invoice, and attackers often use more than one method as part of their attacks, HC3 said. For example, an attacker might pose as a lawyer or legal team member and pressure or manipulate the employee into sending data or requesting a wire transfer, the agency said.

“Since the request is typically framed as urgent, confidential or both, it typically takes advantage of the fact that low-level employees within an organization are likely to comply with requests from a lawyer or legal representative, because they do not know how to validate the request and simply comply to avoid negative consequences,” HC3 said.

Similarly, attackers often pose as someone with executive authority and target a member of the finance team, claiming to need urgent support on a time-sensitive or confidential matter that may not be verifiable with anyone else, potentially goading an employee into transferring funds or exposing data to the attacker, HC3 said.

This document is only available to subscribers. Please log in or purchase access.
Purchase Login
 


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings