Arctic Wolf has identified a social engineering campaign targeting health care providers in the United States. Throughout multiple incidents, hospital help desks have received suspicious phone calls from unidentified individuals claiming to be doctors who had forgotten their password. When the callers were confronted with a request to verify their identities, including first name and department affiliation, the suspicious callers disconnected.
This behavior is consistent with early-stage social engineering or vishing tactics often used to gain unauthorized access to privileged accounts. In past reports, ransomware threat actors affiliated with groups such as Scattered Spider were observed using similar tactics to gain initial access to targeted organizations in the healthcare sector.
Recommendations
Promote Security Best Practices with IT Staff
The following steps can limit the effectiveness of social engineering attempts that target IT staff.
- IT staff should never reset passwords during an inbound call. Instead, advise IT staff to call users back using the contact details on record.
- Limit the ability to perform temporary password resets to senior personnel.
- Advise help desk employees to never read back the number on record or other personally identifiable information over the phone.
- If a user requests a change to the personal contact information on file, ensure it goes through a standard, repeatable process with rigorous identity verification.
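The following is an added example, not Arctic Wolf's code or tooling, showing how the help-desk rules above can be enforced in a ticketing workflow and how the call pattern described at the top of the page (a caller claiming to be a doctor who hangs up when asked for a first name and department) can be surfaced from help-desk call records. The directory entries, role names, call log and 24-hour threshold are all constructed assumptions for illustration.

```python
"""Help-desk reset gate and vishing triage (added example with constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Directory of record: constructed sample entry (assumption, not real data).
DIRECTORY = {
    "dr.alice": {"first_name": "Alice", "department": "Cardiology",
                 "phone_on_record": "+1-555-0101"},
}

# Roles allowed to issue temporary resets (assumed role names).
SENIOR_ROLES = {"helpdesk_lead", "it_manager"}


@dataclass
class ResetRequest:
    username: str
    channel: str                     # "inbound_call", "callback" or "in_person"
    claimed_first_name: Optional[str]
    claimed_department: Optional[str]
    agent_role: str
    temporary: bool = False


@dataclass
class Decision:
    allowed: bool
    reason: str
    next_step: str = ""


def mask_phone(number: str) -> str:
    """Expose only the last two digits so an agent never reads the full number back."""
    digits = [c for c in number if c.isdigit()]
    return "***-***-**" + "".join(digits[-2:])


def evaluate_reset(req: ResetRequest) -> Decision:
    """Apply the help-desk rules in order; the first failing rule decides."""
    user = DIRECTORY.get(req.username)
    if user is None:
        return Decision(False, "unknown account")
    # Rule 1: no resets on an inbound call; call the user back on the number on record.
    if req.channel == "inbound_call":
        return Decision(False, "resets are not performed on inbound calls",
                        next_step="call back at " + mask_phone(user["phone_on_record"]))
    # Rule 2: temporary resets are reserved for senior personnel.
    if req.temporary and req.agent_role not in SENIOR_ROLES:
        return Decision(False, "temporary resets require senior personnel",
                        next_step="escalate")
    # Rule 3: the details the caller gives must match the record.
    if ((req.claimed_first_name or "").lower() != user["first_name"].lower()
            or (req.claimed_department or "").lower() != user["department"].lower()):
        return Decision(False, "identity verification failed")
    return Decision(True, "verified via callback")


@dataclass
class CallRecord:
    ts: datetime
    claimed_role: str
    intent: str
    hung_up_at_verification: bool   # caller disconnected when asked to verify


# Constructed help-desk call log (dates and content are made up for the example).
CALL_LOG = [
    CallRecord(datetime(2024, 1, 8, 9, 5), "doctor", "password_reset", True),
    CallRecord(datetime(2024, 1, 8, 9, 40), "nurse", "printer_issue", False),
    CallRecord(datetime(2024, 1, 8, 13, 20), "doctor", "password_reset", True),
    CallRecord(datetime(2024, 1, 10, 8, 0), "doctor", "password_reset", False),
]


def suspicious_calls(log: List[CallRecord], window: timedelta = timedelta(hours=24),
                     threshold: int = 2) -> List[CallRecord]:
    """Return reset calls abandoned at verification when at least `threshold`
    of them fall inside any `window`; an empty list means nothing to escalate."""
    hits = sorted((c for c in log
                   if c.intent == "password_reset" and c.hung_up_at_verification),
                  key=lambda c: c.ts)
    for i, first in enumerate(hits):
        j = i
        while j < len(hits) and hits[j].ts - first.ts <= window:
            j += 1
        if j - i >= threshold:
            return hits[i:j]
    return []


if __name__ == "__main__":
    inbound = ResetRequest("dr.alice", "inbound_call", "Alice", "Cardiology", "helpdesk_agent")
    print(evaluate_reset(inbound))          # denied, agent told to call back
    print(len(suspicious_calls(CALL_LOG)))  # 2 abandoned reset calls in one day
```

The gate returns a decision object rather than performing the reset itself, so the ticketing system can record the reason and the masked callback number without the agent ever seeing the full number; the triage function is deliberately simple (count of abandoned-at-verification reset calls in a sliding window) so it can run over exported call records without extra infrastructure.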
Resources