The FBI warns that cybercriminals are using spoofed emails and phone numbers to target plastic surgery offices across the United States with malware-spreading phishing attacks as the first step in an extortion scheme.
After gaining access to their networks, the attackers steal data from compromised systems that they’ll use to extort surgeons and patients.
Documents stolen in these breaches can contain very sensitive data, including personally identifiable information, sensitive medical records, and, in some cases, even intimate photographs taken for medical purposes.
After obtaining this data, the attackers enrich the harvested electronic protected health information (ePHI) with open-source information, such as social media details, to make their extortion attempts more convincing.
“Cybercriminals use open-source information, to include social media, and social engineering techniques to enhance the harvested ePHI data of plastic surgery patients,” the FBI said.
“Cybercriminals use the enhanced data as leverage for extortion in Phase 3 and may use it for other fraud schemes.”
Then, they reach out to plastic surgeons and patients through social media, emails, text messages, or messaging apps, threatening to share the sensitive ePHI unless an extortion payment in cryptocurrency is made.
To apply even more pressure on the victims, the cybercriminals might also share this sensitive data with the victims’ friends, family, or colleagues, as well as create public-facing websites displaying the information.
The attackers will also promise victims that they’ll stop sharing the ePHI upon receipt of the extortion payment.
How to protect yourself from such extortion attempts
The FBI says that surgeons and patients at risk of being targeted can take some proactive steps to protect their personal information.
They should start by configuring their social media profiles for maximum privacy, so that people outside their friends list cannot monitor their online activity.
“Preferably, make your account private and limit what can be posted by others on your profile,” the federal law enforcement agency said.
“Audit friend lists to ensure they consist of and are visible to people you know. Only accept friend requests and follows from people you know. Enable two-factor authentication to log in.”
The FBI also recommended creating strong and complex passwords for all accounts, including email, social media, financial, and bill payment platforms, to secure them against hacking attempts (use a password manager to make them easier to remember).
Last but not least, keep a close eye on bank accounts and credit reports for signs of suspicious activity, and, if possible, set up credit report fraud alerts or security freezes to thwart unauthorized access.
The FBI encourages victims to report these incidents by filing a complaint with the Internet Crime Complaint Center (IC3).
These complaints should include specific details, such as the identity of the person or company who made contact, the method of communication, and the bank account number or wallet address to which the extortion payment was made.
Earlier this month, the FBI also issued a public service announcement warning of a nationwide increase in ‘phantom hacker’ scams targeting senior citizens across the United States.
Source: www.bleepingcomputer.com