A report issued a few hours ago indicates that plastic surgeons' offices and their patients are major targets for threat actors intent on harvesting PII data (personally identifiable information).
A recent FBI alert (Alert Number: I-101723-PSA) makes shocking revelations: threat actors were identified raiding plastic surgeons' offices for precious medical records and patients' intimate photographs.
The FBI stated that:
“Once successful, cybercriminals use social engineering techniques to enhance the harvested data and extort individuals for cryptocurrency.”
Analysing the situation, the FBI categorized this cyberattack as a scam that comprises three phases.
The first phase involves data harvesting. The threat actors use spoofing techniques to disguise their phone numbers and emails, then launch a phishing attack that deploys hidden malware to the targeted plastic surgeon's office. As soon as the malware has infected the surgeon's device, the threat actors proceed to harvest the electronic protected health information (ePHI).
The second phase involves enhancing the data. Using open source intelligence tools and social engineering techniques, the threat actor enhances the ePHI belonging to patients of the compromised surgeon, then proceeds to the next stage, which is extortion.
In the third stage, the cybercriminal uses various means such as social media accounts, emails, text messages, and other messaging apps to contact both the surgeon and the patients. Using social engineering, the cybercriminal puts urgency and pressure on the surgeon and patient, stating that if the demands are not met, the information obtained will be made public to both victims' (patient and surgeon) friends, family, and colleagues, and that if their demands are met, they will stop sharing the ePHI.
MITIGATION STEPS:
The FBI has issued the following mitigation steps to help users protect themselves.
- Users should review their social media account privacy settings and limit the visibility of information posted on their social media accounts.
- Users should also audit their friend lists to ensure that everyone on them is known to them, accept friend requests only from persons they know, and implement two-factor authentication.
- Use complex passwords to secure email, social media, financial, and bill pay accounts. Furthermore, a password manager should be used to help users secure and remember their passwords.
- Additional audit measures include monitoring bank account statements and credit card reports, and immediately contacting the respective authority once suspicious activity is discovered.
EMERGENCY REPORT:
The FBI also instructed the public to report fraudulent activity as soon as they notice it. They should gather information such as the name of the contact person, the method of communication (e.g. website, emails, telephone, etc.), and the method by which any financial transaction with the threat actor was conducted (e.g. wallet address, bank account number, etc.).
Share your thoughts on this in the comment section below.