Plastic surgeries across the United States have been issued a warning that they are being targeted by cybercriminals in plots designed to steal sensitive data including patients’ medical records and photographs that will be later used for extortion.
The warning, which was issued by the FBI yesterday and is directed towards plastic surgery offices and patients, advises that extortionists have been using a multi-stage approach to maximise their criminal profits.
Stage one involves data harvesting. This sees malicious hackers infiltrate the networks of plastic surgery offices to exfiltrate sensitive data – including ePHI (electronic protected health information) such as photographs.
As the FBI explains, cybercriminals will typically use spoofed email addresses or disguised phone numbers to dupe unsuspecting staff at a plastic surgery to click on malicious links leading to malware, or hand over login credentials that can then be exploited.
Stage two is, according to the FBI, related to data enhancement. The criminals have already stolen sensitive health information and photos of patients. However, they can increase their leverage over potential blackmail victims by enhancing the data through the use of open-source information, trawling social media accounts, and social engineering techniques.
Stage three is the extortion itself. With the information that has been stolen and collated, criminals contact plastic surgeons and their patients via social media, email, text messages, and demand payment with the promise that if a ransom is paid the stolen sensitive data will not be published.
In some instances, extortionists have been known to start sharing the sensitive data with friends, family, or work colleagues in an attempt to exert pressure – or create websites on the dark web that distribute the stolen information. Criminals say that they will only remove and stop sharing the data if a ransom is paid.
Going to a plastic surgeon can be a deeply personal decision, and many people would feel highly uncomfortable with the notion that malicious hackers not only know their personal information, but also might have photographs of how they appeared “before” and “after” surgery.
That would be bad enough. But imagine knowing that someone has not only seen sensitive photos and information about your plastic surgery, but is also intentionally sharing it with others.
Earlier this year, the notorious BlackCat ransomware group claimed responsibility for a data breach at a Beverly Hills plastic surgery popular with celebrities.
The FBI is urging those targeted by such attacks to file complaints of fraudulent or suspicious activities at the Internet Crime Complaint Center (IC3).
In addition, tips have been offered to better protect those who might be at risk of falling victim:
- Take the time to strengthen the privacy of your social media accounts by reviewing your profile’s settings. Ideally, profiles should be set to private, and there should be a limit one what others can post on your profile. Limit friend connections on social networks to those people you actually know. Where available, enable two-factor authentication to make it harder for a malicious hacker to break into your account.
- Secure online accounts by using unique, strong passwords. Consider using a password manager to help you remember your login credentials, and enable two-factor authentication wherever available.
- Monitor bank accounts and credit reports for any suspicious activity; consider placing a fraud alert or security freeze on your credit reports to prevent unauthorized access.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.