The FBI is warning that cybercriminals are using spoofed emails and phone numbers to target plastic surgery practices across the United States, delivering malware through phishing attacks as the first step of an extortion campaign.
After gaining access to a practice's network, the attackers steal data from the compromised systems and use it to extort both surgeons and patients.
The documents stolen in these breaches can contain very sensitive data, including personally identifiable information, sensitive medical records and, in some cases, intimate photographs taken for medical purposes.
Once they have this data, they enrich the stolen electronic protected health information (ePHI) with open source information, such as social media details, to make their extortion attempts more convincing.
“Cybercriminals use open source information, including social media, and social engineering techniques to enhance the harvested ePHI of plastic surgery patients,” the FBI said.
“Cybercriminals use the enhanced data as leverage for Phase 3 extortion and may use it for other fraud schemes.”
They then contact plastic surgeons and patients via social media, email, text messages or messaging apps, threatening to release the sensitive ePHI unless an extortion payment is made in cryptocurrency.
To put even more pressure on victims, cybercriminals may also share this sensitive data with victims’ friends, family, or colleagues, and create public-facing websites that display the information.
Attackers may also promise victims that they’ll stop sharing electronic protected health information (ePHI) once they receive the extortion payment.