Endpoint
4/14/2017
10:00 AM
Vitali Kremez
Vitali Kremez
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
100%
0%

Health Savings Account Fraud: The Rapidly Growing Threat

As income tax season comes to a close, financially-motivated cybercriminals are honing new tactics for monetizing medical PII.

While information security and anti-fraud teams remain on high-alert for potential indicators of income tax fraud, given the rapidly approaching April 18th filing deadline, a lesser-known yet serious threat with ties to both income tax fraud and 2016’s healthcare breaches continues to emerge: health savings account (HSA) fraud.

HSA fraud in and of itself is nothing new, but the threat has evolved substantially in credibility, complexity, and frequency since 2016. More specifically, the unprecedented surplus of stolen medical records currently offered for sale on Deep & Dark Web marketplaces has created financial difficulties for many cybercriminals who have traditionally relied on the profits generated from selling medical personal identifiable information or PII.

Threat actors who purchase so-called "fullz" or full listings of PII, typically utilize this data to commit various types of fraud. However, as demand for bulk medical fullz is not rising in tandem with the increased availability and declining sale prices of such information, many cybercriminals have sought out different ways of identifying the most valuable records for use in more profitable fraudulent activities such as HSA fraud.

This renewed interest in HSA fraud first emerged around September 2016, when one of the most prolific actors attacking healthcare institutions, known as "cr00k," suggested using stolen healthcare information to target valuable HSAs. Such attacks soon grew into an emerging trend among various low-tier cybercriminals in possession of medical PII. In order to identify higher-value HSA accounts, cybercriminals typically utilize various free credit reporting and financial management platforms to access victims’ credit scores and gauge their financial status.

To create or look up accounts on these types of platforms, cybercriminals must be in possession of the victim’s fullz, obtained from compromised healthcare institutions. Some cybercriminals use this information to target valuable HSAs directly whereas others may sell victims’ credit reports packaged with their medical fullz for substantially higher prices. cr00K in particular has been known to sell such information for HSA fraud for as high as $80-$100 per account record; accounts with higher credit scores tend to fetch higher prices, and vice versa.

Image Source: Lightspring via Shutterstock
Image Source: Lightspring via Shutterstock

In addition to the widespread availability of medical fullz on the Deep and Dark Web, the current composition of the US health insurance landscape may also be another factor contributing to cybercriminals’ renewed interest in HSA fraud. As health insurance costs continue to rise, more individuals are opting to purchase high-deductible health insurance plans, which tend to have less expensive monthly premiums.

HSAs are only available for individuals covered by high-deductible insurance plans, so as these plans become more popular, HSAs also become more popular. Recent estimates suggest that there are over 20 million existing HSA accounts that hold nearly $37 billion in assets, which represents a year-over-year increase of 22% for HSA assets and 20% for accounts. These figures raise concerns over the potentially larger population of individuals susceptible to HSA fraud, which remains more difficult for both victims and financial institutions to detect and mitigate for three reasons:

  • Access to victims’ fullz -- which typically include their social security numbers and mothers’ maiden names -- can enable fraudsters to change HSA account passwords, gain illicit access to funds, and transfer them from the account. To further evade detection and bypass financial institutions’ anti-fraud measures, some fraudsters even transfer HSA funds onto prepaid cards opened in the victim’s name.
  • Unlike other types of tax-free health-related accounts, HSA funds roll over from year to year, earn interest, and don’t expire. As such, many individuals treat HSAs like normal savings accounts and may not check their account balances routinely, if ever. In fact, numerous reports have surfaced from individuals who were not aware that their HSA accounts had been compromised until months later.
  • Not only does late detection of HSA fraud make it more difficult for financial institutions to investigate incidents and bring wrongdoers to justice, but a U.S. federal law holds financial institutions liable for lost funds only if the account holder reports the incident within 60 days of its occurrence.

Unfortunately for victims of HSA fraud, the abuse of their medical PII may continue to persist as financially motivated cybercriminals come to recognize that individuals with valuable HSAs may also be lucrative targets for income tax fraud. And while the IRS has strengthened anti-fraud measures in anticipation of increased levels of income tax fraud, cybercriminals with access to individuals’ medical fullz and credit reports can often leverage such information to bypass these measures.

For example, while the IRS has recently implemented a PIN system to reduce instances of identity theft and fraud, cybercriminals who have previously gained access to victims’ email accounts can reset and/or retrieve victims’ PINs via their emails. As an additional measure, the IRS also includes security questions such as "What is your mother’s maiden name?" which, again, may be easy for cybercriminals with access to victims’ medical fullz to answer and bypass.

The most effective way to avoid becoming a victim of HSA, tax, and other types of fraud is to prevent your PII from becoming compromised in the first place. However, we all know that this is far easier said than done. The reality is, the string of large-scale data breaches that struck the healthcare and other sectors in recent years has already inundated the Deep and Dark Web with millions of PII records, which means that many of us have already had our PII compromised in some capacity — whether we know about it or not. The best course of action to detect and mitigate any instances of fraud is to closely monitor the balances and activity within all our personal and financial accounts, including HSAs, bank accounts, credit reports, and tax returns. While it may be nearly impossible to prevent all instances of fraud, swiftly detecting and reporting potential indicators of compromise is integral to reducing the extent of any damages.

[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.]

Related Content: 

 

Vitali Kremez is director of research at Flashpoint. He specializes in researching and investigating complex cyberattacks, network intrusions, data breaches, and hacking incidents mainly emanating from the Eastern European cybercriminal ecosystem. He has earned the majority ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
JulietteRizkallah
50%
50%
JulietteRizkallah,
User Rank: Ninja
4/17/2017 | 3:24:26 PM
When PII is compromised, Identity is Everything
Great article to show how hackers think ahead of us.  As we are preparing to submit - hopefully with increased security- our taxes tomorrow, hackers are already looking at more lucrative personal information.  The FSA are the next target and are not yet a commodity on the dark net based on the prices listed in this article. 

We just have to brace oursleves and be extra vigilent about giving away our PII to too many organizations out there who really do not need it. For example: registration for my son kindergarten next year required a copy of his SSN.  I refused to provide it to the school as there is absolutely no reason for them to store that data.  They were cool with my answer...So yes we need to be vigilant and learn to say "no, sorry. You have to prove me you need that information from me before i hand it to you."
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: No, no, no! Have a Unix CRON do the pop-up reminders!
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.