Cybercriminals turning to health-care data

Security researchers with Finjan Software are seeing a growing thirst from cybercriminals for data other than credit-card numbers, with the latest findings including servers containing passwords leading to heath-care records and airline systems data.

The problem is two-fold: sensitive data is being stolen after PCs are infected with malicious software, and then that data sent to unprotected remote servers, said Yuval Ben-Itzhak, chief technology officer for Finjan. The content of those servers is then indexed by search engines, leaving it open to anyone who uses the right query terms.

Finjan recently came across a server located in Malaysia that contained enough information to log in into a Citrix remote-access system belonging to a major U.S. hospital, Ben-Itzhak said. Also found was log-in information for another publicly owned U.S. health-care organization that manages hospitals and other medical clinics.

Finjan didn’t use the information to log in into the organizations’ systems, but there’s a good chance an attacker could use the credentials to gain wide-ranging access to internal systems and possibly medical records, Ben-Itzhak said.

Finjan has reported the breach to U.S. law enforcement, which then will contact the organizations, he said. Finjan also notified Google, which has removed the particular pages from its index.

The use of unprotected servers indicates the hacking is the work of amateurs. “They have no clue how to secure their own server,” Ben-Itzhak said.

U.S. health-care organizations could face fines for failing to safeguard patient information as part of the Health Insurance Portability and Accountability Act.

Patient records could potentially be used to make claims to insurance companies, since the attacker would have access to medical histories and other information needed to file a bogus claim. The payoff could be better than trying to convert credit-card data into cash if the scam works.

In its monthly report , Finjan outlined possible scenarios: criminals could use the information to set up fake clinics, buy controlled prescription drugs, or tamper with health records, putting a patient at risk.

Finjan has seen a decline in the value of credit-card details sold in underground online markets. Credit-card numbers used to sell for $100 to $200, but the price has now declined almost 10-fold. But the reason is bad for consumers: there’s a glut of credit-card numbers on the market, indicating that more people have been victimized, Ben-Itzhak said.

Hackers could demand a higher price for different kinds of data, Ben-Itzhak said. Finjan also found another remote server containing Citrix log-in information for a U.S. airline. Finjan theorizes that logging into the airline’s system could give access to cargo lists, flight schedules, and financial data.