
Public-Facing Financial Services Sites Perfect for Data Theft!

COVID-19 has led to increased fraud activity. One of the latest campaigns has seen cyber-criminals stealing data from public-facing insurance websites.

Executives at companies in the financial services sector have a new scam to watch out for.

In the US, the New York Department of Financial Services issued a Cyber Fraud Alert last week warning of a new campaign that is trying to exploit flaws & misconfigurations in financial websites in order to obtain non-public information (NPI).

NYDFS’ Cyber-Security Division

The US alert, published through NYDFS’ Cyber-Security Division, specifically refers to websites that provide instant quotes, like auto insurance rate websites, which, when filled out with consumer information, display sensitive data such as driver’s license numbers back to the user.

That information is being intercepted & stolen by a hacker, the department warns. NYDFS claims the gathered data is being used to carry out identity theft through unauthorised pandemic & unemployment benefit claims.

Cyber-Security Regulation

Organisations that are regulated by the NYDFS to do business in New York, including banks, insurance companies, mortgage companies, trust companies, & lenders, have to comply with the department’s Cyber-Security Regulation. The Dept. wants these organisations to stay aware of new & ongoing cyber-security issues like this campaign.

NYDFS apparently notified a dozen insurance websites that they were being targeted by the campaign last month; last week’s alert is the 1st the public has heard of this campaign.

US Insurance Companies

The alert is especially relevant for US insurance companies that offer rates online (e.g., services like ‘Nationwide’ & ‘Progressive’) & that may have website visitors from the State of New York, helping them better detect & deter data theft.

The Department is encouraging CISOs, senior information officers, & data privacy officers at these organisations to review their sites for any evidence of the mentioned activity.

Hacking Techniques

NYDFS included indicators of compromise (IOCs) & hacking techniques to aid in detection.

Apparently, cyber-criminals are using a few techniques to take advantage of how instant quote insurance websites operate in order to steal NPI.

They are taking NPI that may not be visible on the rendered page but is present in its HTML; they are using browser developer debug tools to intercept & decode NPI so they can view it; & they are using social engineering to trick insurance agents into giving up NPI.

US Pandemic Benefits

It is a fairly recent problem – NYDFS says it received reports from car insurers about the attacks in Dec. 2020 & early Jan. 2021 – triggered by COVID-19 & in New York by recent requirements implemented to receive US pandemic benefits.

Cyber-criminals are making the theft easier for one another, offering tips on how to access driver’s license numbers from websites, how to steal them, & further guidance on how to sell them. It is not just car insurance sites: NYDFS has also seen activity on mortgage lending provider & credit reporting bureau websites.

Recommended Steps

To ensure attackers are not harvesting user data from their organisation’s website, NYDFS is encouraging organisations to follow these steps:

  • Conduct a thorough review of public-facing website security controls, including but not limited to a review of its Secure Sockets Layer (SSL), Transport Layer Security (TLS), & HTTP Strict Transport Security (HSTS) & Hypertext Markup Language (HTML) configurations.
  • Review public-facing websites for browser web developer tool functionality. Verify &, if possible, limit the access that users may have to adjust, deface, or manipulate website content using web developer tools on the public-facing websites.
  • Review & confirm that its redaction & data obfuscation solution for NPI is implemented properly throughout the entire transmission of the NPI until it reaches the public-facing website.
  • Ensure that privacy protections are up to date & effectively protect NPI by reviewing who is authorised to see NPI, which applications use NPI, & where NPI resides.
  • Search & scrub public code repositories for proprietary code.
  • Block the IP addresses of the suspected unauthorised users & consider a quote limit per user session.
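The third & last steps above describe the two controls that address the alert’s core finding (NPI present in the HTML even when not displayed, & bulk quote harvesting). As an added illustration, not code from NYDFS or the article, here is a server-side redaction pass applied before a quote is rendered, beside a per-session quote limit; the field names & sample values are constructed assumptions.

```python
from typing import Any

# Keys the quote pipeline treats as NPI (assumed names for this example).
NPI_FIELDS = {"drivers_license", "ssn", "date_of_birth"}


def mask_value(value: Any, keep: int = 4) -> str:
    """Mask everything except the last `keep` characters, so the HTML/JSON
    sent to the browser never carries the full identifier."""
    text = str(value)
    if len(text) <= keep:
        return "*" * len(text)
    return "*" * (len(text) - keep) + text[-keep:]


def redact_quote(quote: Any) -> Any:
    """Return a copy of the quote payload with every NPI field masked.
    Doing this before templating, rather than hiding fields with CSS or
    type="hidden", is what keeps the data out of the page source and
    out of reach of developer tools."""
    if isinstance(quote, dict):
        return {k: (mask_value(v) if k in NPI_FIELDS else redact_quote(v))
                for k, v in quote.items()}
    if isinstance(quote, list):
        return [redact_quote(item) for item in quote]
    return quote


class QuoteLimiter:
    """Cap the number of quotes one session may request (the alert's
    'quote limit per user session'). A burst of rejected requests from one
    session is itself a detection signal worth alerting on."""

    def __init__(self, limit: int) -> None:
        self.limit = limit
        self._counts = {}

    def allow(self, session_id: str) -> bool:
        used = self._counts.get(session_id, 0)
        if used >= self.limit:
            return False
        self._counts[session_id] = used + 1
        return True


# Constructed sample quote, as a backend might assemble it before rendering.
SAMPLE_QUOTE = {
    "applicant": {"name": "Sample Person", "drivers_license": "D12345678"},
    "drivers": [{"name": "Second Driver", "drivers_license": "X98765432"}],
    "premium_usd": 842,
}
```

Run `redact_quote(SAMPLE_QUOTE)` at the point where the quote is handed to the template engine; the original object is left untouched so internal processing can still use the full values.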
