Back in the 1960s my Dad had an insurance salesman who was a real boring guy. No expression, just sold insurance, which so many didn’t even want to discuss anyway. Those days are long gone. Now everything is so impersonal, just like the boring insurance salesman (maybe he knew something we did not). So, when you get an online solicitation for a free insurance quote, many jump at the chance of NOT having to talk to a boring insurance salesperson. Hackers are targeting vulnerabilities in websites offering “instant” insurance quotes, especially those that provide auto insurance rates, in an ongoing campaign designed to steal consumers' information, according to an alert from the New York State Department of Financial Services (NYSDFS). The alert warns that hackers are targeting the sites to steal driver's license numbers and other personally identifiable information (PII). The affected sites were not named. The department first heard about the issue earlier this year and in January 2021 informed 12 auto insurance instant quote sites that they were likely being targeted.
"Following that alert, six more insurers reported to NYSDFS the malicious targeting of their auto quote websites," the state agency spokesperson stated. "Two of those insurers reported that the attackers failed to gain access to NPI [nonpublic information] and four reported that the attackers did gain access to NPI or that their investigation was still ongoing." The state agency says the campaign is likely tied to efforts to steal PII for use in fraudulent applications for pandemic-related benefits and unemployment insurance. "Notably, the concerted effort to steal NPI from New Yorkers seems to have coincided with the implementation of enhanced identity requirements to obtain pandemic benefits in New York," the alert stated. NYSDFS did not release any information on the number of individuals who have been victimized in these attacks in New York or elsewhere.
Online criminals are using several techniques to infiltrate systems and then steal data from the instant quote websites, the alert says. "On the auto quote websites, the criminals entered a valid name, any date of birth and any address information into the required fields," the state agency spokesperson stated. "The automobile insurance quote websites then displayed an estimated insurance premium quote along with partial or redacted consumer NPI including a driver’s license number. The attackers captured the full, unredacted driver’s license numbers without going any further in the process and abandoned the quote."
The alert says the hackers:
- Take advantage of vulnerabilities in the site to access unredacted PII directly from where it's stored;
- Use developer debug tools to intercept and decode unredacted PII;
- Use web browser developer tools to access the parts of the websites where the redacted data is stored;
- After requesting a quote, enter an order to purchase an insurance policy, using fraudulent payment methods, to view the policy owner's driver's license number and other information;
- Sometimes call an agent and use social engineering techniques to gain personal information.
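To make the developer-tools technique above concrete, here is an added example in Python; it is not code from the NYSDFS alert, Red Sky Alliance, or any insurer. It models the weakness the alert describes, a quote page that displays a masked driver's license number but ships the full value in the response so client-side script can render it, beside a version that masks on the server, and it checks the raw response body the way an attacker reading the browser's Network tab would. The record, the field names, the handler names and the license number are all constructed for the example.

```python
"""Client-side vs server-side redaction of a driver's license number in an
instant-quote response. Added example with constructed data; the handler and
field names are assumptions, not any insurer's real code."""
import json
import re

# Constructed sample record, as a quote engine might look one up by name/DOB/address.
# The license number is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Q. Public",
    "dob": "1980-01-01",
    "address": "1 Example St, Albany, NY",
    "drivers_license": "123456789",   # constructed, not a real identifier
    "premium_estimate": 1234.56,
}


def mask_license(value, visible=4):
    """Keep only the last `visible` characters, replacing the rest with X."""
    if len(value) <= visible:
        return "X" * len(value)
    return "X" * (len(value) - visible) + value[-visible:]


def quote_response_vulnerable(record):
    """The pattern the alert describes: the page *displays* a masked number, but
    the full value rides along in the JSON for client-side script to use.
    Browser developer tools (Network/Console tabs) expose it without buying."""
    return json.dumps({
        "premium": record["premium_estimate"],
        "license_display": mask_license(record["drivers_license"]),
        "license": record["drivers_license"],   # the leak
    })


def quote_response_hardened(record):
    """Redact on the server: the unmasked value never leaves the backend, so
    there is nothing for developer tools, proxies or an abandoned purchase flow
    to recover before identity is verified later in the process."""
    return json.dumps({
        "premium": record["premium_estimate"],
        "license_display": mask_license(record["drivers_license"]),
    })


def response_leaks_license(body, record):
    """Inspect the raw response body, not the rendered page, for the unmasked
    number, as an attacker (or a tester) would. The value must appear as a
    standalone token so the masked form (e.g. XXXXX6789) does not count."""
    full = re.escape(record["drivers_license"])
    return re.search(r"(?<![0-9A-Z])" + full + r"(?![0-9A-Z])", body) is not None


if __name__ == "__main__":
    for name, build in (("vulnerable", quote_response_vulnerable),
                        ("hardened", quote_response_hardened)):
        body = build(SAMPLE_RECORD)
        print(f"{name}: leaks full license? {response_leaks_license(body, SAMPLE_RECORD)}")
```

The check in `response_leaks_license` is the one worth automating against a real quote site: fetch the quote result with a scripted client, never render it, and search every byte of the response (HTML, JSON, inline script) for values the page is supposed to show only in redacted form. If the full value is there, the redaction is cosmetic and the developer-tools technique in the alert will recover it.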
The NYSDFS Cyber Intelligence Unit has found complete step-by-step instructions to implement these techniques for sale on darknet forums. The initial revealing sign that a site is being hit with this style of attack is a spike in quote requests tied to an unusually large number of abandoned quotes taking place during a short period, the alert says. "More broadly, regulated entities should look for any increase in consumer submissions that terminate as soon as NPI is revealed," NYSDFS noted.
If such activity is spotted, companies should check their server logs for indications that the website was manipulated using web developer tools, state officials advise. To help mitigate the risk, the state agency advises instant quote sites to make sure they are properly using Secure Sockets Layer/Transport Layer Security (SSL/TLS), HTTP Strict Transport Security (HSTS) and Hypertext Markup Language (HTML). The state agency also suggests companies confirm that the technology they use for redaction and data obfuscation is properly implemented. In practice that means redacting on the server: a value that is merely hidden by the page's script or styling is still present in the HTTP response, which is exactly what the developer-tools techniques in the alert recover.
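The abandoned-quote signal the alert describes can be checked mechanically against server logs. The following Python is an added example, not a NYSDFS or Red Sky Alliance tool. It assumes a simple access-log line format (`<ISO time> <client IP> <session id> <method> <path>`) and a quote flow of `/quote/start`, then `/quote/result` where the NPI is displayed, then any later step such as `/quote/purchase`. It groups quote sessions into ten-minute windows and flags windows in which both the number and the share of sessions that stop at the result page are unusually high, naming the client address that started most of them. The log lines it runs on are constructed, with a burst of scripted quotes from one address mixed into ordinary shopper traffic; the paths, thresholds and addresses are assumptions.

```python
"""Flag the abandoned-quote spike described in the NYSDFS alert: many quote
sessions that stop the moment the result page (where NPI is shown) is reached.
Added example with constructed data; log format, paths and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

START, RESULT = "/quote/start", "/quote/result"   # assumed quote-flow endpoints
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def constructed_log():
    """Build sample access-log lines: '<time> <client ip> <session id> <method> <path>'."""
    lines = []
    # Baseline: ten shoppers over one morning; one in five walks away at the quote.
    for i in range(10):
        t = datetime(2021, 2, 10, 9, 0, 0) + timedelta(minutes=7 * i)
        ip, sid = f"198.51.100.{10 + i}", f"u{i}"
        lines.append(f"{t.strftime(TS_FMT)} {ip} {sid} POST {START}")
        lines.append(f"{(t + timedelta(seconds=8)).strftime(TS_FMT)} {ip} {sid} GET {RESULT}")
        if i % 5:
            lines.append(f"{(t + timedelta(seconds=95)).strftime(TS_FMT)} {ip} {sid} POST /quote/purchase")
    # Burst: thirty scripted quotes from one address in nine minutes, none goes past the result.
    for i in range(30):
        t = datetime(2021, 2, 10, 3, 0, 0) + timedelta(seconds=18 * i)
        lines.append(f"{t.strftime(TS_FMT)} 203.0.113.7 a{i} POST {START}")
        lines.append(f"{(t + timedelta(seconds=2)).strftime(TS_FMT)} 203.0.113.7 a{i} GET {RESULT}")
    return "\n".join(lines)


def parse_log(text):
    """Group lines by session id: {sid: [(time, ip, path), ...]} in time order."""
    sessions = defaultdict(list)
    for line in text.strip().splitlines():
        when, ip, sid, _method, path = line.split()
        sessions[sid].append((datetime.strptime(when, TS_FMT), ip, path))
    for events in sessions.values():
        events.sort()
    return dict(sessions)


def abandoned_at_npi(events):
    """True when the session reached the result page and did nothing afterwards."""
    paths = [p for _, _, p in events]
    return paths[0] == START and paths[-1] == RESULT


def find_spikes(sessions, window_minutes=10, min_abandoned=10, min_ratio=0.8):
    """Bucket sessions by the window (window_minutes must divide 60) in which they
    first reached the result page, and flag windows where both the count and the
    share of abandoned quotes are high."""
    buckets = defaultdict(lambda: {"total": 0, "abandoned": 0, "ips": defaultdict(int)})
    for events in sessions.values():
        result_times = [t for t, _, p in events if p == RESULT]
        if not result_times:
            continue   # never saw NPI; not relevant to this signal
        t0 = result_times[0]
        key = t0.replace(minute=(t0.minute // window_minutes) * window_minutes, second=0)
        b = buckets[key]
        b["total"] += 1
        if abandoned_at_npi(events):
            b["abandoned"] += 1
            b["ips"][events[0][1]] += 1   # attribute to the client that started the quote
    flagged = []
    for key in sorted(buckets):
        b = buckets[key]
        if b["abandoned"] >= min_abandoned and b["abandoned"] / b["total"] >= min_ratio:
            top_ip, n = max(b["ips"].items(), key=lambda kv: kv[1])
            flagged.append({"window_start": key, "total": b["total"],
                            "abandoned": b["abandoned"], "top_ip": top_ip, "top_ip_count": n})
    return flagged


if __name__ == "__main__":
    for spike in find_spikes(parse_log(constructed_log())):
        print(f"{spike['window_start']:%Y-%m-%d %H:%M}: {spike['abandoned']}/{spike['total']} "
              f"quotes abandoned at the result page; top client {spike['top_ip']} ({spike['top_ip_count']})")
```

On the constructed data the morning windows never trip the rule (one abandoned quote among a handful is normal shopper behaviour), while the 03:00 window is flagged with all thirty quotes abandoned and a single source address. In production the fixed `min_abandoned` threshold should be replaced by a comparison against the site's own historical abandonment rate per window, and a flagged window is the cue to pull the same sessions' full request logs and look for the developer-tools manipulation the officials mention.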
Or you can get the support of Red Sky Alliance to scour these dark forums to see if your site is being targeted and stolen PII is being bought and sold. Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports available at https://redskyalliance.org at no charge. Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.
Call for assistance.
Weekly Cyber Intelligence Briefings: https://attendee.gotowebinar.com/register/3702558539639477516
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941