Privacy Ninja
Scammers Steal New Yorkers’ Private Info For Benefits Fraud

New York’s Department of Financial Services (DFS) warns of an ongoing series of attacks resulting in the theft of personal information belonging to hundreds of thousands of New Yorkers.

The warning follows another alert issued last month describing how this aggressive cybercrime campaign exploits cybersecurity flaws found in public-facing websites to steal Nonpublic Information (NPI).

The attacks fuel an increasingly large fraud campaign claiming pandemic and unemployment benefits using the stolen nonpublic information.

To make it easier to understand the scale of the problem, the New York State Department of Labor prevented fraudsters from stealing over $5.5 billion in unemployment benefits since the start of the pandemic after identifying more than 425,000 fraudulent unemployment claims.

Additionally, at least $36 billion of the $360 billion expended under the CARES Act through September 30, 2020, could be improper payments that can largely be attributed to fraud as reported by the US Department of Labor’s Office of the Inspector General.

Tactics used to steal New Yorkers’ private info

“This cybercrime campaign is a serious threat to the personal information of New Yorkers, and we urge all personal lines insurers and other financial services companies to take aggressive action to prevent the further loss of consumer information,” NY DFS’ cybersecurity division said.

“All financial services companies should immediately check for any evidence of this cybercrime and ensure that they have implemented the robust access controls required by DFS’s cybersecurity regulation, 23 NYCRR 500 et seq.”

Companies targeted by these attacks are asked to immediately take action to protect New Yorkers’ data from this ongoing campaign.

“We urge personal lines insurers and other financial services companies to avoid displaying prefilled NPI on public-facing websites considering the serious risk of theft and consumer harm,” the state’s DFS said.

The threat actors focus their attacks on insurance agent portals and Instant Quote Websites hosted by auto insurers and other financial services companies where consumers’ NPI is automatically prefilled using data prefill systems.

They are using multiple methods to harvest their targets’ NPI (the first two are recently added tactics):

  • Using web-debugging tools to steal unredacted, plaintext NPI while in transit from the data vendor to the company.
  • Credential stuffing to gain access to insurance agent accounts and using those agent accounts to steal consumer NPI.
  • Taking unredacted NPI from the Auto Quote Websites’ Hypertext Markup Language (“HTML”) that was not displayed in the rendered webpage but was visible in the HTML source.
  • Using developer debug tools to intercept and decode unredacted NPI. In some cases, developer tools were used on the public-facing website to access the HTML code and reshape website frames to view hidden NPI.
  • Manipulating the technology used to redact portions of NPI, using web browser developer tools to access the parts of the websites that redacted data, thereby fully revealing the NPI on the public-facing website.
  • Purchasing a policy after requesting a quote, using fraudulent payment methods to view the policy owner’s information, including his or her driver’s license number.
  • Requesting a quote and receiving an agent’s contact information, then calling the agent and using social engineering to elicit NPI from the agent in vishing attacks.

Benefits fraud surge

The NPI stolen by the attackers behind this campaign includes consumers’ name, date of birth, address information, driver’s license number, vehicle make, vehicle model, vehicle identification number (VIN), and household members’ associated data.

Scammers use the NPI harvested in this large-scale operation to claim various types of benefits in the name of their victims, which has resulted in a massive increase in benefits fraud, according to New York’s Department of Financial Services.

NY DFS’ cybersecurity division added that the increase of attacks targeting consumers’ NPI seems to coincide “with the implementation of enhanced identity requirements to obtain pandemic benefits in New York.”

There is also a high chance that the stolen private information could get into the hands of identity thieves. The US Federal Trade Commission (FTC) says that the number of identity theft reports doubled in 2020 compared to 2019, with a record of 1.4 million reports within one year.

While New Yorkers targeted by this cybercrime campaign can’t protect their NPI from being harvested and used for fraud, targeted companies can take mitigation measures to fend off these ongoing attacks by:

  • disabling prefill of redacted NPI,
  • installing a Web Application Firewall (WAF),
  • implementing CAPTCHA to block bots,
  • improving access controls for agent portals (add MFA support, switch to more robust password policies, and limit login attempts),
  • training their agents and employees to spot social engineering attacks,
  • limiting access to NPI only to those employees who need it,
  • waiting until payments have cleared before issuing a policy,
  • protecting NPI received from data vendors.
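Several of the tactics above work only because the quote page carries the full, unredacted value in its HTML and merely hides it in the browser, and because agent portals accept unlimited login attempts. The following is an added example, not code from the article or from NY DFS, illustrating two of the listed mitigations: redacting NPI on the server before it reaches any template (so the HTML never contains the value, whatever developer tools show) and limiting failed logins on an agent portal. The field names, the sample record, the masking rules and the lockout thresholds are all constructed for illustration.

```python
"""Server-side NPI redaction for an instant-quote page plus a failed-login
limiter for an agent portal. Added example; all names and data are constructed."""
import html
import time
from collections import defaultdict

# Constructed sample record in the shape of the NPI the article lists; not real data.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "date_of_birth": "1985-07-14",
    "address": "123 Example St, Albany, NY",
    "driver_license": "123456789",
    "vehicle_make": "Honda",
    "vehicle_model": "Civic",
    "vin": "1HGBH41JXMN109186",
    "household_members": ["John Doe"],
}

# Fields the public quote page may show only in masked form (assumed policy).
MASKED_FIELDS = {"driver_license", "vin"}
# Fields the public quote page never needs, so they are dropped before serialization.
DROPPED_FIELDS = {"household_members"}


def mask_tail(value: str, keep: int = 4) -> str:
    """Replace all but the last `keep` characters with '*'."""
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


def mask_date(iso_date: str) -> str:
    """Reduce an ISO date (YYYY-MM-DD) to the year only: YYYY-**-**."""
    year = iso_date.split("-")[0]
    return f"{year}-**-**"


def redact_for_public_page(record: dict) -> dict:
    """Build the only view of the record that the quote page is allowed to see."""
    out = {}
    for key, value in record.items():
        if key in DROPPED_FIELDS:
            continue
        if key == "date_of_birth":
            out[key] = mask_date(value)
        elif key in MASKED_FIELDS:
            out[key] = mask_tail(str(value))
        else:
            out[key] = value
    return out


def render_quote_unsafe(record: dict) -> str:
    """The pattern the article describes being abused: the full value is written
    into the HTML and only hidden by the browser, so page source and developer
    tools reveal it. Shown here as the 'before' case, not as a recommendation."""
    cells = []
    for key, value in record.items():
        text = html.escape(str(value))
        if key in MASKED_FIELDS:
            # Masking done client-side: the real value is still in the markup.
            cells.append(f'<td class="redacted" data-full="{text}">{mask_tail(str(value))}</td>')
        else:
            cells.append(f"<td>{text}</td>")
    return "<table><tr>" + "".join(cells) + "</tr></table>"


def render_quote_safe(record: dict) -> str:
    """Redact first, then render: the unmasked value never reaches the template."""
    cells = [f"<td>{html.escape(str(v))}</td>" for v in redact_for_public_page(record).values()]
    return "<table><tr>" + "".join(cells) + "</tr></table>"


class LoginAttemptLimiter:
    """Lock an account after `max_failures` failed logins inside a sliding window,
    which blunts credential stuffing against agent portals. Thresholds are assumed."""

    def __init__(self, max_failures: int = 5, window_seconds: int = 900):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures = defaultdict(list)  # username -> timestamps of failures

    def _recent(self, username: str, now: float) -> list:
        return [t for t in self._failures[username] if now - t < self.window]

    def record_failure(self, username: str, now: float = None) -> None:
        now = time.time() if now is None else now
        self._failures[username] = self._recent(username, now) + [now]

    def is_locked(self, username: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        return len(self._recent(username, now)) >= self.max_failures


if __name__ == "__main__":
    print("unsafe markup contains DL:", "123456789" in render_quote_unsafe(SAMPLE_RECORD))
    print("safe markup contains DL:  ", "123456789" in render_quote_safe(SAMPLE_RECORD))
```

The point of the two renderers is that a WAF or CAPTCHA does not fix the unsafe one: the value is delivered to every visitor, and the redaction lives entirely in the client. Only the server-side version removes the data from the response, which is what “disabling prefill of redacted NPI” amounts to in practice.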
