Hackers Target 'Instant Quote' Websites
New York Warns of Theft of Consumers' Information
Hackers are targeting vulnerabilities in websites offering instant quotes - especially those that provide auto insurance rates - in an ongoing campaign designed to steal consumers' information, according to an alert from the New York State Department of Financial Services.
The alert says hackers are targeting the sites to steal driver's license numbers and other personally identifiable information. The sites affected were not named.
The department first heard about the issue earlier this year and informed 12 auto insurance instant quote sites in January that they were likely targeted.
"Following that alert, six more insurers reported to DFS the malicious targeting of their auto quote websites," the state agency says. "Two of those insurers reported that the attackers failed to gain access to NPI [nonpublic information] and four reported that the attackers did gain access to NPI or that their investigation was still ongoing."
The state agency says the campaign is likely tied to efforts to steal PII to use in fraudulent attempts to apply for pandemic-related benefits and unemployment insurance.
"Notably, the concerted effort to steal NPI from New Yorkers seems to have coincided with the implementation of enhanced identity requirements to obtain pandemic benefits in New York," the alert says.
DFS did not release any information on the number of individuals who have been victimized in these attacks in New York or elsewhere.
Stealing the Data
Fraudsters are using several techniques to infiltrate systems and then steal data from the instant quote websites, the alert says.
"On the auto quote websites, the criminals entered valid name, any date of birth and any address information into the required fields," the state agency says. "The automobile insurance quote websites then displayed an estimated insurance premium quote along with partial or redacted consumer NPI including a driver’s license number. The attackers captured the full, unredacted driver’s license numbers without going any further in the process and abandoned the quote."
The alert says the hackers:
- Take advantage of vulnerabilities in the site to access unredacted PII directly from where it's stored;
- Use developer debug tools to intercept and decode unredacted PII;
- Use web browser developer tools to access the parts of the websites where the redacted data is stored;
- After requesting a quote, enter an order to purchase an insurance policy, using fraudulent payment methods, to view the policy owner's driver's license number and other information;
- Sometimes call an agent and use social engineering techniques to gain personal information.
The DFS Cyber Intelligence Unit has found complete step-by-step instructions to implement these techniques for sale on darknet forums.
Detecting an Attack
The initial telltale sign that a site is being hit with this style of attack is a spike in quote requests tied to an unusually large number of abandoned quotes taking place during a short period, the alert says.
"More broadly, regulated entities should look for any increase in consumer submissions that terminate as soon as NPI is revealed," DFS says.
If such activity is spotted, companies should check their server logs for indications of any manipulation of the website using web developer tools, state officials advise.
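The check described above, counting quote sessions that end as soon as NPI is displayed and flagging short windows where they spike, can be sketched as follows. This is an added example, not code from the DFS alert or from any insurer; the log format, the event names (`quote_start`, `npi_displayed`, `quote_continue`) and the thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one per line: "ISO-timestamp session_id event".
# The event names are assumptions; map them to your own application logging.
def make_sample():
    base = datetime(2021, 1, 1, 9, 0, 0)
    lines = []
    # Normal traffic: 6 sessions over an hour, most continue past the NPI page.
    for i in range(6):
        t = base + timedelta(minutes=10 * i)
        lines.append(f"{t.isoformat()} n{i} quote_start")
        lines.append(f"{(t + timedelta(seconds=40)).isoformat()} n{i} npi_displayed")
        if i != 0:
            lines.append(f"{(t + timedelta(seconds=90)).isoformat()} n{i} quote_continue")
    # Burst: 30 sessions within 5 minutes that all stop at npi_displayed.
    burst = base + timedelta(hours=1)
    for i in range(30):
        t = burst + timedelta(seconds=10 * i)
        lines.append(f"{t.isoformat()} b{i} quote_start")
        lines.append(f"{(t + timedelta(seconds=5)).isoformat()} b{i} npi_displayed")
    return lines

def last_events(lines):
    """Return {session_id: (time of last event, name of last event)}."""
    last = {}
    for line in lines:
        ts, sid, event = line.split()
        t = datetime.fromisoformat(ts)
        if sid not in last or t >= last[sid][0]:
            last[sid] = (t, event)
    return last

def suspicious_windows(lines, window_min=15, min_abandoned=20, min_ratio=0.8):
    """Flag time windows with many sessions that ended at the NPI display."""
    total, abandoned = defaultdict(int), defaultdict(int)
    for t, event in last_events(lines).values():
        bucket = t.replace(minute=t.minute - t.minute % window_min, second=0, microsecond=0)
        total[bucket] += 1
        if event == "npi_displayed":
            abandoned[bucket] += 1
    return sorted(
        (b, abandoned[b], total[b]) for b in total
        if abandoned[b] >= min_abandoned and abandoned[b] / total[b] >= min_ratio
    )

if __name__ == "__main__":
    for bucket, n_abandoned, n_total in suspicious_windows(make_sample()):
        print(f"{bucket.isoformat()} abandoned-after-NPI {n_abandoned}/{n_total}")
```

Sessions still in progress when the log ends look abandoned to this check, so the most recent window should be evaluated only after it has closed.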
To help mitigate the risks, the state agency advises instant quote sites to make sure they're properly using Secure Sockets Layer, Transport Layer Security, HTTP Strict Transport Security and Hypertext Markup Language.
The state agency also suggests companies confirm that the technology they use for redaction and data obfuscation is properly implemented.