The Department of Financial Services (“DFS”) recently learned of a systemic and aggressive campaign to exploit cybersecurity flaws in public-facing websites to steal Nonpublic Information (NPI).[i] The unauthorized collection of NPI appears to be part of a growing fraud campaign targeting pandemic and unemployment benefits. Specifically, the hacks are focused on stealing NPI from public-facing websites that display or transmit consumer NPI.
This includes websites that provide an instant quote such as an auto insurance rate using the consumers’ NPI and displaying redacted NPI back to the consumer, such as a redacted driver’s license number (“Instant Quote Websites”).
DFS urges all regulated entities with Instant Quote Websites to immediately review those websites for evidence of hacking. Even if that NPI is redacted, hackers have shown that they are adept at stealing the full unredacted NPI. DFS has already received several reports from regulated entities that have detected both successful and unsuccessful versions of these cyber-attacks. An overview of hacking techniques seen to date is described below, as well as certain indicators of compromise (“IOCs”) that can signal that an attack has occurred. In addition to data theft targeted at Instant Quote Websites, DFS is aware of increased attempts to steal NPI from other public-facing websites. All regulated entities with public-facing websites that display or transmit NPI – even redacted NPI – should be vigilant and should consider the recommendations below.Regulated entities should remediate any security flaws immediately and are reminded to report Cybersecurity Events pursuant to 23 NYCRR Section 500.17(a) as promptly as possible and within 72 hours at the latest. DFS also asks that any attempt to steal NPI from any public-facing website be promptly reported to DFS. Reports of unsuccessful attacks have been useful in identifying techniques used by the attackers and enable DFS to respond quickly to new threats to continue to protect consumers and the financial services industry.
The Cyber Fraud
FS first became aware of this cyber campaign when it received reports from two auto insurers in late December 2020 and early January 2021, that cybercriminals were targeting their websites that offer instant online automobile insurance premium quotes (“Auto Quote Websites”) to steal unredacted driver’s license numbers. The insurers first noticed this activity because of an unusually high number of abandoned quotes or quotes not pursued after the display of the estimated insurance premium. On the Auto Quote Websites, the criminals entered valid name, any date of birth and any address information into the required fields. The Auto Quote Websites then displayed an estimated insurance premium quote along with partial or redacted consumer NPI including a driver’s license number. The attackers captured the full, unredacted driver’s license numbers without going any further in the process and abandoned the quote.In January 2021, DFS alerted approximately a dozen regulated entities maintaining Auto Quote Websites that they were likely targets of hackers looking to gain access to New Yorkers’ NPI, specifically driver’s license numbers. Following that alert, six more insurers reported to DFS the malicious targeting of their Auto Quote Websites. Two of those insurers reported that the attackers failed to gain access to NPI and four reported that the attackers did gain access to NPI or that their investigation was still ongoing. We appreciate the engagement of our regulated entities and their prompt response to our earlier, limited alert. This activity appears to be part of an overall increase in efforts to steal NPI, driven in part by increased fraud activity during the pandemic. Since the COVID-19 pandemic started, the U.S. has seen an unprecedented surge in benefits fraud.[ii] DFS has confirmed that, at least in some cases, this stolen information has been used to submit fraudulent claims for pandemic and unemployment benefits. Notably, the concerted effort to steal NPI from New Yorkers seems to have coincided with the implementation of enhanced identity requirements to obtain pandemic benefits in New York.Reports to date have confirmed several methods that criminals used successfully (or attempted to use) to steal NPI from Auto Quote Websites:
- Taking unredacted NPI from the Auto Quote Websites’ Hypertext Markup Language (“HTML”) that was not displayed in the rendered webpage but visible in the HTML.
- Using developer debug tools to intercept and decode unredacted NPI. In some cases, developer tools were used on the public-facing website to access the HTML code and reshape website frames to view hidden NPI.
- Manipulating the technology used to redact portions of NPI by using web browser developer tools to access the parts of the websites that redacted data, therefore fully revealing the NPI on the public-facing website.
- Purchasing a policy, after requesting a quote, using fraudulent payment methods in order to view the policy owner’s information, including his or her driver’s license number.
- Requesting a quote and receiving an agent’s contact information, and then calling the agent and using social engineering to elicit NPI from the agent.
These methods can be applied to any Instant Quote Websites and any websites that display redacted NPI, not just the websites of auto insurers. DFS is aware of evidence that this cybercrime activity is not limited to auto insurance websites.DFS’s Cyber Intelligence Unit also has discovered communications on cybercrime forums offering to sell techniques to access driver’s license numbers from auto insurance websites and step-by-step instructions on how to steal them. Step-by-step instructions for stealing NPI from an auto insurer’s website were also found in an open-source repository, an online public archive for sharing and storing files. DFS’s Cyber Intelligence Unit further discovered similar offers from cybercriminals to sell access to, and techniques for stealing, NPI from public-facing websites of other types of financial services companies, such as mortgage lending providers and credit reporting bureaus.
Detecting Data Theft
All entities with a public-facing website that display or transmit redacted NPI – i.e. that use Instant Quote Websites — are vulnerable to this type of data theft. Any DFS-regulated entity with a website that uses this type of technology immediately should review the following indicators to determine whether their websites have been hacked:(1) Data analytics and website traffic metrics for spikes of quote requests. The initial indicator of unauthorized data collection in the data thefts identified above was often an unusual number of abandoned quotes occurring in a short timeframe, which upon examination revealed a targeted effort to collect NPI that was intended to be redacted. More broadly, regulated entities should look for any increase in consumer submissions that terminate as soon as NPI is revealed.(2) Server logs for evidence of unauthorized access to NPI. After reviewing the time frame of any unusual pattern of many abandoned quotes, the security team will need to review the logs for that period. When examining the logs of a customer session, security teams should check for indications of any manipulation of the website using web developer tools.This is not an exhaustive list of detection methods/IOCs, and regulated entities should also follow their usual procedures for detecting and responding to cyber incidents.
Recommended Steps to Secure Data
Regulated entities should also review whether it is necessary to display any NPI – even redacted – to users, especially on public-facing websites. NPI should not be displayed on public-facing websites unless there is a compelling reason to do so. Some entities that reported these incidents to DFS have already updated their websites to remove all redacted NPI.Entities that maintain any public-facing website that displays or transmits NPI should also take the following steps:
- Conduct a thorough review of public-facing website security controls, including but not limited to a review of its Secure Sockets Layer (SSL), Transport Layer Security (TLS), and HTTP Strict Transport Security (HSTS) and Hypertext Markup Language (HTML) configurations.
- Review public-facing websites for browser web developer tool functionality. Verify and, if possible, limit the access that users have may have to adjust, deface, or manipulate website content using web developer tools on the public-facing websites.
- Review and confirm that its redaction and data obfuscation solution for NPI is implemented properly throughout the entire transmission of the NPI until it reaches the public-facing website.
- Ensure that privacy protections are up to date and effectively protect NPI by reviewing who is authorized to see NPI, which applications use NPI, and where NPI resides.
- Search and scrub public code repositories for proprietary code.
- Block the IP addresses of the suspected unauthorized users and consider a quote limit per user session.
Any questions or comments regarding this Alert should be directed to CyberAlert@dfs.ny.gov.[i]See 23 NYCRR § 500.01(g).[ii] According to the U.S. Department of Labor’s Office of the Inspector General, through September 2020, at least $36 billion of the $360 billion expended under the CARES Act could be improper payments and frauds. U.S. Department of Labor, Significant Concerns (Sept. 30, 2020). The New York State Department of Labor also identified over 425,000 fraudulent unemployment claims, which prevented fraudsters from stealing over $5.5 billion. New York State Department of Labor, The New York State Department of Labor Stops Fraudsters from Stealing More Than $5.5 Billion in Unemployment Benefits During Covid-19 Pandemic (Feb. 2, 2021).