Thousands of government service and CRA accounts hit by credential stuffing attack

With files from Howard Solomon

 

The Government of Canada says thousands of GCKey service and Canada Revenue Agency income and business tax accounts have been slammed with multiple credential stuffing attacks.

Used by roughly 30 federal departments, GCKey lets Canadians access services like Employment and Social Development Canada’s My Service Canada Account or their Immigration, Refugees and Citizenship Canada account. The Treasury Board of Canada Secretariat says that of the roughly 12 million active GCKey accounts in Canada, the passwords and usernames of 9,041 users were obtained fraudulently and used to try to access government services. A third of those hacked accounts accessed government services and are being “further examined for suspicious activity.”

The bad news continues. Approximately 5,500 CRA accounts were targeted as part of the GCKey attack and another recent “credential stuffing” attack aimed at the CRA, according to an Aug. 15 press release. 

“Access to all affected accounts has been disabled to maintain the safety and security of taxpayers’ information and the Agency is contacting all affected individuals and will work with them to restore access to their CRA MyAccount,” it reads.

The RCMP is investigating, and the federal Privacy Commissioner has been contacted and alerted to possible breaches. But as of August 15th, it was unclear if any information was obtained from the attack. CBC News reports that several Canadians say email addresses associated with their CRA accounts had been changed, their direct deposit information altered and that COVID-19 aid payments under the Canada Emergency Response Benefit (CERB) had been issued in their name even though they had not applied for the benefit.

The CRA says affected users will be contacted directly.

IT World Canada has reached out to the Treasury Board of Canada Secretariat to confirm the exact number of affected CRA accounts and will update the story upon confirmation. A CRA spokesperson declined a request for an interview and instead referred a reporter to Saturday’s press release.

That release says CRA is prioritizing calls from the victims of the attacks and is answering calls as quickly as possible. When calling the CRA, the statement says, impacted individuals can select the “report suspected fraud or identity theft” option to expedite their call to a specialized agent appropriately trained to handle these priority calls.

To prevent access to other online government accounts, the link between CRA My Account and My Service Canada Account has temporarily been disabled.

CRA says that, to help reduce the risk of cyberattacks, residents should always use a unique password for all online accounts. “Do not reuse the same password for different systems and applications and regularly monitor all online accounts for suspicious activity.”

The attacks raise the question of why Ottawa doesn’t force all users who register for online services to use two-factor authentication. In an email, Brett Callow, a British Columbia-based threat analyst for Emsisoft, noted that federal websites offer multiple login options, including sign-in via financial institution and provincial government accounts. “While this may be convenient, it results in an expanded attack surface and increases the opportunity for exploitation as the credentials used for logging into those third-party services could, if compromised, be used to improperly access federal government’s services. The government may well need to re-think this strategy as well as consider implementing multi-factor authentication to further secure accounts.

“This incident also demonstrates how important it is for people not to re-use passwords and to use multi-factor authentication wherever it’s offered. Breaches are extremely common and credential stuffing attacks, which make use of the credentials stolen in those breaches, are extremely common too. Practicing good password hygiene is the best way to protect yourself from experiencing the inconvenience of your accounts being compromised.”

The quickly-deployed COVID-19 benefits programs offered by governments around the world are prime targets for hackers because of the huge sums of money involved. In May the CRA issued an alert warning residents not to reply to text messages from scammers saying they have received a deposit for the CERB. This was followed by an alert issued by the Canadian Anti-Fraud Centre.

Also in May our Cyber Security Today podcast reported the discovery by Kela Research of a CERB cheque scam, with criminals selling editable digital copies of CERB cheques on the dark web. A criminal can either purchase a digital file and fill in their own name or have a criminal service do the editing for them. Typically the cheque is put into a bank by a mobile deposit in what is called a “drop” account, one of a number of accounts that were opened by criminals some time ago with fake ID and are used for transferring money. Criminals often buy and sell drop accounts from each other.

Opposition critics have complained the government rushed the CERB program without checks and balances to prevent fraud.

The New York Times reported in May that a group of international fraudsters appeared to have mounted an immense, sophisticated attack on U.S. unemployment systems to siphon millions of dollars in COVID-19-related payments. “The attackers have used detailed information about U.S. citizens, such as social security numbers that may have been obtained from cyber hacks of years past, to file claims on behalf of people who have not been laid off, officials said.”

Last month the FBI reported a spike in fraudulent U.S. unemployment insurance claims complaints related to the pandemic involving the use of stolen personally identifiable information.


