A new report released by Kasada today found evidence that a successful credential stuffing attack may have been performed against large automotive manufacturers, exposing accounts to fraud and theft.
According to researchers the data is being sold for $2 a piece on a private Telegram Channel.
And it can be used to do a lot of damage
Over 10,000 Accounts Stolen From Large Manufacturer
In just a single week the security researchers at Kasada discovered the availability of 10,000 stolen automotive accounts.
The data appears to have originated from a single large European Automotive manufacturer and is being marketed on underground channels for $2 a piece.
The stolen data gives access to the persons automotive account and it provides fraudsters with access to personal information as well as vehicle data such as car make, model, registered user, address, and vehicle identification number (VIN).
A Shift In Bot Patterns And Now They Are Focused On Cars
Security researchers at Kasada believe that this trend to stealing data on cars is where the hackers are heading.
Sneaker Bots used to be used to buy coveted sneakers online, but now those same bots are being used to attack car manufacturers sites and mobile applications for their valuable data on auto accounts.
How Fraudsters Can Use That Stolen Data
According to Kasada, there are many things that fraudsters are doing with that data. The list is large and you can see why they are concerned.
#1 – They Can Do Car Cloning
Stolen VINs can be used to create replica tags, making it difficult to distinguish stolen cars from the original. They physically replace the original tags on a stolen car. The criminal ensures the replica tag is for the same car make and model. Criminals can then fraudulently obtain ownership documents, such as a title, in order to sell the cloned car for a profit.
Illegal car registration – With a legitimate VIN, fraudsters can apply for duplicate ownership papers. Such papers can be used on other cars that have been stolen or may have been reconstructed. A single VIN can be used to register dozens of stolen vehicles. Fraudsters can then sell the stolen vehicles for a hefty profit with seemingly valid paperwork.
#2 They Can Steal Your Car or Burglarize Your Home
With legitimate VINs, bad actors can link the car to the manufacturer’s mobile app. They can locate the car using GPS location, start the car remotely, and unlock its doors. Vroom vroom… off they go. In addition, a criminal could also learn the owner’s home address and determine whether the owner is at home, potentially leading to other acts of theft.
#3 – They Can Commit Identity fraud
Cybercriminals could use stolen account credentials and the VIN to reset the car account. From there, they can access a wide range of sensitive information, including drivers’ names, phone numbers, email, and physical addresses. This information could be used to inexpensively facilitate identity theft. In addition, social engineering techniques like spearfishing emails can be used to persuade car owners to exchange personal information used to commit other acts of fraud.
#4 They Can Perpetuate Auto Loan Fraud
Criminals can duplicate legitimate VIN numbers and then use that information to put a lien against a car to get cash from loan agencies. This type of fraud goes unnoticed until the actual owner of the vehicle attempts to sell the car, likely years after the fraud occurs. At which time the owner must pay off the lien or attempt to unravel the fraud in order to sell their car.
5 – They Can Commit Mail and phone fraud
Most warranty notifications offered by direct mail and phone are scams. Armed with the make and model of the vehicle, fraudsters offer worthless warranties that seem legitimate preying on the uninformed. The terms of such warranties are loaded with hidden contractual terms that they are unlikely to ever payout in the event of a claim. Armed with a car’s VIN, a fraudster can extend their direct mail and phone activities to recall fraud. The fraudster impersonates the manufacturer claiming a recall notification, only to steal your identity and money.
The Researchers Offer To Help
Security researchers at Kasada are offering a free 90 day scan to companies and they will monitor the dark web for your data.
That offer can be found here – 90 Day Scan