Researchers have found almost 15,000 automotive accounts for sale online and pointed at a credential-stuffing attack that targeted car makers.
The team at Kasada did not name the car manufacturers in question, only saying that the first 10,000 accounts “targeted a single, large European automotive manufacturer with motorists and vehicles residing within the US.”
Researchers discovered the stolen accounts in a private group on OTT app Telegram, which soon expanded to include accounts from two major US car makers, bringing the total number for sale to nearly 15,000.
And the price? $2 per account. Significantly, the VIN (vehicle identification number) was included in the sale. This represented the first time the Kasada team had seen such information available for purchase.
While purchasing personal information has long been possible, getting hold of a car’s identity represents a new avenue toward profit for criminals.
A VIN can be used to create replica license information that can then be applied to stolen cars; it can be used for nefarious registration purposes and, in some cases, to connect to a car maker’s mobile app to unlock a vehicle or perform other activities.
All manner of fraud is also possible, including loan fraud – where criminals might use the information to tie a loan to a car – or identity fraud, where the VIN and stolen account credentials are used to reset a car account, from which information such as the names of drivers, phone numbers, and physical addresses can be extracted.
As Reg readers know, a credential-stuffing attack occurs when criminals use automation to log into accounts with stolen credentials. The method exploits users’ habit of reusing the same password over multiple sites. The team at Kasada said: “A small percentage of the stolen credentials ‘work’ and allow the attacker to successfully take over accounts with legitimate login credentials.”
Once in, the process of extracting information, such as the vehicle make, model and VIN, is also automated to speed things along.
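The pattern described above – one source replaying a long list of leaked username/password pairs against a login endpoint, with only a small fraction succeeding – is also what a defender looks for in the login logs. The following is an added example, not Kasada’s or any car maker’s code: it flags source IPs that cycle through many distinct usernames in a short window with a low success rate, and then lists the accounts that did succeed from those sources, since those are the ones the attacker will go on to harvest VINs and driver details from. The log format, the sample events and the thresholds are all assumptions made for this example.

```python
"""Flag credential-stuffing sources in web login logs.

Heuristic (an assumption for this example, not a product rule): a single
source IP that tries many *distinct* usernames inside a short window, with a
low success rate, is replaying stolen credentials. Accounts that succeeded
from such a source should be treated as taken over and force-reset.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). Format, assumed for this
# example: "<ISO timestamp> <source IP> <username> <OK|FAIL>".
# 203.0.113.7 replays a leaked list; 198.51.100.4 is a real user who
# mistypes once and then logs in.
SAMPLE_LOG = """\
2023-09-13T10:00:01Z 203.0.113.7 alice@example.com FAIL
2023-09-13T10:00:02Z 203.0.113.7 bob@example.com FAIL
2023-09-13T10:00:03Z 203.0.113.7 carol@example.com FAIL
2023-09-13T10:00:04Z 203.0.113.7 dave@example.com FAIL
2023-09-13T10:00:05Z 203.0.113.7 erin@example.com FAIL
2023-09-13T10:00:06Z 203.0.113.7 frank@example.com FAIL
2023-09-13T10:00:07Z 203.0.113.7 grace@example.com FAIL
2023-09-13T10:00:08Z 203.0.113.7 heidi@example.com FAIL
2023-09-13T10:00:09Z 203.0.113.7 ivan@example.com OK
2023-09-13T10:00:10Z 203.0.113.7 judy@example.com FAIL
2023-09-13T10:00:11Z 203.0.113.7 mallory@example.com FAIL
2023-09-13T10:00:12Z 203.0.113.7 oscar@example.com FAIL
2023-09-13T10:01:00Z 198.51.100.4 peggy@example.com FAIL
2023-09-13T10:01:20Z 198.51.100.4 peggy@example.com OK
"""


def parse_events(text):
    """Return a list of (timestamp, ip, username, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=10, max_success_rate=0.2):
    """Return {ip: stats} for sources whose login traffic looks automated.

    For each IP a sliding window over its attempts is evaluated; an IP is
    flagged when any window contains at least `min_users` distinct usernames
    and its success rate is at most `max_success_rate`. The stats kept are
    those of the widest qualifying window.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):          # sort by timestamp (first tuple field)
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans <= `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            successes = sum(1 for e in win if e[3] == "OK")
            rate = successes / len(win)
            if len(users) >= min_users and rate <= max_success_rate:
                prev = flagged.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    flagged[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(win),
                        "successes": successes,
                        "success_rate": round(rate, 3),
                    }
    return flagged


def compromised_accounts(events, flagged):
    """Usernames that logged in successfully from a flagged source."""
    return sorted({e[2] for e in events if e[1] in flagged and e[3] == "OK"})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    hits = find_stuffing_sources(evs)
    for ip, stats in hits.items():
        print(ip, stats)
    print("force-reset:", compromised_accounts(evs, hits))
```

The thresholds are deliberately coarse; in production the window and distinct-user count would be tuned to the site's normal traffic, and the same signal should be computed per username across IPs as well, because stuffing tools commonly rotate through proxy pools to keep each IP under any single-source threshold.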
The research comes a week after Mozilla declared cars from 25 automakers “data privacy nightmares on wheels.” Kasada’s findings demonstrate that, as well as understanding the data being collected by their cars, customers should also pay attention to how the accounts they hold with car makers are secured.
Kasada noted that credential-stuffing attacks affected all industries due to customers reusing passwords. Not helping is the appearance of services such as AI-enabled CAPTCHA bypasses to help criminals dodge anti-bot detection.
Mitigations include customers using a password manager so that they stop reusing passwords, and enabling multi-factor authentication (MFA) on their accounts where the car maker offers it. MFA is not a silver bullet, but it does make things more challenging for attackers. ®