Securing the Digital World

Fraudsters Exploit Benefits Programs in New Round of Global Attacks

May 19, 2020 | by Angel Grant, CISSP

For years, our industry has tracked and commented on a growing number of data breaches and witnessed some of the nefarious ways that bad actors will leverage compromised credentials. There is now a growing treasure trove of personally identifiable information (PII) and user credentials waiting in the depths of the Dark Web or even in public forums for fraudsters to exploit.

Now, it appears cybercriminals are leveraging stolen data to exploit the current global disruption. According to the U.S. Secret Service, one particular crime ring is using a database of stolen identity data – including Social Security Numbers (SSNs) – to file thousands of fraudulent unemployment insurance claims.

This is yet another example of why identity is the most consequential attack vector. It's easily manipulated to conduct new account enrollment and account takeover. For fraudsters, this presents a rich opportunity to abuse the weak identity verification and authentication requirements on many legacy systems in the public sector.

Separately, fraudsters are targeting Australians' retirement (or superannuation) funds as the government recently granted retirees access to some of their savings to help with hardships. In 2019, Australians lost over $6 million and in the UK, Action Fraud noted the loss of over £800,000 in one week to fraudulent claims using stolen credentials.

The increase in fraud we're seeing globally is not surprising. Cybercriminals always leverage disruption to make a disruption, just like the FTC warned. Anticipate even more fraud scams like this as we enter the "next normal." Many of these types of scams were highlighted by Daniel Cohen, Head of RSA Anti-Fraud Products and Strategy, during his recent conversation on "The Download."

These examples demonstrate the savvy and the speed at which cybercriminals can wreak havoc. Below are some immediate actions organizations can take to align information security strategies to mitigate fraud risks and secure customer data:

  • Monitoring the dark web and open social media forums: The billions of stolen credentials from different sources live in the criminal underground as a surplus of compromised credentials ripe for sale outside of the traditional dark web. Prices for stolen credentials vary and depend on which details are provided.
  • Using infinite factors to determine identity risk: In our interconnected digital world, identities are now made up of infinite factors and everything is part of a credential. Assembling many unrelated attributes and correlating across channels will aid in user profiling to dynamically assess risk of unauthorized access or fraudulent transactions.
  • Preparing for credential stuffing: Criminals are betting that most users will re-use the same email address, user ID and password on multiple websites. Criminals are looking for fast ways to test if the credentials they bought are still valid and on which websites they might work. Put mitigation strategies in place to help identify credential testing, which often precedes account takeover (ATO).
  • Monitoring for identity theft and ATO: Anticipate a spike in unauthorized new accounts and ATO attempts. Recently stolen information is high-quality consumer data and will aid ID theft attacks and the creation of synthetic identities. According to RSA, more than 70% of fraudulent payments are performed when a brand new payee is set up, which should scream mule account.
  • Anticipating a new wave of ransomware: Organizations must determine what data matters most, classify it and make it useless to others with encryption. Cybercriminals don't behave the same way normal site or network users do; they move faster, navigate differently and leave more than one digital trail behind. Consistently identifying and tracking the interactions that occur from the beginning of a web session, through login and transactions helps create a reliable baseline to quickly and effectively discover anomalies and spot advanced attacks.
  • Assessing your Risk Management framework: Do you have a coordinated process between your information security, fraud and risk teams and know how to execute against it? Are you ready in a worst-case scenario? The RSA Risk Frameworks can help you tackle some of the most complex and fast-moving risks emerging in this unprecedented time of business disruption.
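
As an added illustration of the credential-stuffing item above (not RSA code and not part of the original post), this sketch flags a source that tries many distinct usernames with a low success rate inside a short window, and lists the accounts that did log in from it, since those are the ATO candidates to review. The event layout, thresholds and sample events are assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed sample events, not real data:
# (epoch_seconds, source_ip, username, login_succeeded)
SAMPLE_EVENTS = (
    # One source cycling through eight different accounts, one of which works.
    [(1000 + 4 * i, "203.0.113.7", f"user{i}@example.com", i == 6) for i in range(8)]
    # An ordinary user who mistypes a password once, then logs in.
    + [(1010, "198.51.100.20", "alice@example.com", False),
       (1025, "198.51.100.20", "alice@example.com", True),
       (1200, "192.0.2.44", "bob@example.com", True)]
)

def find_credential_testing(events, window=300, min_users=5, max_success_ratio=0.25):
    """Flag sources that attempt >= min_users distinct usernames within
    `window` seconds while succeeding on at most max_success_ratio of tries."""
    by_source = defaultdict(list)
    for ts, src, user, ok in sorted(events):
        by_source[src].append((ts, user, ok))

    findings = {}
    for src, rows in by_source.items():
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans <= window seconds.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            users = {u for _, u, _ in span}
            ratio = sum(ok for _, _, ok in span) / len(span)
            if len(users) < min_users or ratio > max_success_ratio:
                continue
            # Keep the widest burst seen for this source.
            prev = findings.get(src)
            if prev is None or len(users) > prev["distinct_users"]:
                findings[src] = {
                    "distinct_users": len(users),
                    "success_ratio": ratio,
                    # Logins that worked during the burst: review for takeover.
                    "accounts_to_review": sorted({u for _, u, ok in span if ok}),
                }
    return findings

if __name__ == "__main__":
    for src, info in find_credential_testing(SAMPLE_EVENTS).items():
        print(src, info)
```

Keying only on source address misses distributed testing; the same windowing can be keyed on other session attributes the baseline already tracks.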

In a time of disruption, bad actors will take advantage of chaos and confusion. The RSA FraudAction team reported a surge in Dark Web chatter (like the above) on ways to exploit the current situation. Therefore, it's time for information security and fraud prevention to be viewed holistically. As fraud expert Neira Jones shared in a previous blog post, these are "two sides of the same coin: the failure to address cyber risk invariably leads to fraud."

It is more important than ever for information security, risk management and fraud prevention teams to work together to look for anomalous activities.