As if working more or less remotely for almost a year now hasn't presented enough challenges, executives at companies in the financial services sector have a new scam to look out for.

The New York Department of Financial Services issued a Cyber Fraud Alert last week warning of a new campaign that's trying to leverage flaws and misconfigurations in financial websites in order to glean nonpublic information or NPI.

The alert, pushed out via NYDFS’ Cybersecurity Division, specifically calls out websites that provide instant quotes, like auto insurance rate websites, that once filled out with consumer information display that sensitive information like driver's license numbers back to the consumer. In these scenarios, that information is being intercepted and stolen by a hacker, the department warns. NYDFS claims the data that's gathered is being used to carry out identity theft through unauthorized pandemic and unemployment benefit claims.

Organizations that are regulated by the NYDFS to do business in New York, including banks, insurance companies, mortgage companies, trust companies, and lenders, have to comply with the department's Cybersecurity Regulation. It's not a surprise that the department wants these organizations to stay in the loop around new and ongoing cybersecurity issues like this campaign.

NYDFS apparently notified a dozen insurance websites that they were being targeted by the campaign last month; last week's alert is the first the public has heard of the campaign.

The alert is especially relevant for insurance companies who offer rates online - services like Nationwide and Progressive for example – and may have website visitors from the state of New York to better detect and deter data theft.

The department is encouraging CISOs, senior information officers, and data privacy officers at these organizations to review their sites for any evidence of the aforementioned activity. NYDFS included indicators of compromise (IOCs) and hacking techniques to aid in detection.

Judging by the letter it sounds like cybercriminals are using a few techniques to take advantage of how instant quote insurance websites operate in order to steal NPI. They're taking NPI that may not appear visible on a website but is present in HTML, they’re using developer debug tools to intercept and decode NPI so they can view it, and using social engineering in order to trick insurance agents into giving up NPI.

It’s a fairly recent problem – NYDFS says it received reports from car insurers about the attacks in December 2020 and early January 2021 – sparked by COVID-19 and in New York by recent requirements implemented to receive pandemic benefits.

For the uninitiated, cybercriminals are making it easy to facilitate the theft, offering tips on how to access driver's license numbers from websites, how to steal them, and further guidance on how to sell them. It's not just car insurance sites, NYDFS has also seen activity on mortgage lending provider and credit reporting bureau websites.

To ensure attackers aren’t targeting their organization’s website for user data, NYDFS is encouraging the following steps be followed:

• Conduct a thorough review of public-facing website security controls, including but not limited to a review of its Secure Sockets Layer (SSL), Transport Layer Security (TLS), and HTTP Strict Transport Security (HSTS) and Hypertext Markup Language (HTML) configurations.
• Review public-facing websites for browser web developer tool functionality.  Verify and, if possible, limit the access that users may have to adjust, deface, or manipulate website content using web developer tools on the public-facing websites.
• Review and confirm that its redaction and data obfuscation solution for NPI is implemented properly throughout the entire transmission of the NPI until it reaches the public-facing website.
• Ensure that privacy protections are up to date and effectively protect NPI by reviewing who is authorized to see NPI, which applications use NPI, and where NPI resides.
• Search and scrub public code repositories for proprietary code.
• Block the IP addresses of the suspected unauthorized users and consider a quote limit per user session.