At a glance.
- Data breach reported at General Motors.
- New extortion group uses publicity as leverage.
Hackers take a joy ride with General Motors customer reward points.
US automobile manufacturer General Motors (GM) has disclosed that it suffered a credential stuffing attack last month impacting an online platform that helps owners of Chevrolet, Buick, GMC, and Cadillac vehicles manage their bills and redeem rewards points. Information Security Magazine reports that the attackers not only accessed customer data, but in some cases also redeemed the victims’ rewards points to snag gift cards. “Based on the investigation to date, there is no evidence that the log in information was obtained from GM itself,” GM said in a data breach notification. “We believe that unauthorized parties gained access to customer login credentials that were previously compromised on other non-GM sites and then reused those credentials on the customer's GM account.” The impacted data includes names, email addresses, home addresses, usernames, phone numbers, last known and saved favorite location information, and profile pictures. GM stated that it will be restoring rewards points for all impacted customers, and has advised all users to reset their passwords and request credit reports from their banks.
Uriel Maimon, VP of Emerging Products at PerimeterX, commented:
“With the recent attack on wedding planning startup Zola, and now GM, credential stuffing attacks continue to fuel the web attack lifecycle, potentially using these stolen user credentials on other e-commerce sites. We can expect that these credentials will soon be tested on other apps that we use daily to power our lives. The responsibility lies on app providers and website owners to make it difficult and expensive for cybercriminals to use the information in order to disrupt the cycle of attacks. This means stopping the theft, validation and fraudulent use of account and identity information everywhere along a consumer’s digital journey. Once cyber criminals have access to accounts, they can purchase goods, cash in loyalty points, sell the credentials on the dark web, or even take out lines of credit. Malicious login attempts out of total logins trended upwards during 2021, reaching a staggering 93.8% of all login attempts in August, which was an 8% increase on the 2020 peak.
“This is the new frontier of information security: attackers have gained access to these users’ accounts not through any failure on the part of the website owner, but rather due to the natural human tendency to reuse username/passwords across multiple sites. And yet despite that fact, organizations have a legal and ethical obligation to safeguard the personal and financial information of their users. This underscores the change in paradigm wherein website owners need to not just protect their sites from standard cyberattacks, but also safeguard the information they hold on behalf of users. They can achieve this by tracking behavioristic and forensics signals of users logging in in order to differentiate between real users and attackers.”
New extortion group uses publicity as leverage.
The newest data extortion group on the block is RansomHouse, a darknet site where threat actors publish evidence of data theft and leak the info of organizations that refuse to meet ransom demands. As Bleeping Computer explains, the group sets itself apart by claiming they use no malware, instead infiltrating networks by exploiting existing vulnerabilities. What’s more, they put the blame on the target companies for not finding those vulnerabilities before the hackers do. On RansomHouse’s “About Us” page they explain, “We believe that the culprits are not the ones who found the vulnerability or carried out the hack, but those who did not take proper care of security. The culprits are those who did not put a lock on the door leaving it wide open inviting everyone.” RansomHouse’s first hit is believed to be the Saskatchewan Liquor and Gaming Authority, listed on the extortion site last December, and the most recent is a German airline support service provider. Clearly focused on using publicity as a bargaining chip, the group also posts links to media coverage of their attacks. Furthermore, posts found promoting RansomHouse on the Lapsus$ gang’s Telegram channel indicate that the new operation is also interested in selling their bounty to other threat actors. While RansomHouse is still small, with only four alleged attacks, the up-and-comers should be on everyone’s radar.