Security News > 2021 > March > Scammers steal New Yorkers' private info for benefits fraud
New York's Department of Financial Services warns of an ongoing series of attacks resulting in the theft of personal information belonging to hundreds of thousands of New Yorkers.
Tactics used to steal New Yorkers' private info.
Using web-debugging tools to steal unredacted, plaintext NPI while in transit from the data vendor to the company; and.
Credential stuffing to gain access to insurance agent accounts and using those agent accounts to steal consumer NPI. Taking unredacted NPI from the Auto Quote Websites' Hypertext Markup Language that was not displayed in the rendered webpage but visible in the HTML. Using developer debug tools to intercept and decode unredacted NPI. In some cases, developer tools were used on the public-facing website to access the HTML code and reshape website frames to view hidden NPI. Manipulating the technology used to redact portions of NPI using web browser developer tools to access the parts of the websites that redacted data, therefore fully revealing the NPI on the public-facing website.
Scammers use the NPI harvested in this large-scale operation to claim various types of benefits in the name of their victims, which has resulted in a massive increase in benefits fraud, according to New York's Department of Financial Services.
NY DFS' cybersecurity division added that the increase of attacks targeting consumers' NPI seems to coincide "With the implementation of enhanced identity requirements to obtain pandemic benefits in New York.".