Here's how cybercriminals targeted CRA by using previously stolen credentials
Government offices in Canada became the latest target of cybercriminals in a series of attacks that forced multiple agencies to shut down their online portals for one weekend.
While the offices have since resumed their digital services, the incident underlines a fundamental lesson in cybersecurity: never reuse a password across sites.
Authorities reported a total of 300,000 intrusion attempts against at least 24 agencies, including the Canada Revenue Agency (CRA), which processes applications for CERB, the country’s COVID-19 emergency response benefit for out-of-work Canadians.
Of the 12 million personal accounts associated with these government agencies, an estimated 11,200 were compromised – with about 5,600 linked to CRA.
In one incident, a woman said she had received an email from CRA informing her that her CERB application had been approved despite the fact she had never signed up for the benefit, CTV News reported last week.
How fraudsters attacked government systems
Marc Brouillard, the government’s acting chief information officer, recounted how “a large amount of traffic using a botnet” directly targeted the CRA portal.
The fraudsters’ weapon of choice: credential stuffing.
The attack starts from lists of usernames and passwords leaked in earlier breaches. Automated tools then replay each pair against the login page of an unrelated site; every account whose owner reused the same password elsewhere is taken over, while the rest simply fail.
People who use the exact same password for their personal or business email, social media profiles and other subscription accounts are therefore the most exposed to this type of attack.
The credentials are typically obtained from previous data breaches, or harvested through phishing and whaling campaigns and earlier account takeovers, and then traded or shared among criminals.
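The shape of a credential-stuffing run, many distinct usernames from one source with mostly failures and a handful of successes, is what a portal operator can look for in its own login logs. The following is an added example, not code from the article or from any Government of Canada system; the log format, the thresholds and the sample lines are constructed for illustration.

```python
"""Credential-stuffing detector over a constructed web-portal login log.

Added example; not code from the article or from any Government of Canada
system. The log format, the thresholds and the sample lines are assumptions
chosen to illustrate the technique.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: "timestamp source_ip username result", one login per line.
# 203.0.113.7 sprays twelve different usernames in seven seconds (stuffing);
# 198.51.100.4 retries a single username (brute force or a typo);
# 192.0.2.9 is an ordinary successful login.
SAMPLE_LOG = """\
2020-08-15T02:00:01Z 203.0.113.7 alice.m FAIL
2020-08-15T02:00:02Z 203.0.113.7 bob.t FAIL
2020-08-15T02:00:02Z 203.0.113.7 carol.w SUCCESS
2020-08-15T02:00:03Z 203.0.113.7 dan.k FAIL
2020-08-15T02:00:03Z 203.0.113.7 erin.p FAIL
2020-08-15T02:00:04Z 203.0.113.7 frank.o FAIL
2020-08-15T02:00:04Z 203.0.113.7 gina.r FAIL
2020-08-15T02:00:05Z 203.0.113.7 hal.s SUCCESS
2020-08-15T02:00:05Z 203.0.113.7 ivy.l FAIL
2020-08-15T02:00:06Z 203.0.113.7 jon.q FAIL
2020-08-15T02:00:06Z 203.0.113.7 kim.v FAIL
2020-08-15T02:00:07Z 203.0.113.7 lee.b FAIL
2020-08-15T02:10:00Z 198.51.100.4 alice.m FAIL
2020-08-15T02:10:09Z 198.51.100.4 alice.m FAIL
2020-08-15T02:10:20Z 198.51.100.4 alice.m SUCCESS
2020-08-15T02:15:00Z 192.0.2.9 bob.t SUCCESS
"""


@dataclass
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the constructed log format into Event records sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            ip, user, result == "SUCCESS"))
    return sorted(events, key=lambda e: e.ts)


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_users=8, min_fail_rate=0.7):
    """Return {ip: stats} for sources that, inside one sliding time window,
    try at least `min_users` distinct usernames with a failure rate of at
    least `min_fail_rate`.

    Many usernames, mostly failures, few retries per username is the
    credential-stuffing shape: each leaked pair is replayed once and only the
    reused passwords succeed. One username with many failures is brute force
    and is deliberately not flagged by this rule.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)          # events stay in time order per IP

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1             # slide the window forward
            win = evs[start:end + 1]
            users = {e.user for e in win}
            fail_rate = sum(not e.ok for e in win) / len(win)
            if len(users) >= min_users and fail_rate >= min_fail_rate:
                alerts[ip] = {
                    "attempts": len(evs),
                    "distinct_users": len({e.user for e in evs}),
                    "fail_rate": round(sum(not e.ok for e in evs) / len(evs), 2),
                    # Accounts the attacker actually got into: these need a
                    # forced password reset and session revocation.
                    "successful_logins": sorted({e.user for e in evs if e.ok}),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, stats in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

Two caveats a practitioner should keep in mind. The successful logins inside a flagged burst are the actionable output: they are the accounts whose owners reused a breached password, and they need a forced reset rather than just a blocked IP. And a per-IP rule like this one is exactly what a botnet evades, since each node may try only a few pairs; in that case the same signal has to be computed across all sources, for example a spike in the portal-wide count of usernames that fail exactly once in a window.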
In the case of CRA and other agencies, the victims’ login info came from past non-government breaches, according to Scott Jones, who leads Canada’s Centre for Cyber Security.
“They were effective because Canadians reused old passwords on government of Canada systems,” Jones said on CNN.
Stolen passwords and their subsequent reuse in credential stuffing attacks put both organisations and individuals at risk. In 2018 alone, more than 30 billion credential attacks were recorded, according to data from password management specialist 1Password.
Matt Macinnis, whose HR tech company Rippling relies on 1Password, believes employers need to be proactive in keeping these cyberattacks at bay since more workers are shifting to telecommuting.
“As remote work becomes the new normal, businesses have to be more vigilant about protecting data through good password hygiene,” Macinnis said.