Recently, there has been an increase in cybercrime against financial services companies in New York. The New York Department of Financial Services has sent an alert about the threat to NY-based organizations, but one can only assume this threat also impacts companies outside of New York.
The attackers are targeting the public-facing websites of financial services companies to harvest Nonpublic Information (NPI). The NPI includes consumers' names, dates of birth, addresses, driver's license numbers, vehicle makes and models, vehicle identification numbers, and household members' data. But the question is, what are these attackers doing with this information, and what can the targeted companies do to protect their consumers' data?
Once a consumer's NPI has been stolen, an attacker can use that information to fraudulently claim benefits, such as unemployment, in the victim's name. The threat actors in this fraud campaign use the following methods to obtain a victim's NPI:
Fortunately, the New York State Department of Financial Services (DFS) has provided companies with some suggestions to protect themselves from becoming the attackers' next victim. In general, the DFS recommends that financial services companies check whether they have implemented all of the access controls detailed in DFS's cybersecurity regulation 23 NYCRR 500. If they have not, DFS urges these companies to implement them as soon as possible.
In addition to implementing the controls outlined in DFS's regulation, organizations can:
Although intended for financial services firms, these recommendations also apply to any organization with Internet-facing systems that hold NPI, PII, or similar sensitive data.