It costs about $1,000 to purchase a person’s identity on the dark web from stolen financial accounts. Why pay $1,000 when it’s only $2 to steal a car’s identity and still make a hefty profit?

Kasada’s Threat Research team found evidence that a successful credential stuffing attack may have been performed against large automotive manufacturers, leaving accounts exposed to fraud and theft. Automated account takeover (ATO) provides bad actors with access to personal information as well as vehicle data such as car make, model, registered user, address, and vehicle identification number (VIN). These customer accounts are then resold illegally within private Telegram communities for profit.

In addition to enabling identity theft, it also provides information for criminals to target theft of particular car makes and models, register stolen vehicles, and take over GPS-enabled mobile apps.

Why Walk When You Can Drive?

From Sneakers to Cars

Much of the botting ecosystem has evolved from scalper bots used to purchase in-demand items such as sneakers, tickets, and gaming consoles. The legality of such bots is gray – whereby the use of bots for tickets is illegal (albeit loosely enforced via BOTS Act of 2016), but other goods and services are not.

The sophistication of these bots used to snag sneakers has shifted to online fraud. The same bots can be easily repurposed to test stolen user credentials and perform account takeover (ATO). Using bots to commit ATO has been an unfortunate reality for most retailers to steal credit cards, gift cards, and loyalty points. However, attackers have realized the profit that can be made by cracking non-retail accounts as well. For example, last year Kasada observed the use of bots to obtain and resell online pharmacy accounts to purchase active subscriptions for controlled substances, such as Adderall and Oxycodone.

Over Ten Thousand Auto Accounts Stolen

In just one week, Kasada researchers discovered the availability of 10,000 stolen automotive accounts in underground marketplaces. All of which targeted a single, large European automotive manufacturer with motorists and vehicles residing within the US. They are located within a private Telegram group and sell for $2 per account. Most notable is the promotion that VIN is included within the account. This was the first time the Kasada research team had seen the availability of such accounts for sale.

After the first week, the same Telegram group expanded their operations to include two major US auto manufacturers, with the total number of accounts available for sale approaching 15,000.

A screenshot of car accounts for sale in a cybercriminal forum found by Kasada Threat Intelligence
Availability of stolen automotive accounts for sale within private Telegram group

How Fraudsters Commit Account Takeovers (ATO) to Sell Stolen Accounts 

With free open-source tools widely available to automatically crack accounts, a bot operator can monetize credential stuffing with very little effort.

Automated account cracking tools, including Open Bullet and OpenBullet2, are loaded with bots and configurations similar to those used for scalping. Cybercriminals use these tools perform a credential stuffing attack on an automotive website or mobile app. By stuffing stolen usernames and passwords, the attacker exploits the fact that consumers reuse the same credentials to log in at different websites. A small percentage of the stolen credentials “work” and allow the attacker to successfully take over accounts with legitimate login credentials.

Once an account is taken over, the attacker also automates the process of extracting its content to eliminate as much human involvement as possible to maximize profitability. In addition to account credentials, some of the other data extracted from accounts include customer email, vehicle make and model, and VIN(s). One can purchase accounts with the make and model of their choosing.
 
Example evidence of stolen account information

What could be done with these accounts after purchasing? 

As you can imagine, there are many ways to commit fraud using stolen auto accounts with VINs. A massive dealership database leak shed light on the vast possibilities for criminals. Here are some examples of how these auto accounts could be used to facilitate theft and fraud:

  1. Car cloningStolen VINs can be used to create replica tags, making it difficult to distinguish stolen cars from the original. They physically replace the original tags on a stolen car. The criminal ensures the replica tag is for the same car make and model. Criminals can then fraudulently obtain ownership documents, such as a title, in order to sell the cloned car for a profit.
  2. Illegal car registrationWith a legitimate VIN, fraudsters can apply for duplicate ownership papers. Such papers can be used on other cars that have been stolen or may have been reconstructed. A single VIN can be used to register dozens of stolen vehicles. Fraudsters can then sell the stolen vehicles for a hefty profit with seemingly valid paperwork.
  3. Car and home theftWith legitimate VINs, bad actors can link the car to the manufacturer’s mobile app. They can locate the car using GPS location, start the car remotely, and unlock its doors. Vroom vroom… off they go. In addition, a criminal could also learn the owner’s home address and determine whether the owner is at home, potentially leading to other acts of theft.
  4. Identity fraudCybercriminals could use stolen account credentials and the VIN to reset the car account. From there, they can access a wide range of sensitive information, including drivers’ names, phone numbers, email, and physical addresses. This information could be used to inexpensively facilitate identity theft. In addition, social engineering techniques like spearfishing emails can be used to persuade car owners to exchange personal information used to commit other acts of fraud.
  5. Loan fraudCriminals can duplicate legitimate VIN numbers and then use that information to put a lien against a car to get cash from loan agencies. This type of fraud goes unnoticed until the actual owner of the vehicle attempts to sell the car, likely years after the fraud occurs. At which time the owner must pay off the lien or attempt to unravel the fraud in order to sell their car.
  6. Mail and phone fraudMost warranty notifications offered by direct mail and phone are scams. Armed with the make and model of the vehicle, fraudsters offer worthless warranties that seem legitimate preying on the uninformed. The terms of such warranties are loaded with hidden contractual terms that they are unlikely to ever payout in the event of a claim. Armed with a car’s VIN, a fraudster can extend their direct mail and phone activities to recall fraud. The fraudster impersonates the manufacturer claiming a recall notification, only to steal your identity and money.

Credential Stuffing Impacts All Industries

Credential stuffing attacks are not limited to any specific industry. Attackers target a wide range of sectors, from automotive, eCommerce, financial services, and social media. Any platform that relies on user accounts and passwords is susceptible to credential stuffing and ATOs. Account takeovers continue to be a problem as automation is an effective and highly scalable means to generate a profit. Consumers continue to use the same credentials for different accounts which is the root cause as to why accounts are stolen and put up for sale. Another lesser-known reason why ATO continues to be a problem is that new adversarial techniques, such as solver services and AI-enabled CAPTCHA bypasses, evade traditional anti-bot detections.

Steps you can take to protect your organization:

  1. Activity monitor your systems for signs of account takeovers and unusual login activity. By identifying compromised accounts early, you can protect your data and customers.
  2. Enable multi-factor authentication (MFA). While MFA isn’t a silver bullet, it is part of a defense-in-depth approach that makes it more challenging for attackers to gain unauthorized access even with stolen credentials.
  3. Implement policies that lock out accounts after a certain number of failed login attempts, which can deter bad actors.
  4. Enforce strong password policies, including requirements for complex and unique passwords. We strongly recommend using a secure password manager as well.
  5. Invest in robust bot detection and mitigation to identify and stop malicious bot traffic, even in the face of evolving evasion techniques. 

Is your business a target of automated credential stuffing attacks? Request a free 90-day scan to see if your company has stolen accounts up for sale within the underground communities we monitor.

And if you’re a consumer reading this – stop reusing passwords and change them often!

Want to learn more?

  • Kasada’s Reflections on the Q3 2024 Forrester Wave™ – Bot Management Evaluation

    Kasada named a Strong Performer. Here are some of our own reflections having taken part in this evaluation.

  • Exposing the Credential Stuffing Ecosystem

    Through our infiltration of the credential stuffing ecosystem, we reveal how various individuals collaborate to execute attacks and expose vulnerabilities for profit.

Beat the bots without bothering your customers — see how.