In February, the New York State Department of Financial Services (DFS) released guidance on a cyber fraud campaign targeting websites that collect non-public information (NPI). Essentially, fraudsters are exploiting misconfigurations in websites and web applications that collect, process, and transmit NPI; think of financial websites that offer instant quotes, such as insurance or lending services.
There have been several confirmed cases of this type of hack, starting back in late 2020 and continuing to the present day. While this guidance is directed at businesses regulated by DFS, it would be prudent for all businesses that collect NPI in a similar fashion to be aware of this potential threat. It is recommended that any company that utilizes this type of auto-quote technology review their website’s configuration and look for indicators of compromise (IOCs). The DFS recommends that potentially impacted organizations begin with an effort to:
“Conduct a thorough review of public-facing website security controls, including but not limited to a review of its Secure Sockets Layer (SSL), Transport Layer Security (TLS), and HTTP Strict Transport Security (HSTS) and Hypertext Markup Language (HTML) configurations.”
For a full list of the DFS recommendations, see their blog post on this topic. Revised guidance, including additional attack methodologies and prevention and remediation methods, was released by DFS on March 30th.
Key Takeaways
Key takeaways from this cyber fraud alert include the exploitation of web debugging tools and the recommendation to implement a web-application firewall (WAF). For more information regarding web-application testing, please visit our Web & Mobile Application Testing Services.
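As an added illustration (not code from the DFS guidance or from GraVoc), the following Python script audits a single instant-quote page response against two of the review items above: whether HSTS is present and strong enough, and whether hidden form fields echo NPI back to the browser, where web debugging tools would expose it. The field-name hints, the one-year max-age baseline and the sample response are assumptions made for the example.

```python
from html.parser import HTMLParser

# Assumed field-name fragments that typically carry non-public information.
NPI_FIELD_HINTS = ("ssn", "license", "dob", "birth", "account", "routing")
MIN_HSTS_MAX_AGE = 31536000  # one year, a common baseline

class HiddenFieldScanner(HTMLParser):
    """Collect hidden <input> fields that arrive pre-populated with NPI."""
    def __init__(self):
        super().__init__()
        self.leaks = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        name = (a.get("name") or "").lower()
        if (tag == "input" and (a.get("type") or "").lower() == "hidden"
                and a.get("value") and any(h in name for h in NPI_FIELD_HINTS)):
            self.leaks.append(name)

def check_hsts(headers):
    """Return findings about the Strict-Transport-Security header."""
    hsts = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
    if hsts is None:
        return ["HSTS header missing"]
    directives = {}
    for part in hsts.split(";"):
        key, _, val = part.strip().partition("=")
        directives[key.lower()] = val.strip()
    findings = []
    max_age = directives.get("max-age", "")
    if not max_age.isdigit() or int(max_age) < MIN_HSTS_MAX_AGE:
        findings.append("HSTS max-age missing or below one year")
    if "includesubdomains" not in directives:
        findings.append("HSTS lacks includeSubDomains")
    return findings

def audit_quote_page(headers, html):
    """Transport check plus HTML check, returned as one list of findings."""
    scanner = HiddenFieldScanner()
    scanner.feed(html)
    findings = check_hsts(headers)
    findings += [f"hidden field '{n}' echoes NPI to the client" for n in scanner.leaks]
    return findings

# Constructed sample response (not captured from any real site).
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=300"}
SAMPLE_HTML = ('<form><input type="hidden" name="driver_license" value="X1234567">'
               '<input type="text" name="zip"></form>')
print("\n".join(audit_quote_page(SAMPLE_HEADERS, SAMPLE_HTML)))
```

Run it against a saved copy of your own quote page (headers and body) to get a first-pass list of items to fix before the broader review the DFS recommends.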