In February, the New York State Department of Financial Services (DFS) released guidance on a cyber fraud campaign targeting websites that collect non-public information (NPI). Essentially, fraudsters are exploiting misconfigurations in websites and web applications that collect, process, and transmit NPI – think financial websites that offer instant quotes, such as insurance or lending services.
There have been several confirmed cases of this type of hack, starting in late 2020 and continuing through the present day. While this guidance is directed at businesses regulated by DFS, it would be prudent for all businesses that collect NPI in a similar fashion to be aware of this potential threat. Any company that utilizes this type of auto-quote technology should review its website’s configuration and look for indicators of compromise (IOCs). The DFS recommends that potentially impacted organizations begin with an effort to:
“Conduct a thorough review of public-facing website security controls, including but not limited to a review of its Secure Sockets Layer (SSL), Transport Layer Security (TLS), and HTTP Strict Transport Security (HSTS) and Hypertext Markup Language (HTML) configurations.”
For the full list of DFS recommendations, see the DFS blog post on this topic. Revised guidance, including additional attack methodologies and prevention and remediation methods, was released by DFS on March 30th.
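One way to start the configuration review DFS describes above, as an added example rather than code from DFS or this post: a small Python script that checks a response's HTTP Strict Transport Security (HSTS) header and flags hidden form fields whose values look like NPI. The sample headers, the sample HTML and the SSN pattern are constructed assumptions, not data from any real site.

```python
import re
from html.parser import HTMLParser

# Constructed sample headers and HTML (not from any real site) for an offline demo.
WEAK_HEADERS = {"Content-Type": "text/html"}
GOOD_HEADERS = {"Content-Type": "text/html",
                "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
SAMPLE_BODY = """<form action="/quote"><input type="hidden" name="csrf" value="7f3a">
<input type="hidden" name="applicant_ssn" value="123-45-6789"></form>"""
ONE_YEAR = 31536000  # seconds; a common minimum for HSTS max-age

def check_hsts(headers):
    """Return findings about the HSTS header; an empty list means it looks sound."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["HSTS header missing"]
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        directives[name.lower()] = arg
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return ["HSTS max-age missing or malformed"]
    findings = []
    if max_age < ONE_YEAR:
        findings.append(f"HSTS max-age {max_age} is below one year")
    if "includesubdomains" not in directives:
        findings.append("HSTS lacks includeSubDomains")
    return findings

class _HiddenFieldScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hidden = {}  # hidden <input> name -> value
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value") or ""

# Assumed pattern for one kind of NPI (a US SSN); extend for the data your forms handle.
NPI_PATTERNS = {"ssn": re.compile(r"^\d{3}-?\d{2}-?\d{4}$")}

def find_npi_in_hidden_fields(body):
    """Return (field name, kind) for hidden fields whose value looks like NPI."""
    scanner = _HiddenFieldScanner()
    scanner.feed(body)
    return [(n, kind) for n, v in scanner.hidden.items()
            for kind, pat in NPI_PATTERNS.items() if pat.match(v.strip())]
```

Any hit from the second check means NPI is being echoed back into HTML where anyone with a browser's built-in developer tools could read it; such fields should be removed or replaced with an opaque server-side reference.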
Key Takeaways
Key takeaways from this cyber fraud alert include the exploitation of web debugging tools and the recommendation to implement a web-application firewall (WAF). For more information regarding web-application testing, please visit our Web & Mobile Application Testing Services page.