Frank on Fraud: How Credential Stuffing Attacks Target Carmakers

Credential Stuffing

Frank McKenna, Point Predictive’s Chief Fraud Strategist and resident expert on fraud prediction, recently wrote about the risks of credential stuffing in the automotive industry on his personal blog Frank on Fraud. 
 

A recent credential stuffing operation may have affected more than 10,000 accounts at major automakers, Frank writes. 

Credential stuffing cyberattacks involve obtaining usernames and passwords from one organization and using them to commit fraud elsewhere. The technique relies on users’ tendency to reuse the same account credentials across multiple platforms. In this case, credentials sold for $2 each on Telegram, a messaging platform popular for its end-to-end encryption. That price point is a tiny fraction of the $1,000 cost of purchasing a user’s full financial identity, making it a scalable and attractive option for bot-powered fraud. 

With illicitly acquired login details in hand, fraudsters can access user profiles on carmakers’ websites to obtain vehicle data like make, model, registered driver, registration address, and vehicle identification number (VIN).  

Nefarious actors use such details to commit a wide range of fraud and other crimes, including: 

  • Car Cloning: Stolen VINs are used to replicate tags, making stolen cars of the same make and model indistinguishable from originals. Criminals can then obtain fraudulent ownership documents, allowing them to sell cloned cars for profit. 
  • Vehicle Theft: Criminals with legitimate VINs can access manufacturer mobile apps to locate, start, and unlock cars. 
  • Identity Fraud: Cybercriminals can exploit personal details present in many user profiles to commit traditional identity theft. 
  • Auto Loan Fraud: Criminals can duplicate VINs to place liens on cars, obtaining cash from loan agencies. Owners may only discover the fraud years later, when selling the vehicle. They must then resolve the lien for the sale to proceed. 

To read the full post and to keep up-to-date on Frank’s fraud insights, visit frankonfraud.com

Disclaimer: The views expressed in Frank on Fraud are the personal perspectives of Mr. McKenna and do not necessarily represent the views of Point Predictive.