Parliament Hill at dusk over water in Ottawa, Canada showing credential stuffing attack

Credential Stuffing Attack on Canada Revenue Agency Impacts Thousands

A relatively small credential stuffing attack successfully hit the Canadian government this month, compromising thousands of accounts in both the Canada Revenue Agency (CRA) and the public-facing GCKey service. In total, about 14,500 accounts were compromised with a more limited amount used to access government services for purposes of fraud.

Though not one of the larger attacks of this nature in terms of overall credential count, those that were compromised had highly sensitive financial and personal information exposed to the attackers. The breach serves as another reminder that credential stuffing attacks remain a serious problem due to substantial numbers of people continuing to reuse account names and passwords in spite of years of very public warnings.

Credential stuffing attack nabs government employee accounts, citizen tax information

The Canadian government has confirmed the details and scope of the breach. About 5,500 CRA accounts were compromised, along with those of about 9,041 users of the GCKey service. Of the compromised GCKey accounts, the government estimates that about a third were used to fraudulently access government services.

GCKey is used across multiple Canadian government departments and allows citizens to access a variety of different services: the My Service Canada portal used for things such as unemployment insurance claims and pension plan management, accounts for immigrants and refugees to navigate legal obligations and social services, and passport and visa services among other options. Over 12 million residents of Canada make use of the service.

As one might imagine, there is quite a bit of very damaging personal and financial information available via these services. The thousands of accounts that were breach appear to be those that were using username and password combinations that were exposed in other breaches of unknown origin. Those that were compromised have been notified at this point and are receiving a new GCKey. All affected accounts were disabled once the government learned of the attack.

The Canadian Centre for Cyber Security (Cyber Centre) issued a statement adding that the various government agencies that make use of GCKey are reviewing the “systems and tools” in place to deter and neutralize threats of this nature. The Cyber Centre also issued some general security advice to Canadians — keep on top of patches and operating system updates, ensure each personal account has strong unique passwords, make use of multi-factor authentication and have data backups in place. The Royal Canadian Mounted Police and the Office of the Privacy Commissioner have been engaged to follow up on whatever data may have been exfiltrated.

There is no word on potential culprits as of yet.

Why is credential stuffing still an issue in 2020?

Though one might assume that something this simple and well-documented would be on the wane, credential stuffing attacks have actually been on the rise recently — particularly in select industries. Often driven by botnets and cloud computing resources, credential stuffing attacks are relatively low-tech and low-effort making them available to even unsophisticated criminal operators. The main reason that they linger is that, in spite of years of cybersecurity professionals shouting from the rooftops, most people still refuse to stop using the same passwords across multiple sites and in general practice poor security hygiene.

The increased personal internet use and greatly increased amount of remote work being done due to the Covid-19 pandemic also appears to have exacerbated the situation in recent months. A recent Akamai report shows that credential stuffing attacks during the pandemic months are at a rate comparable to what is seen during the annual spikes that accompany each holiday shopping season.

As CEO of Gurucul Saryu Nayyar points out, people should at least be creating unique login credentials for accounts that contain sensitive financial and personal information: “These attacks are possible because people will often reuse credentials. While that may not be an issue for logging into a person’s favorite web forums, it should never be done with a site that houses important information. Unique, strong, passwords are the order of the day, and should be backed with multi-factor authentication. User education and good password hygiene helps mitigate attacks like this, but they will happen, which means organizations will still need to bolster their internal defenses.”

However, the Akamai report indicates that it’s important to not overlook the seemingly low-hanging fruit either. About 20% of compromised accounts are those of some sort of streaming media service, the sort of thing that people often see as something not worth the trouble to secure properly (and even actively sharing credentials amongst multiple parties). But there are a number of substantial negative consequences: theft of payment information, exposure of personal information that can be used in scams, and hijacking of smart devices to participate in a botnet or be used as an entry point for movement through a home or business network.

Given that the human element is a consistent weak point and is not showing signs of improving any time soon, defense against credential stuffing attacks would seem to fall heavily at the organizational end. Fortunately, there are a number of options available. Since these attacks rely heavily on “plug and play” botnet structures, mitigation of bot activity is one of the biggest areas of focus. This can take a number of forms, CAPTCHA and device fingerprinting being two of the most common. On the subject of organizational measures, Anurag Kahol, CTO and co-founder of Bitglass, adds: “Organizations must implement tools that enforce real-time access control, encrypt sensitive data at rest, manage the sharing of data with external parties. These capabilities will all help prevent attackers from accessing sensitive information and performing actions such as stealing COVID-19 relief payments.”

About 1/3 of the compromised GCKey accounts were used to fraudulently access government services, exposing personal and financial information. #cybersecurity #respectdataClick to Tweet

Of course, end user education and awareness cannot be given up on even if the levels of uptake tend to be disappointing. Dan Piazza, Technical Product Manager for Stealthbits Technologies, suggests focusing on raising user awareness of password management tools as a means to curb credential stuffing attacks: “Password managers allow users to diversify their passwords, generate complex passwords, and rotate those passwords, all while only needing to remember a single password to log-in to the service and use these passwords. Even better, any password manager worth its salt makes sure everything is encrypted, so if they’re breached your stored passwords aren’t in danger.”