[BreachExchange] CRA shuts down online services after thousands of accounts breached in cyberattacks

Destry Winant destry at riskbasedsecurity.com
Mon Aug 17 10:13:07 EDT 2020


https://www.cbc.ca/news/politics/canada-revenue-agency-cra-cyberattack-1.5688163

The Canada Revenue Agency has temporarily shut down its online
services after the agency confirmed it was recently hit by two
cyberattacks that compromised thousands of accounts linked to its
services.

While the breaches have been contained, services connected to My
Account, My Business Account and Represent a Client on the CRA website
have been disabled as an additional safety measure.

The shutdown means that anyone attempting to apply for emergency
COVID-19 benefits, such as the Canada Emergency Response Benefit or
the Canada Emergency Student Benefit, will be unable to do so until
further notice.

The agency said Saturday that as of Aug. 14, about 5,500 accounts had
been affected by the separate attacks.

"The CRA quickly identified the impacted accounts and disabled access
to these accounts to ensure the safety and security of the taxpayer's
information," CRA spokesperson Christopher Doody wrote in an email.
"The CRA is continuing to analyze both incidents. Law enforcement
assistance has been requested from RCMP and an investigation has been
initiated."

Canadians attempting to log in to their Canada Revenue Agency accounts
are met with a message informing them that they will not be able to
access their accounts until further notice. (CBC News)

The admission followed repeated inquiries from CBC News, which had
noticed a pattern of similar hacks occurring over the past two weeks.

Earlier this month, Canadians began reporting online that email
addresses associated with their CRA accounts had been changed, that
their direct deposit information was altered and that CERB payments
had been issued in their name even though they had not applied for the
COVID-19 benefit.

Most reported that they were first alerted to the suspicious activity
after receiving legitimate emails from the CRA confirming that their
email addresses had been discontinued.

Attacks based on reused usernames, passwords

The incidents are a type of attack known as "credential stuffing," the
Treasury Board's Office of the Chief Information Officer shared in a
statement.

"These attacks, which used passwords and usernames collected from
previous hacks of accounts worldwide, took advantage of the fact that
many people reuse passwords and usernames across multiple accounts."

Aside from CRA accounts, thousands of others linked to GCKey — a
secure portal that allows Canadians to access government services
online — were also affected.

"Of the roughly 12 million active GCKey accounts in Canada, the
passwords and usernames of 9,041 users were acquired fraudulently and
used to try and access government services, a third of which accessed
such services and are being further examined for suspicious activity,"
the statement read.

Compromised accounts connected to that platform, which is used by
about 30 federal departments, were shut down when the threat was first
discovered.

The Canada Revenue Agency has shut down its online services after
5,500 people had their CRA accounts hacked. Experts say the thieves
are after emergency funds meant for pandemic relief, but there are
doubts about CRA's claim that people's password habits made them
vulnerable.

CERB fraud not uncommon

In an email sent to CBC News days before the CRA publicized the
attacks, the agency said there is typically an uptick in fraudulent
activity at the beginning of each CERB pay period. The most recent
period started Aug. 2.

The Canadian Anti-Fraud Centre has already received more than 700
reports of identity fraud connected to the federal emergency response
benefit. Resolving a fraud attempt can sometimes be a lengthy process
for victims that can see them frozen out of receiving other benefits
until their accounts are restored.

The RCMP has confirmed that its National Division, which investigates
"sensitive, high profile cases that threaten Canada's political,
economic and social integrity," is actively looking into the attacks.
The Office of the Privacy Commissioner of Canada is also monitoring
the situation.

The CRA said it is sending letters to those affected by the incidents,
explaining how to confirm their identity to regain control of their
accounts. Individuals phoning the agency for help can select the
"report suspected fraud or identity theft" option to fast-track their
call.

Canada's cyber intelligence agency recommends that anyone affected by
the breach update their passwords immediately and choose something
they will not use for any other account.

