Researchers have recovered almost 15,000 automotive accounts for sale online and pointed at a credential-stuffing attack that targeted car makers.
The team at Kasada did not name the car manufacturers in question, only saying that the first 10,000 accounts "targeted a single, large European automotive manufacturer with motorists and vehicles domiciled within the US."
Researchers discovered the stolen accounts in a private group on the OTT app Telegram, which soon expanded to include accounts from two major US car makers, bringing the total number for sale to about 15,000.
And the price? $2 per account. Significantly, the VIN (vehicle identification number) was included in the sale. This represented the first time the Kasada team had seen such information available for purchase.
While purchasing personal information has long been possible, getting hold of a car's identity represents a new avenue toward profit for criminals.
A VIN can be used to create replica license information that can then be applied to stolen cars; it can be used for nefarious registration purposes and, in some cases, to connect to a car maker's mobile app to unlock a vehicle or perform other activities.
All manner of fraud is also possible, including loan fraud – where criminals might use the information to tie a loan to a car – or identity fraud, where the VIN and stolen account credentials are used to reset a car account from which information such as the names of drivers, phone numbers, and physical address can be extracted.
As Reg readers know, a credential-stuffing attack occurs when criminals use automation to log into accounts with stolen credentials. The technique exploits users' habit of reusing the same password across multiple sites. The team at Kasada said: "A small percentage of the stolen credentials 'work' and allow the attacker to successfully take over accounts with legitimate login credentials."
Once in, the process of extracting information, such as the vehicle make, model and VIN, is also automated to speed things along.
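The pattern described above, one source trying many different accounts with a low success rate and then harvesting data from the few that work, is what a defender looks for in authentication logs. The following is an added example, not code from Kasada or the article: it parses constructed login-log lines (the `src=`/`user=`/`result=` format and the IP addresses are assumptions for illustration), flags sources that attempt at least five distinct accounts with a failure ratio of 70 percent or more, and reports which accounts that source did get into so they can be reset and re-secured.

```python
"""Flag credential-stuffing sources in authentication logs (added example)."""
from collections import defaultdict
import re

# Constructed sample log: one automated source cycling through stolen
# credential pairs, one legitimate user mistyping a password, one clean login.
SAMPLE_LOG = """\
2023-09-14T10:00:01Z src=203.0.113.7 user=alice@example.com result=FAIL
2023-09-14T10:00:01Z src=203.0.113.7 user=bob@example.com result=FAIL
2023-09-14T10:00:02Z src=203.0.113.7 user=carol@example.com result=OK
2023-09-14T10:00:02Z src=203.0.113.7 user=dan@example.com result=FAIL
2023-09-14T10:00:03Z src=203.0.113.7 user=erin@example.com result=FAIL
2023-09-14T10:00:03Z src=203.0.113.7 user=frank@example.com result=FAIL
2023-09-14T10:00:04Z src=203.0.113.7 user=grace@example.com result=OK
2023-09-14T10:00:04Z src=203.0.113.7 user=heidi@example.com result=FAIL
2023-09-14T10:00:05Z src=203.0.113.7 user=ivan@example.com result=FAIL
2023-09-14T10:00:05Z src=203.0.113.7 user=judy@example.com result=FAIL
2023-09-14T10:01:10Z src=198.51.100.9 user=alice@example.com result=FAIL
2023-09-14T10:01:25Z src=198.51.100.9 user=alice@example.com result=FAIL
2023-09-14T10:01:40Z src=198.51.100.9 user=alice@example.com result=OK
2023-09-14T10:02:00Z src=192.0.2.44 user=mallory@example.com result=OK
"""

# Assumed log line layout: "<timestamp> src=<ip> user=<account> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Return a list of event dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_stuffing(events, min_accounts=5, min_failure_ratio=0.7):
    """Group attempts per source and flag those that look like credential stuffing.

    A legitimate user who mistypes a password hits one account repeatedly, so
    the distinct-account count stays low and they are not flagged. A stuffing
    run touches many accounts and mostly fails, so both thresholds trip.
    """
    per_src = defaultdict(lambda: {"users": set(), "ok": set(), "attempts": 0, "fails": 0})
    for e in events:
        s = per_src[e["src"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["result"] == "FAIL":
            s["fails"] += 1
        else:
            s["ok"].add(e["user"])

    findings = {}
    for src, s in per_src.items():
        ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_accounts and ratio >= min_failure_ratio:
            findings[src] = {
                "accounts_tried": len(s["users"]),
                "failure_ratio": round(ratio, 2),
                # Accounts this source logged into: treat as taken over, force a reset.
                "compromised": sorted(s["ok"]),
            }
    return findings


if __name__ == "__main__":
    for src, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: tried {info['accounts_tried']} accounts, "
              f"{info['failure_ratio']:.0%} failed, compromised={info['compromised']}")
```

In production the source key would usually be a combination of IP, ASN and client fingerprint rather than a bare address, since stuffing tools rotate through proxies; the per-account view (one account seeing a first-ever login from a new source immediately followed by a profile or VIN lookup) is the complementary signal worth alerting on.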
The research comes a week after Mozilla declared cars from 25 automakers "data privacy nightmares on wheels." Kasada's findings show that as well as knowing what data is being collected by cars, customers should also be wary of account configuration at car makers.
Kasada noted that credential-stuffing attacks affected all industries due to customers reusing passwords. Not helping is the availability of services such as AI-enabled CAPTCHA bypasses that help criminals dodge anti-bot detection.
Solutions include customers considering password managers to prevent password reuse or implementing multi-factor authentication (MFA) on accounts. While the latter is not a silver bullet, it does make things more challenging for attackers. ®