On June 7th, we discovered that the personal information of 10 million U.S. car owners had been exposed in a massive leak of vehicle identification numbers (VINs).
The database, which has now been exposed online for more than 137 days, contains sensitive and potentially valuable information like name, address, phone number and birth date. The vehicle details refer to car VINs and additional information such as model, year and mileage. It even includes sales details like the amount and payment specifics.
The database was left online with no authentication, which means that anybody could scan the Internet, find the database and then download sensitive information without restriction.
Many cybercriminals are selling this data to car thieves who use it to obtain unique vehicle identifiers and clone the VINs to make stolen cars appear perfectly legal. They simply create a new VIN plate and a fake title, both of which will pass standard inspection, and then sell the car to an unsuspecting buyer who will not discover the fraud until the new registration is processed.
A similar recent case involved a Tijuana motorcycle club that used a compromised VIN database to rustle 150 Jeep Wranglers through a fraudulent resale cycle before they were apprehended.
Others are using the data for identity theft and identity fraud.
The leak should serve as both a warning to consumers and a reminder to auto dealerships and everyone who maintains data online about the importance of information protection and employee training to guard against inadvertent leaks. As cybercriminals continue to develop increasingly sophisticated techniques that combine online data with offline crimes, raw data such as the VIN files are highly prized.
Now that Athena, the latest advanced Windows malware leaked through WikiLeaks, is in the wild and exploits are being built by the hour, we can be sure that there will be an increased wave of attacks on all data everywhere. Created by the NSA and privately contracting cybersecurity experts, it is able to target all versions of the Microsoft Windows operating system, completely take it over and steal whatever data it chooses, then delete what it wants and upload more malware.
“Athena,” as it is known, infests a computer with malware that sets up beacons which are able to control all of the functions of an operating system through remote instructions. This means that whoever is controlling Athena is able to change configuration and task handling, load and unload malicious payloads in memory for specific tasks, and manage the delivery and retrieval of files to and from a specified directory on the infected system.
In other words, Athena places the complete control of the targeted computer in the hands of a remote operator without any possibility of being detected.
We now have two known cases of what I call “Government Sponsored Malware” or GSM, where our own government agencies have developed deadly strains of malware that attack vulnerabilities in Windows software known only to those agencies and unreported to the software vendor. Athena follows the release of WannaCry, and both are brought to you by those zany folks at the NSA.
In the next few weeks we will see an abundance of attacks using both WannaCry and Athena strains of malware. I suspect the rate of data exfiltration will be enormous and the damage will be catastrophic.
All businesses must do much more to protect customer data and the details of the products and services they sell. If you as a business owner continue to ignore or delay addressing your cyber-vulnerabilities, the Federal government will step in and do it for you.
Trust me. You won’t like it.