Cyberattacks Hit Thousands of Canadian Tax, Benefit Accounts


The Canada Revenue Agency (CRA) suspended online services after accounts were hit in a third wave of credential stuffing attacks this weekend – giving bad actors access to various government services.

Canadian authorities said almost 15,000 online accounts for various government services have been targeted in three recent waves of credential-stuffing attacks. These accounts could give attackers access to Canadians’ tax-related and benefits information, coronavirus relief fund money and more.

Credential-stuffing attacks occur when bad actors access accounts using usernames and passwords that were stolen in other, earlier hacks. At a Monday press meeting, Marc Brouillard, acting CIO of the Government of Canada, said that different government accounts have been affected by three waves of credential-stuffing attacks since early August – the most recent of which occurred this past weekend.

Attackers compromised 5,500 Canada Revenue Agency (CRA) accounts, which connect to a portal enabling Canadians to view and manage their tax-related and benefits information online. They also targeted 9,041 GCKey accounts, which give access to a portal used by 30 federal departments and 12 million Canadians for online information and government services such as employment, immigration and more.

“Access to all affected accounts has been disabled to maintain the safety and security of taxpayers’ information, and the Agency is contacting all affected individuals and will work with them to restore access to their CRA MyAccount,” according to the government of Canada, in a press release this weekend.

The Attacks

Of the 9,041 GCKey accounts that were targeted, a third were used to access various services and are being further examined for suspicious activity, according to the government. These services can include employment services or coronavirus relief funds offered by the Canada Emergency Response Benefit, which offers up to $2,000 to eligible citizens. It’s important to note that the internal services of GCKey itself were not compromised, according to Brouillard.

Affected GCKey accounts were cancelled as soon as the threat was discovered and departments are contacting users whose credentials were revoked to provide instructions on how to receive a new GCKey.

On the heels of the attacks targeting the 5,500 CRA accounts, meanwhile, the government has disabled services connected to My Account, My Business Account and Represent a Client on the CRA website. On Monday, authorities said they expect these services to be restored by Wednesday.

On Monday government officials also revealed that a vulnerability in the configuration of the security software for CRA accounts allowed attackers to bypass security measures. This flaw, which stemmed from the security questions in place for the accounts, has since been patched, they said. However, when asked for further specifics, Brouillard did not identify the security vulnerability or software.

Questions Remain Around Security Measures 

Many Canadians reported suspicious activity involving their CRA accounts going back to early August, with some taking to Twitter to say that attackers had modified their direct-deposit information and had utilized their information to apply for fraudulent coronavirus relief.

In a press meeting on Monday, Canadian government officials said they first notified the Royal Canadian Mounted Police (Canada’s federal policing service) of credential-stuffing attacks on August 11. After the third wave of attacks occurred this past weekend, the government suspended online services.

When asked why Canadians were not notified of the attacks sooner, Brouillard said: “We’re constantly evaluating our security posture…this is an ongoing challenge. This is not a hacker trying to go through a backdoor. They are going through the system like normal users… and it is hard to detect that. We have systems in place to monitor these behaviors. That is when this particular attack was identified.”

The incident has also thrust the Canadian government’s security measures for online services into question. BleepingComputer tested the Canadian government website and found that many departments did not implement multi-factor authentication measures for accessing Canadian services such as CRA or GCKey.

When asked about a lack of two-factor authentication (2FA), Brouillard acknowledged: “Some 2FA would have prevented this especially those where you’re required to have a key. But those are challenging, not everyone can have those things. It is a balancing act. We’re looking at ways of strengthening our systems.”

Preventing Credential Stuffing

The users tied to compromised accounts are all being notified of the security incident and all attacks have since been mitigated, authorities said. They encouraged users to ensure that their passwords are up-to-date. Security researchers, for their part, also encouraged users to prioritize password hygiene in order to avoid falling victim to credential-stuffing attacks.

“Credential stuffing attacks are undeniably popular and can affect every organization, regardless of their respective sector or geography, and provide initial access to victim accounts,” Kacey Clark, threat researcher at Digital Shadows, told Threatpost. “As credential-stuffing attacks leverage password re-use, users are urged to use complex and unique passwords across all of their accounts.”

Joseph Carson, advisory CISO at Thycotic, agreed that an important lesson learned is to never reuse passwords – and added that any company with online services should ensure that security protections like 2FA are offered.

“Companies who offer authentication and login to their website must also move away from having a password as the only security control,” he told Threatpost. “2FA must be enabled for all customers as this reduces the risks of customers who reuse passwords from becoming a victim of a cybercrime or credential-stuffing from being successful. Additionally, endorse password managers to help customers make better password hygiene and decisions when creating new accounts and passwords.”

This is a breaking news story and will be updated over time.
