CRA Site Hack
Moderator: Burnaby49
-
- A Balthazar of Quatloosian Truth
- Posts: 13806
- Joined: Mon Jul 04, 2005 7:17 pm
CRA Site Hack
Saw in a news clip that CRA had been hacked and that they had to shut down their webpage interface while they dealt with it.
The fact that you sincerely and wholeheartedly believe that the “Law of Gravity” is unconstitutional and a violation of your sovereign rights, does not absolve you of adherence to it.
-
- Trivial Observer of Great War
- Posts: 1327
- Joined: Mon Aug 11, 2014 2:44 pm
Re: CRA Site Hack
Yup, a straight forward credential stuffing attack and I even have a fairly good idea how they did it.
1. Much of the interaction between an individual and the federal government is done through what is known as a GC Key account. You can apply for various programs, check the progress of your application, and generally file fairly mundane paperwork. Who really cares what the government paid me for my pension but myself. Anything that might allow you to cheat has a lot of checks on it. The security on the GC Key web sites is therefore fairly low.
2. One issue with the GC Key account is that if you ever forget your password you're hooped. I haven't hit my GC Key account for 18 years and discovered this a few months ago.
3. So here's a solution, you can log in to your GC Key account through your higher security CRA account and vise versa. Sounds really helpful. As a point of information, every tax payer has a CRA account but not everyone has set it up so they can access it online.
4. One issue, the Canadian government decided in their wisdom that they would not do any checks on people who were applying for Zombie disease relief which you do through the CRA web site. After all, they can easily catch the cheaters come next tax year.
5. So if you want to make a fast buck, purchase a list of hacked Canadian email addresses and passwords, probably ancient. Hit a GC Key web site with this list until you get in for one individual. Transfer to the CRA web site, apply for zombie disease relief for that person, and change the direct deposit information to your own account.
6. CRA will send the individual an email saying that their information has changed but by that time the money has allready been deposited or it may be a "dead" email account that the individual no longer even checks.
This whole scam depends on the fact that many people use the same password for many different sites. So somebody has hacked your password for some Cougar dating site. Doesn't sound like an issue until that hacker uses that password to get money in your name. BTW, the hackers managed to get into roughly 12,000 GC Key accounts. 5000 or so of them had a CRA account they could get into. Easy way to make around 10 M$.
1. Much of the interaction between an individual and the federal government is done through what is known as a GC Key account. You can apply for various programs, check the progress of your application, and generally file fairly mundane paperwork. Who really cares what the government paid me for my pension but myself. Anything that might allow you to cheat has a lot of checks on it. The security on the GC Key web sites is therefore fairly low.
2. One issue with the GC Key account is that if you ever forget your password you're hooped. I haven't hit my GC Key account for 18 years and discovered this a few months ago.
3. So here's a solution, you can log in to your GC Key account through your higher security CRA account and vise versa. Sounds really helpful. As a point of information, every tax payer has a CRA account but not everyone has set it up so they can access it online.
4. One issue, the Canadian government decided in their wisdom that they would not do any checks on people who were applying for Zombie disease relief which you do through the CRA web site. After all, they can easily catch the cheaters come next tax year.
5. So if you want to make a fast buck, purchase a list of hacked Canadian email addresses and passwords, probably ancient. Hit a GC Key web site with this list until you get in for one individual. Transfer to the CRA web site, apply for zombie disease relief for that person, and change the direct deposit information to your own account.
6. CRA will send the individual an email saying that their information has changed but by that time the money has allready been deposited or it may be a "dead" email account that the individual no longer even checks.
This whole scam depends on the fact that many people use the same password for many different sites. So somebody has hacked your password for some Cougar dating site. Doesn't sound like an issue until that hacker uses that password to get money in your name. BTW, the hackers managed to get into roughly 12,000 GC Key accounts. 5000 or so of them had a CRA account they could get into. Easy way to make around 10 M$.
-
- Admiral of the Quatloosian Seas
- Posts: 275
- Joined: Mon Apr 06, 2015 11:43 pm
- Location: Turtle Island
Re: CRA Site Hack
I was going to say that the thread's subject line is misleading.
The site wasn't "hacked" at all. This is just people being stupid and reusing their credentials over various sites.
If they had used them at MyFitnessPal or something that was hacked, the scammers just used the same ones on the CRA site as you described. Quite brilliant really playing off of people's stupidity or ignorance.
Here's a clue for online safety that prevents this kind of thing (among others like weak passwords):
LastPass password manager.
The site wasn't "hacked" at all. This is just people being stupid and reusing their credentials over various sites.
If they had used them at MyFitnessPal or something that was hacked, the scammers just used the same ones on the CRA site as you described. Quite brilliant really playing off of people's stupidity or ignorance.
Here's a clue for online safety that prevents this kind of thing (among others like weak passwords):
LastPass password manager.
-
- Admiral of the Quatloosian Seas
- Posts: 275
- Joined: Mon Apr 06, 2015 11:43 pm
- Location: Turtle Island
Re: CRA Site Hack
Correct horse battery staple
/XKCD
/XKCD