Ah, taxes. One of the two things we cannot avoid, or so the old saying goes.

Recently, the Canada Revenue Agency (CRA) suffered a data breach that caused them to shut down their public-facing web application for a few days. The CBC has an article about it that covers some of the information. There are also some follow-up articles that go into a bit more detail on what happened.

What Happened?

The federal government says that just over 11,000 accounts were affected by this attack. Only those individuals who had signed up for the CRA's web portal would have been at risk. If you still use paper and pen to fill out your tax forms, you're likely to be okay. But given the push towards doing everything online, it's not hard to see that the majority of Canadians fall into the group that could have been affected.

What Did The Attackers Do?

The attackers were after the usual goal - money. Some victims reported that their bank account details had been switched to something else, and others also had Canada Emergency Response Benefit (CERB) payments. The notion of criminals taking advantage of free money isn’t new. Every year in the US and Canada, countless victims of tax refund fraud are targeted.

The attack appears to have been against accounts that either had weak security questions or re-used passwords across different sites. Unfortunately, password breaches like this are common, and far more prevalent than many people realize. Normally these data breaches don't make it to the news media because they are not that uncommon. Large organizations or government agencies often get the big headlines, but they're quickly lost in the flood of other news going on.

Getting access to password data from a past breach is not difficult for criminals. For the rest of us, sites like haveibeenpwned.com offer an easy way to see if your email account has suffered a breach.

What If I’m Affected?

If you are a victim, please reach out to the Government of Canada and let them know. Check to see if you've applied to receive CERB payments, and check your email to see if you received a message saying that the CRA was changing your email address to another one. As of this writing, you cannot change your bank account details for direct deposits online, so checking to see if that has changed will likely be a futile task.

What exactly was the attack?

This type of attack is known as a credential stuffing attack, or password spraying attack. Essentially, instead of trying to brute force a single account with lots of different passwords, an attacker tries 1-2 passwords across a lot of different accounts. Since most modern websites protect against brute force attacks by locking your account temporarily after 5-10 failed login attempts, these spraying attacks never trigger this threshold.

At EliteSec, checking for protections against password spraying attacks is a standard check we do when testing web applications, along with over 100 other checks for each web application we test.

How To Protect Against This Type Of Attack

For individuals, I strongly recommend the use of a password manager. I'm a fan of 1Password myself, but others like BitWarden and LastPass are equally great options. I wouldn't recommend using the built-in password manager of your web browser, but that's a discussion for another blog post. Making sure that you are not re-using passwords will go a long way to prevent this type of attack.

For corporations that may be worried about this type of attack hitting their own systems, the best approach is to monitor your login process by IP as well as username. Since traditional brute force protections monitor usernames and not source IPs, this is often overlooked. By focusing on the total number of failed login attempts from a single IP, you have a better chance of catching and preventing this type of attack.
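To make the per-IP idea concrete, here is an added sketch (not code from EliteSec or the CRA) that counts failed logins by source IP as well as by username over a sliding window. The thresholds, window length, class and function names, and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

USER_LOCKOUT = 5    # assumed: failures per username before a lockout
IP_THRESHOLD = 10   # assumed: failures per source IP before flagging
WINDOW = 600        # assumed: sliding window, in seconds

class FailedLoginMonitor:
    """Counts failed logins per username and per source IP in a sliding window."""
    def __init__(self, user_limit=USER_LOCKOUT, ip_limit=IP_THRESHOLD, window=WINDOW):
        self.user_limit, self.ip_limit, self.window = user_limit, ip_limit, window
        self.by_user = defaultdict(deque)   # username -> failure timestamps
        self.by_ip = defaultdict(deque)     # ip -> (timestamp, username) pairs

    def record_failure(self, ts, ip, username):
        """Record one failed login and return the set of alerts it triggers."""
        users, ips = self.by_user[username], self.by_ip[ip]
        users.append(ts)
        ips.append((ts, username))
        # Drop entries that have aged out of the window.
        while users and ts - users[0] > self.window:
            users.popleft()
        while ips and ts - ips[0][0] > self.window:
            ips.popleft()
        alerts = set()
        if len(users) >= self.user_limit:
            alerts.add("user_lockout")   # traditional brute-force control
        if len(ips) >= self.ip_limit:
            alerts.add("ip_spray")       # many failures from one source
        return alerts

    def distinct_users(self, ip):
        """How many different usernames this IP has failed against in the window."""
        return len({user for _, user in self.by_ip[ip]})

def replay(events, monitor=None):
    """Replay (ts, ip, username) failures; map each alert to its first trigger."""
    monitor = monitor or FailedLoginMonitor()
    first = {}
    for ts, ip, user in events:
        for alert in monitor.record_failure(ts, ip, user):
            first.setdefault(alert, ip if alert == "ip_spray" else user)
    return first

# Constructed sample: one IP fails twice against each of 20 accounts.
SPRAY = [(i * 5, "203.0.113.7", f"user{i % 20}") for i in range(40)]
# Constructed sample: one person mistyping their own password six times.
TYPO = [(i * 3, "198.51.100.4", "alice") for i in range(6)]

if __name__ == "__main__":
    print(replay(SPRAY), replay(TYPO))
```

In the spray sample no username ever reaches the lockout count, yet the source IP is flagged on its tenth failure. The thresholds and window are tuning decisions: a window that is too short misses slowly paced attempts, and addresses shared behind NAT can produce false positives.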

At EliteSec, we would be more than happy to discuss this topic further and help test your existing security controls. Contact us today!

– John