It costs about $1,000 to purchase a person’s identity on the dark web from stolen financial accounts. Why pay $1,000 when it’s only $2 to steal a car’s identity and still make a hefty profit?
Kasada’s Threat Research team found evidence that a successful credential stuffing attack may have been performed against large automotive manufacturers, leaving accounts exposed to fraud and theft. Automated account takeover (ATO) provides bad actors with access to personal information as well as vehicle data such as car make, model, registered user, address, and vehicle identification number (VIN). These customer accounts are then resold illegally within private Telegram communities for profit.
In addition to enabling identity theft, it also provides information for criminals to target theft of particular car makes and models, register stolen vehicles, and take over GPS-enabled mobile apps.
Why Walk When You Can Drive?
From Sneakers to Cars
Much of the botting ecosystem has evolved from scalper bots used to purchase in-demand items such as sneakers, tickets, and gaming consoles. The legality of such bots is gray - whereby the use of bots for tickets is illegal (albeit loosely enforced via BOTS Act of 2016), but other goods and services are not.
The sophistication of these bots used to snag sneakers has shifted to online fraud. The same bots can be easily repurposed to test stolen user credentials and perform account takeover (ATO). Using bots to commit ATO has been an unfortunate reality for most retailers to steal credit cards, gift cards, and loyalty points. However, attackers have realized the profit that can be made by cracking non-retail accounts as well. For example, last year Kasada observed the use of bots to obtain and resell online pharmacy accounts to purchase active subscriptions for controlled substances, such as Adderall and Oxycodone.



