[TheRecord] FBI warns of credential stuffing attacks against grocery and food delivery services

The FBI says that hackers are using credential stuffing attacks to hijack online accounts at grocery stores, restaurants, and food delivery services in order to drain user funds through fraudulent orders and to steal personal or financial data.

The warning comes via an FBI Private Industry Notification the agency’s Cyber Division sent last week to companies in the US food and agricultural sectors.

The agency said that cybercriminal groups are using username and password combos obtained through breaches at other companies to log into customer accounts at grocery and food delivery services, hoping that users had reused passwords across accounts.

These intrusions, known as credential stuffing attacks, are usually carried out using automated tools and proxy botnets in order to spread the attacks over a large pool of IP addresses and disguise the attackers’ location.

With billions of user credentials having been leaked online following security breaches over the past decade, credential stuffing attacks are now common across a wide spectrum of industry verticals.

Because most grocery, restaurant, and food delivery accounts are tied to a rewards points program and typically store payment card information, cybercrime groups have focused their efforts on hijacking these types of accounts over the past year.

The FBI said it received reports of several incidents that have taken place since July 2020:

As of February 2021, an identified US-based food company suffered a credential stuffing attack that affected 303 accounts through customers’ emails. The cyber actors used six of the compromised accounts to make purchases through the US-based company; however, the US-based company canceled and flagged one of the orders as fraudulent. The US-based company suffered a financial loss of $200,000 due to the fraudulent orders.

In October 2020, customers of a restaurant chain reported orders fraudulently charged to their accounts as the result of a credential stuffing attack. The company reimbursed the customers for the fraudulent charges. Another restaurant chain experienced a credential stuffing attack in April 2019. Customers posted on social media that their payment cards had been used to pay for food orders placed at restaurants.

In July 2020, the personal information of customers of a grocery delivery company was being sold on the dark web. The information from approximately 280,000 accounts included names, partial credit card numbers, and order history. The company received customer complaints about fraudulent orders and believed the activity was the result of credential stuffing.

In addition, independent reporting from threat intelligence company DarkOwl also noted a rise in the number of underground ads offering access to restaurant and food delivery accounts, a spike that appears to have taken place since the onset of the COVID-19 pandemic in early 2020.

With more users now stuck in their homes and having to order online, the demand for food delivery accounts has risen as miscreants have sought to eat on someone else’s dime.

Image: DarkOwl

The FBI said that in these incidents, and others, victim companies are often unaware of any compromises until customers complain of suspicious activities on their accounts, such as food orders for pick-ups that they didn’t place.

While hackers can also obtain these accounts by breaching the online food ordering platform itself, as was recently the case, the FBI said that in most incidents cybercriminals gained access to individual accounts through basic techniques like credential stuffing.

The agency now wants companies to improve their defenses against these attacks. The FBI is urging companies to keep an eye out for the indicators of a credential stuffing attack and to deploy a multi-layered mitigation strategy:

Indicators of a credential stuffing attack:

- an unusually high number of failed logins, possibly in the millions, from a diverse range of IP addresses via the online account portal;
- a higher than usual lockout rate and/or an influx of customer calls regarding account lockouts and unauthorized changes.
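What those two indicators look like when turned into detection logic, as an added example that is not part of the FBI notification or The Record article. The log format (one JSON object per login attempt with ts, user, ip and result fields), the sample lines and the thresholds are all assumptions constructed for this example; the point it makes beyond the bullet list is the feature that separates credential stuffing from ordinary brute force: failures spread thinly across many distinct accounts, rather than piled onto one.

```python
"""Credential-stuffing indicators computed over an authentication log.

Added example, not from the FBI notification or the article. The log
format, sample events and thresholds are assumptions for illustration.
"""
import json
from collections import defaultdict

# Constructed sample: two legitimate users, then a stuffing wave that hits
# 400 different accounts once each from 250 different source IPs, ending
# with one successful takeover and one account lockout.
STUFFING_LOG = "\n".join(
    ['{"ts": 1000, "user": "alice", "ip": "203.0.113.5", "result": "ok"}',
     '{"ts": 1010, "user": "bob", "ip": "203.0.113.9", "result": "fail"}',
     '{"ts": 1015, "user": "bob", "ip": "203.0.113.9", "result": "ok"}']
    + [f'{{"ts": {1100 + i}, "user": "user{i:04d}", '
       f'"ip": "198.51.100.{i % 250}", "result": "fail"}}' for i in range(400)]
    + ['{"ts": 1500, "user": "user0042", "ip": "198.51.100.42", "result": "ok"}',
       '{"ts": 1501, "user": "user0077", "ip": "198.51.100.77", "result": "locked"}']
)

# Constructed contrast: a brute-force run, 120 failures against ONE account
# from three IPs. Same failure volume, very different shape.
BRUTE_FORCE_LOG = "\n".join(
    f'{{"ts": {2000 + i}, "user": "carol", "ip": "192.0.2.{i % 3}", "result": "fail"}}'
    for i in range(120)
)


def parse_events(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def window_stats(events, start, end):
    """Aggregate attempts with start <= ts < end into the indicator features."""
    attempts = failures = lockouts = 0
    fail_ips, fail_users = set(), set()
    users_per_ip = defaultdict(set)
    for ev in events:
        if not (start <= ev["ts"] < end):
            continue
        attempts += 1
        if ev["result"] == "ok":
            continue
        failures += 1
        if ev["result"] == "locked":
            lockouts += 1
        fail_ips.add(ev["ip"])
        fail_users.add(ev["user"])
        users_per_ip[ev["ip"]].add(ev["user"])
    return {
        "attempts": attempts,
        "failures": failures,
        "lockouts": lockouts,
        "distinct_fail_ips": len(fail_ips),
        "distinct_fail_users": len(fail_users),
        # Sources that touched the most distinct accounts: proxy/botnet nodes.
        "top_sources": sorted(((len(u), ip) for ip, u in users_per_ip.items()),
                              reverse=True)[:5],
    }


def classify(stats, min_failures=100, min_fail_ratio=0.5,
             min_user_spread=0.5, min_ip_spread=0.25):
    """Label a window 'normal', 'brute_force' or 'credential_stuffing'.

    user_spread = distinct failed accounts / failures. Stuffing tries each
    leaked pair about once, so it approaches 1.0; brute force concentrates on
    a few accounts, so it stays near 0. ip_spread captures the "diverse range
    of IP addresses" indicator. Thresholds are assumptions; tune to baseline.
    """
    f = stats["failures"]
    if f < min_failures or f / stats["attempts"] < min_fail_ratio:
        return "normal"
    user_spread = stats["distinct_fail_users"] / f
    if user_spread < min_user_spread:
        return "brute_force"
    return "credential_stuffing"


def detect(text, start, end):
    """Run the pipeline and report the label plus the evidence behind it."""
    stats = window_stats(parse_events(text), start, end)
    label = classify(stats)
    diverse_ips = (stats["failures"] > 0 and
                   stats["distinct_fail_ips"] / stats["failures"] >= 0.25)
    return {"label": label, "diverse_ips": diverse_ips, **stats}


if __name__ == "__main__":
    for name, log, win in (("baseline", STUFFING_LOG, (1000, 1100)),
                           ("stuffing wave", STUFFING_LOG, (1100, 1600)),
                           ("brute force", BRUTE_FORCE_LOG, (2000, 2200))):
        print(name, json.dumps(detect(log, *win), default=str))
```

The `lockouts` counter is the second FBI indicator; in a real deployment it would be joined with the help-desk ticket stream, since the FBI notes many victims first learn of an attack from customer complaints rather than from the portal logs.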

Recommended mitigations:

- Educate customers and employees about this scheme, advising them to use unique passwords for various accounts and to change passwords regularly.
- Advise customers to actively monitor their accounts for unauthorized access, modification, and anomalous activities; usernames and passwords should be changed upon identification of account compromise or fraud.
- Establish Two-Factor or Multi-Factor Authentication for creating and updating account information.
- Establish company policies to contact the owner of an account to verify any changes to existing account information.
- Use anomaly detection tools that identify an unusual increase in traffic and failed authentication attempts.
- To combat automated scripts or bots, consider deployment of a Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA), which requires users to confirm they are not running automated scripts by performing an action to prove they are human.
- Establish device fingerprinting and IP blacklisting policies.
- Use a PIN code and password together. The PIN code is a second piece of information the cyber actor would need to know, thus increasing the difficulty for unauthorized individuals to access the account.
- Monitor the dark web for lists of leaked user IDs and passwords, and perform tests to evaluate whether current user accounts are susceptible to credential stuffing attacks.
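The last mitigation, testing whether current accounts are susceptible, is usually implemented by checking a password against a leaked-credential corpus at the moment the plaintext is available (login, registration or password change) without handing the password or its full hash to a third party. The following is an added example, not code from the FBI notification or the article: it implements the k-anonymity range-query pattern (SHA-1 the password, send only the first five hex characters, match the remaining 35 locally against the returned range) against a constructed in-memory "range service" built from a made-up leaked corpus, so it runs offline. The corpus, the service function and the rejection threshold are assumptions.

```python
"""Leaked-password check with a k-anonymity range query.

Added example, not from the FBI notification or the article. The leaked
corpus and the range service below are constructed stand-ins for a real
breach-corpus API; the protocol shape is: client sends a 5-hex-char SHA-1
prefix, server returns every 'SUFFIX:COUNT' under that prefix, client
matches locally. The full hash never leaves the client.
"""
import hashlib
from collections import defaultdict

PREFIX_LEN = 5


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password, as range services index it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str):
    """Return (prefix sent to the service, suffix kept and matched locally)."""
    h = sha1_upper(password)
    return h[:PREFIX_LEN], h[PREFIX_LEN:]


# Constructed leaked corpus: password -> how many breach records it appears in.
LEAKED_CORPUS = {"password": 3, "123456": 5, "qwerty": 2, "letmein": 1}

# Server-side index: prefix -> list of (suffix, count). Built once.
_RANGE_INDEX = defaultdict(list)
for _pw, _count in LEAKED_CORPUS.items():
    _p, _s = split_for_range_query(_pw)
    _RANGE_INDEX[_p].append((_s, _count))


def fake_range_service(prefix: str) -> str:
    """Stand-in for the remote API: the text body for one prefix range."""
    if len(prefix) != PREFIX_LEN:
        raise ValueError("range queries take exactly a 5-character prefix")
    return "\n".join(f"{s}:{c}" for s, c in sorted(_RANGE_INDEX.get(prefix, [])))


def parse_range_response(text: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerate blank lines."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def breach_count(password: str, fetch_range=fake_range_service) -> int:
    """Number of breach records containing this password (0 if none)."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def evaluate_credential(password: str, fetch_range=fake_range_service,
                        threshold: int = 1) -> str:
    """Policy hook for login or password change.

    'reset_required' when the password is in the corpus at least `threshold`
    times: the account is a live credential-stuffing target, so force a change
    (and, per the FBI list, step up to MFA) rather than silently allowing it.
    """
    return "reset_required" if breach_count(password, fetch_range) >= threshold else "ok"


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, split_for_range_query(pw)[0], breach_count(pw), evaluate_credential(pw))
```

Two design points a practitioner should keep: the check runs only where the plaintext already exists (the service is never given stored hashes or usernames), and the result should drive a password reset plus MFA enrollment for that account, not just a warning banner, since a leaked pair will be retried by the next stuffing run.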

Other threats to be aware of

In addition, owners of hijacked accounts should be aware that if payment data was stored in the account, they may also need to check their payment card statements and consider some form of identity fraud protection.

Furthermore, besides selling access to hacked accounts, DarkOwl noted last year that some cybercriminals have also been making money by selling or freely sharing step-by-step guides on how to perform refund policy fraud.

Refund policy fraud is not a direct threat to end-consumers, but companies in the food delivery sector should be aware of these types of schemes as well, even if the FBI has not specifically warned against them.

Image: DarkOwl

The FBI’s PIN alert last week marks the second time that the agency has warned an industry vertical about a wave of credential stuffing attacks, after it previously warned the banking and financial sector in September 2020.

The post FBI warns of credential stuffing attacks against grocery and food delivery services appeared first on The Record by Recorded Future.
