[BreachExchange] FBI: Credential Stuffing Attacks on Grocery and Food Delivery Services

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Thu Aug 19 11:27:17 EDT 2021


https://www.ehackingnews.com/2021/08/fbi-credential-stuffing-attacks-on.html

According to the FBI, criminals are using credential stuffing attacks to take
over customer accounts at grocery stores, restaurants and food delivery
services, draining account balances through fraudulent orders and harvesting
personal and financial details.

The warning comes in a Private Industry Notification that the agency's Cyber
Division issued last week to companies in the US food and agriculture sector.
According to the agency, cybercriminal groups are logging into customer
accounts at grocery and food delivery services with username and password
pairs stolen in other companies' breaches, betting that customers reuse the
same credentials across accounts.

Credential stuffing attacks use automated tools and proxy botnets to spread
the login attempts across a wide range of IP addresses, which defeats simple
per-IP rate limits and hides the attackers' location. With billions of user
credentials exposed online, credential stuffing has become common across many
industry verticals over the last decade. Most supermarket, restaurant and
food delivery accounts carry a rewards balance and usually store payment card
details, which is why cybercriminals have concentrated on them over the last
year.

Since July 2020, the FBI has received reports of multiple instances:
“As of February 2021, an identified US-based food company suffered a
credential stuffing attack that affected 303 accounts through customers’
emails. The cyber actors used six of the compromised accounts to make
purchases through the US-based company; however, the US-based company
canceled and flagged one of the orders as fraudulent. The US-based company
suffered a financial loss of $200,000 due to the fraudulent orders.

In October 2020, customers of a restaurant chain reported orders
fraudulently charged to their accounts as the result of a credential
stuffing attack. The company reimbursed the customers for the fraudulent
charges. Another restaurant chain experienced a credential stuffing attack
in April 2019. Customers posted on social media that their payment cards
had been used to pay for food orders placed at restaurants.

In July 2020, customers' personal information of a grocery delivery company
was being sold on the dark web. The information from approximately 280,000
accounts included names, partial credit card numbers, and order history.
The company received customer complaints about fraudulent orders and
believed the activity was the result of credential stuffing.”

Furthermore, independent research from threat intelligence firm DarkOwl
revealed an increase in the number of underground advertisements promising
access to restaurant and food delivery accounts, a surge that appears to
have occurred after the COVID-19 pandemic began in early 2020.

With more people confined at home and ordering meals online, demand for
stolen food delivery accounts has grown as fraudsters look to dine at someone
else's expense. According to the FBI, victim companies are usually unaware of
an intrusion until customers report unexpected activity on their accounts,
such as pickup orders they never placed.

The FBI also notes that in most cases the attackers gained access to
individual accounts with basic techniques such as credential stuffing. The
agency is urging businesses to strengthen their defenses against such
attacks, to watch for the signs of a credential stuffing campaign, and to
adopt a layered mitigation strategy.

Signs of a credential stuffing attack include:
• an unexpectedly high number of failed logins through the online account
portal
• a higher than usual lockout rate and/or a surge of customer calls about
account lockouts and unauthorized changes
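The two signs above, together with the proxy-distributed pattern described
earlier, can be checked mechanically against authentication logs. The
following Python script is an added example written for this post, not code
from the FBI notice or from ehackingnews; the log line format, the event
names, the sample log lines and the thresholds are all assumptions
constructed for the illustration. It buckets login events into five-minute
windows and flags a window as likely credential stuffing when the failure
ratio is high and the attempts are spread across many distinct accounts and
many distinct IPs, which is what separates stuffing from a single-source
brute-force attempt on one account. Successes inside a flagged window from
IPs the account has never used before are reported as suspected takeovers,
the accounts where fraudulent orders would follow.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample auth log for this example (not from any real system).
# Assumed line format: ISO-8601 timestamp, event name, user=..., ip=...
# A proxy-distributed stuffing burst: each IP tries one stolen credential once.
STUFFING_LOG = """\
2021-08-10T11:40:00Z login_success user=alice@example.com ip=198.51.100.7
2021-08-10T12:00:01Z login_success user=alice@example.com ip=198.51.100.7
2021-08-10T12:00:05Z login_failure user=bob@example.com ip=203.0.113.10
2021-08-10T12:00:06Z login_failure user=carol@example.com ip=203.0.113.11
2021-08-10T12:00:07Z login_failure user=dave@example.com ip=203.0.113.12
2021-08-10T12:00:08Z login_failure user=erin@example.com ip=203.0.113.13
2021-08-10T12:00:09Z login_success user=frank@example.com ip=203.0.113.14
2021-08-10T12:00:10Z login_failure user=grace@example.com ip=203.0.113.15
2021-08-10T12:00:11Z login_failure user=heidi@example.com ip=203.0.113.16
2021-08-10T12:00:12Z account_lockout user=bob@example.com ip=203.0.113.17
2021-08-10T12:00:13Z login_failure user=ivan@example.com ip=203.0.113.18
2021-08-10T12:00:14Z login_success user=judy@example.com ip=203.0.113.19
2021-08-10T12:00:15Z login_failure user=mallory@example.com ip=203.0.113.20
2021-08-10T12:30:00Z login_success user=alice@example.com ip=198.51.100.7
"""

# Constructed contrast case: one IP brute-forcing one account. Same failure
# ratio, but no spread across users or IPs, so it is not stuffing.
BRUTE_FORCE_LOG = "".join(
    f"2021-08-10T13:00:{i:02d}Z login_failure user=alice@example.com ip=192.0.2.9\n"
    for i in range(10)
)

LINE_RE = re.compile(
    r"^(\S+) (login_success|login_failure|account_lockout) user=(\S+) ip=(\S+)$"
)


def parse(log_text):
    """Return sorted (timestamp, event, user, ip) tuples; bad lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts.replace(tzinfo=timezone.utc), m.group(2), m.group(3), m.group(4)))
    return sorted(events)


def analyze(log_text, window=timedelta(minutes=5), min_attempts=8,
            min_failure_ratio=0.5, min_spread=0.7):
    """Bucket events into fixed windows and flag those that look like stuffing.

    Stuffing tries many distinct credentials from many IPs, so both the user
    spread and the IP spread (distinct values / attempts) approach 1.0;
    brute force against one account keeps both near 0.
    """
    span = int(window.total_seconds())
    buckets = defaultdict(list)
    for ev in parse(log_text):
        epoch = int(ev[0].timestamp())
        buckets[epoch - epoch % span].append(ev)

    known_ips = defaultdict(set)  # user -> IPs seen on successes in clean windows
    alerts = []
    for start in sorted(buckets):
        evs = buckets[start]
        attempts = [e for e in evs if e[1] != "account_lockout"]
        failures = [e for e in attempts if e[1] == "login_failure"]
        successes = [e for e in attempts if e[1] == "login_success"]
        lockouts = [e for e in evs if e[1] == "account_lockout"]
        n = len(attempts)
        users = {e[2] for e in attempts}
        ips = {e[3] for e in attempts}
        stuffing = (
            n >= min_attempts
            and len(failures) / n >= min_failure_ratio
            and len(users) / n >= min_spread
            and len(ips) / n >= min_spread
        )
        if not stuffing:
            for _, _, user, ip in successes:
                known_ips[user].add(ip)
            continue
        # A success inside the burst from an IP this account never used before
        # is the likely takeover; do not let it poison the known-IP baseline.
        takeovers = sorted(u for _, _, u, ip in successes if ip not in known_ips[u])
        alerts.append({
            "window_start": datetime.fromtimestamp(start, timezone.utc).isoformat(),
            "attempts": n,
            "failures": len(failures),
            "distinct_ips": len(ips),
            "lockouts": len(lockouts),
            "suspect_takeovers": takeovers,
        })
    return alerts


if __name__ == "__main__":
    for alert in analyze(STUFFING_LOG):
        print(alert)
    print("brute-force sample flagged as stuffing:", bool(analyze(BRUTE_FORCE_LOG)))
```

In production the thresholds would be set from a per-site baseline rather
than fixed constants, and the lockout count would be compared against the
normal lockout rate, since the FBI's second sign is a rise relative to the
usual level rather than an absolute number.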

Recommended mitigations:
• Educate customers and employees about this scheme, stressing the need to
use a different password for every account and to change passwords
regularly.
• Advise customers to monitor their accounts for unauthorized access,
changes and unusual activity, and to change usernames and passwords if the
account is compromised or fraud is suspected.
• Require two-factor or multi-factor authentication when an account is
created or updated.
• Establish company policies that require contacting the account owner to
verify any change to account details.
• Use anomaly detection tools to spot unusual traffic spikes and failed
login attempts, and consider CAPTCHA to hinder automated scripts and bots.
• Establish device fingerprinting and IP blacklisting policies.
• Use a PIN code in addition to a password.
• Monitor the dark web for lists of leaked user IDs and passwords, and test
whether current user accounts are vulnerable to credential stuffing.
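The last item, testing whether existing accounts are exposed, together with
the MFA item, can be implemented as a check that runs after a password has
verified. The following Python code is an added example written for this
post, not code from the FBI notice or from any vendor; the combolist sample,
the range-lookup data and the hit count it returns are all constructed. It
stores only a hash of the normalized email:password pair so that a leaked
combolist can be checked without keeping a plaintext copy of the dump, and
it checks the password alone against a Pwned Passwords style range lookup,
which sends only the first five hex characters of the SHA-1 hash so the
password itself never leaves the server. The local_fetch_range function
stands in for the real HTTPS call.

```python
import hashlib

# Constructed combolist in the "email:password" shape sold on underground
# markets (sample data for this example, not a real leak).
SAMPLE_COMBOLIST = """\
Bob@example.com:Summer2020!
carol@example.com:hunter2
erin@example.com:Welcome1
"""

# Constructed stand-in for a range-API response. The real Pwned Passwords
# endpoint (https://api.pwnedpasswords.com/range/<first 5 hex of SHA-1>)
# returns "SUFFIX:COUNT" lines; the suffixes and counts below are made up,
# except that the second suffix is the real SHA-1 tail of "password".
FAKE_RANGE_RESPONSES = {
    "5BAA6": "00A6D7FA6BC5F2A2F0B7EDB9BA1B4A7F5B3:2\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n",
}


def local_fetch_range(prefix):
    """Offline replacement for the HTTPS range call; unknown prefixes are empty."""
    return FAKE_RANGE_RESPONSES.get(prefix, "")


def pair_fingerprint(email, password):
    # Hash the normalized pair so the checker is not itself a plaintext dump.
    return hashlib.sha256(f"{email.strip().lower()}:{password}".encode()).hexdigest()


def ingest_combolist(text):
    """Load an email:password list into a set of pair fingerprints."""
    fingerprints = set()
    for line in text.splitlines():
        email, sep, password = line.partition(":")
        if sep and email:
            fingerprints.add(pair_fingerprint(email, password))
    return fingerprints


def credential_is_leaked(email, password, leaked_fingerprints):
    return pair_fingerprint(email, password) in leaked_fingerprints


def pwned_count(password, fetch_range=local_fetch_range):
    """k-anonymity lookup: only the 5-char SHA-1 prefix is sent; match locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def login_decision(email, password, leaked_fingerprints, fetch_range=local_fetch_range):
    """Policy applied after the password has verified against the account."""
    if credential_is_leaked(email, password, leaked_fingerprints):
        # The exact pair is in a dump: a stuffing tool can log in as this user.
        return "deny_and_force_reset"
    if pwned_count(password, fetch_range) > 0:
        # The password is known-breached even if this pairing is not: step up.
        return "require_mfa_and_prompt_change"
    return "allow"


if __name__ == "__main__":
    leaked = ingest_combolist(SAMPLE_COMBOLIST)
    for email, pw in [("bob@example.com", "Summer2020!"),
                      ("dave@example.com", "password"),
                      ("dave@example.com", "Summer2020!")]:
        print(email, "->", login_decision(email, pw, leaked))
```

Checking the pair only after the password verifies keeps the comparison
honest: a stuffing tool that holds the same dump would have succeeded at
exactly that point, so the reset decision targets the accounts that are
actually exposed rather than everyone whose address appears in a leak.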

Owners of compromised accounts should also be told that if payment details
were stored in the account, they should review their card statements for
unauthorized charges. Beyond selling access to compromised accounts, DarkOwl
reported last year that some criminals were selling, or openly sharing,
step-by-step guides to committing refund policy fraud.

Although refund policy fraud may not directly harm end customers, food
delivery companies should watch for these schemes as well, even though the
FBI has not issued a warning about them.