FBI: Credential Stuffing Attacks on Grocery and Food Delivery Services

According to the FBI, hackers are hacking online accounts at grocery shops, restaurants, and food delivery services using credential stuffing attacks to empty customer cash through fake orders and obtain personal or financial details. 

The warning comes from the agency’s Cyber Division, FBI Private Industry Notification issued last week to firms in the US food and agriculture fields. According to the agency, cybercriminal gangs are logging into customer accounts at grocery and food delivery services using username and password combinations stolen from other firms’ breaches, in the hopes that customers have repeated credentials across accounts. 

Credential stuffing attacks use automated tools and proxy botnets to distribute the attacks across a wide range of IP addresses and obscure the attackers’ location. Due to billions of user credentials being exposed online, credential stuffing attacks have become prevalent across a wide number of trade verticals over the last decade. Most supermarket, restaurant, and food delivery accounts include a reward points program and generally retain payment card information, as a result, cybercriminals have been concentrating their efforts on these accounts in the last year. 

Since July 2020, the FBI has received reports of multiple instances: 

“As of February 2021, identified US-based food company suffered a credential stuffing attack that affected 303 accounts through customers’ emails. The cyber actors used six of the compromised accounts to make purchases through the US-based company; however, the US-based company canceled and flagged one of the orders as fraudulent. The US-based company suffered a financial loss of $200,000 due to the fraudulent orders. 

In October 2020, customers of a restaurant chain reported orders fraudulently charged to their accounts as the result of a credential stuffing attack. The company reimbursed the customers for the fraudulent charges. Another restaurant chain experienced a credential stuffing attack in April 2019. Customers posted on social media that their payment cards had been used to pay for food orders placed at restaurants. 

In July 2020, customers’ personal information of a grocery delivery company was being sold on the dark web. The information from approximately 280,000 accounts included names, partial credit card numbers, and order history. The company received customer complaints about fraudulent orders and believed the activity was the result of credential stuffing.” 

Furthermore, independent research from threat intelligence firm DarkOwl revealed an increase in the number of underground advertisements promising access to restaurant and food delivery accounts, a surge that appears to have occurred after the COVID-19 pandemic began in early 2020. 

As more people are confined at home and have to order meals online, the demand for food delivery accounts has increased as fraudsters try to dine at someone else’s cost. According to the FBI, victim firms are typically unaware of any intrusions until customers report strange activity on their accounts, such as food orders for pick-ups that they did not place. 

FBI also states that in the majority of cases, thieves got access to individual accounts using basic tactics such as credential stuffing. The agency now demands businesses to enhance their security defenses against such assaults. They are also advising businesses to be on the lookout for signs of a credential stuffing attack and to develop a multi-layered mitigation strategy.

Signs of a credential stuffing attack include: 

-an unexpectedly high number of unsuccessful logins via the online account portal 

-a higher than usual lockout rate and/or a flow of customer calls regarding account lockouts and unauthorized changes 

• Inform customers and workers about the program, emphasizing the need to use different passwords for different accounts and change passwords regularly. 

• Advise consumers to keep an eye on their accounts for illegal access, changes, and unusual activity; usernames and passwords should be changed if the account is compromised or if fraud is suspected. 

• Set up Two-Factor or Multi-Factor Authentication while creating or upgrading an account. 

• Create corporate policies that require contacting the account’s owner to verify any changes to the account’s details. 

• Utilize anomaly detection tools to spot unexpected traffic spikes and unsuccessful login attempts. Consider using CAPTCHA to counter automated scripts or bots. 

• Develop policies for device fingerprinting and IP blacklisting. 

• Use both a PIN code and a password. 

• Keep an eye out for lists of leaked user IDs and passwords on the dark web, and run tests to see if current user accounts are vulnerable to credential stuffing attacks. 

Furthermore, owners of hacked accounts should be informed that if financial data was saved in their account and not secured, they may need to verify payment card balances. In addition to selling access to compromised accounts, DarkOwl reported last year that some hackers profited from selling or openly sharing step-by-step guidelines on how to execute return policy fraud. 

Although refund policy fraud may not pose a direct threat to end customers, food delivery firms should be cautious of these sorts of scams as well, even if the FBI has not issued a warning.