Food and Grocery Delivery Services Targeted by Threat Actors in Credential Stuffing Attacks

The FBI is warning of an uptick in credential stuffing attacks targeting grocery stores, restaurants, and food delivery services. Threat actors replay usernames and passwords obtained from breaches of unrelated sites against these services' login portals, betting on password reuse; the accounts are attractive because they commonly hold rewards points and stored payment information that can be cashed out through fraudulent orders. The COVID-19 pandemic drove a dramatic increase in the use of food and grocery delivery services, and threat actors have followed that trend. Incident reports received by the FBI since July 2020 include:

  • As of February 2021, an identified US-based food company suffered a credential stuffing attack that affected 303 accounts through customers’ emails. The cyber actors used six of the compromised accounts to make purchases through the US-based company; however, the US-based company canceled and flagged one of the orders as fraudulent. The US-based company suffered a financial loss of $200,000 due to the fraudulent orders.
  • In October 2020, customers of a restaurant chain reported orders fraudulently charged to their accounts as the result of a credential stuffing attack. The company reimbursed the customers for the fraudulent charges. Another restaurant chain experienced a credential stuffing attack in April 2019. Customers posted on social media that their payment cards had been used to pay for food orders placed at restaurants.
  • In July 2020, the personal information of customers of a grocery delivery company was being sold on the dark web. The information from approximately 280,000 accounts included names, partial credit card numbers, and order history. The company received customer complaints about fraudulent orders and believed the activity was the result of credential stuffing.

DarkOwl has also noticed an increase in the number of food delivery service accounts being sold on criminal forums over the past year. Often the affected company is not aware that anything is going on until a victim complains.

Analyst Notes

The FBI's notice lists indicators that a business is being targeted, along with mitigation tactics for businesses and individuals that reduce the likelihood and impact of these attacks.

How companies can spot potential credential stuffing attacks:
• an unusually high number of failed logins, possibly in the millions, from a diverse range of IP addresses against the online account portal. Stuffing tools rotate through proxies, so the count per source address can stay low while the aggregate spikes, and each account typically sees only one or two attempts rather than the many attempts of a brute-force attack on a single account.

• a higher-than-usual account lockout rate, and/or an influx of customer calls about lockouts, unrecognized orders, and unauthorized changes to account details.
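Both indicators can be checked mechanically against the portal's authentication log. The following is an added example in Python, not from the FBI notice or the original post: it buckets constructed sample log lines into five-minute windows and flags a window when failed logins are numerous, come from many source IPs, and are spread thinly across accounts (about one or two attempts per account, which is what separates stuffing from a brute-force attack on one account). It also derives a blocklist of IPs that failed against several distinct accounts and lists successful logins from those IPs, which are the likely compromised accounts. The log format, thresholds, addresses and usernames are all assumptions made for the illustration.

```python
"""Spot credential stuffing in web-portal authentication logs.

Added example, not part of the FBI notice or the original post. The log format
"<UTC time> <source ip> <username> <ok|fail|locked>" and every threshold below
are assumptions chosen for the illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). The 08:55 window is ordinary use; the
# 09:00 window shows the stuffing pattern: 6 source IPs, 13 accounts tried once or
# twice each, two lockouts, and one success from an attacking IP.
SAMPLE_LOG = """\
2021-02-10T08:55:03Z 198.51.100.7 alice@example.com ok
2021-02-10T08:56:11Z 198.51.100.7 alice@example.com fail
2021-02-10T09:00:01Z 203.0.113.10 user01@example.com fail
2021-02-10T09:00:01Z 203.0.113.11 user02@example.com fail
2021-02-10T09:00:02Z 203.0.113.12 user03@example.com fail
2021-02-10T09:00:02Z 203.0.113.13 user04@example.com fail
2021-02-10T09:00:03Z 203.0.113.14 user05@example.com fail
2021-02-10T09:00:03Z 203.0.113.15 user06@example.com fail
2021-02-10T09:00:04Z 203.0.113.10 user07@example.com fail
2021-02-10T09:00:04Z 203.0.113.11 user08@example.com fail
2021-02-10T09:00:05Z 203.0.113.12 user09@example.com fail
2021-02-10T09:00:05Z 203.0.113.13 user10@example.com fail
2021-02-10T09:00:06Z 203.0.113.14 user11@example.com fail
2021-02-10T09:00:06Z 203.0.113.15 user12@example.com fail
2021-02-10T09:00:07Z 203.0.113.10 user13@example.com fail
2021-02-10T09:00:07Z 203.0.113.11 user14@example.com ok
2021-02-10T09:00:08Z 203.0.113.12 user02@example.com fail
2021-02-10T09:00:08Z 203.0.113.13 user03@example.com locked
2021-02-10T09:00:09Z 203.0.113.14 user04@example.com fail
2021-02-10T09:00:09Z 203.0.113.15 user05@example.com fail
2021-02-10T09:00:10Z 203.0.113.11 user01@example.com locked
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (ok|fail|locked)$")


def parse_log(text):
    """Return (timestamp, ip, username, result) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def window_start(ts, minutes):
    """Floor a timestamp to the start of its fixed-size window."""
    day = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    secs = int((ts - day).total_seconds())
    return day + timedelta(seconds=secs - secs % (minutes * 60))


def analyze(log_text, window_minutes=5, min_failures=10, min_ips=5,
            max_attempts_per_account=3.0, blocklist_accounts=3):
    """Flag windows that look like stuffing; derive a blocklist and suspect logins."""
    events = parse_log(log_text)
    failed = [e for e in events if e[3] != "ok"]  # 'locked' is a failed login too

    # Blocklist candidates: source IPs that failed against several distinct accounts.
    accounts_by_ip = defaultdict(set)
    for _, ip, user, _ in failed:
        accounts_by_ip[ip].add(user)
    blocklist = sorted(ip for ip, users in accounts_by_ip.items()
                       if len(users) >= blocklist_accounts)
    # A success from a blocklisted IP is most likely a compromised account.
    suspect_logins = sorted((ip, user) for _, ip, user, result in events
                            if result == "ok" and ip in blocklist)

    windows = defaultdict(list)
    for e in failed:
        windows[window_start(e[0], window_minutes)].append(e)
    flagged = []
    for start in sorted(windows):
        evs = windows[start]
        ips = {e[1] for e in evs}
        accounts = {e[2] for e in evs}
        per_account = len(evs) / len(accounts)
        # Stuffing: many failures, from many IPs, spread thinly across many accounts.
        # A brute force on one account has one IP and a high per-account count.
        if (len(evs) >= min_failures and len(ips) >= min_ips
                and per_account <= max_attempts_per_account):
            flagged.append({
                "window_start": start.isoformat(),
                "failed": len(evs),
                "lockouts": sum(1 for e in evs if e[3] == "locked"),
                "distinct_ips": len(ips),
                "distinct_accounts": len(accounts),
                "attempts_per_account": round(per_account, 2),
            })
    return {"flagged_windows": flagged, "blocklist": blocklist,
            "suspect_logins": suspect_logins}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

On the constructed log this flags only the 09:00 window (18 failures from 6 IPs over 13 accounts, about 1.4 attempts per account, 2 lockouts), blocklists all six attacking addresses, and reports the one success from 203.0.113.11 as the account to contact and reset. Twelve failures against a single account from a single IP are not flagged, which is the intended distinction from a brute-force attack; tune the thresholds to the portal's real baseline before alerting on them.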

Mitigation tactics:
• Educate customers and employees about this scheme, advising them to use unique passwords for various accounts and to change passwords regularly.

• Advise customers to actively monitor their accounts for unauthorized access, modification, and anomalous activities; usernames and passwords should be changed upon identification of account compromise or fraud.

• Establish Two-Factor or Multi-Factor Authentication for creating and updating account information.

• Establish company policies to contact the owner of an account to verify any changes to existing account information.

• Use anomaly detection tooling that alerts on an unusual increase in traffic and failed authentication attempts. To slow automated scripts and bots, consider deploying a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), which requires a human action before an attempt is processed; treat it as a cost-raiser rather than a hard stop, since CAPTCHA-solving services are sold to attackers.

• Establish device fingerprinting and IP blacklisting policies, so that a device or source address that fails logins against many distinct accounts is blocked or forced through step-up authentication.

• Use a PIN code and password together. The PIN code is a second piece of information the cyber actor would need to know, which increases the difficulty of accessing the account with a leaked password alone. A PIN is still a knowledge factor, not a possession factor, so it does not replace the multi-factor authentication recommended above.

• Monitor the dark web for lists of leaked user IDs and passwords, and test whether current user accounts are susceptible by replaying any leaked email/password pairs that match your customers through your own login verifier (the same check the login endpoint performs), forcing a password reset on every account that authenticates.
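The last item cannot be done by comparing hashes: a properly stored password is salted and hashed, so a leaked plaintext list matches nothing on disk directly. What works is to run each leaked email/password pair through the same verifier the login endpoint uses and force a reset on every account that authenticates. The following added example (not from the FBI notice or the original post) does that in Python against a constructed account store hashed with PBKDF2-HMAC-SHA256 from the standard library; the accounts, the iteration count, the combo list and the must_reset flag are assumptions made for the illustration, and no real credentials appear in it.

```python
"""Replay a leaked credential list against the service's own password verifier.

Added example, not part of the FBI notice or the original post. The account
store, the PBKDF2 parameters, the leaked combo list and the must_reset flag are
constructed for the illustration; no real credentials appear here.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed service setting


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Store only a salted PBKDF2-HMAC-SHA256 digest, never the plaintext."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_password(password, record):
    """The same check the login endpoint performs, with a constant-time compare."""
    if record.get("must_reset"):
        return False  # pending reset: the login flow must route to password reset
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


# Constructed account store, as the service holds it: salted hashes only.
ACCOUNTS = {
    "alice@example.com": hash_password("Winter2020!"),
    "bob@example.com": hash_password("correct horse battery staple"),
    "carol@example.com": hash_password("Carol#1234"),
}

# Constructed "combo list" in the email:password form sold on criminal forums.
LEAKED_COMBOS = """\
alice@example.com:Winter2020!
bob@example.com:hunter2
dave@example.com:letmein
CAROL@example.com:Carol#1234
"""


def parse_combos(text):
    """Split on the first ':' only (passwords may contain ':'); normalise the email."""
    combos = []
    for line in text.splitlines():
        if ":" in line:
            email, password = line.split(":", 1)
            combos.append((email.strip().lower(), password))
    return combos


def replay_leak(combos, accounts):
    """Classify each leaked pair by running it through our own verifier.

    Salted hashes cannot be compared with the leak directly, so the only honest
    test is the code path a real login takes.
    """
    result = {"compromised": [], "email_only": [], "not_customer": []}
    for email, password in combos:
        record = accounts.get(email)
        if record is None:
            result["not_customer"].append(email)
        elif verify_password(password, record):
            result["compromised"].append(email)  # current password is in circulation
        else:
            result["email_only"].append(email)   # reused email, different password
    return result


def force_reset(accounts, emails):
    """Invalidate the password so the next login must go through the reset flow."""
    for email in emails:
        accounts[email]["must_reset"] = True
    return sorted(emails)


if __name__ == "__main__":
    findings = replay_leak(parse_combos(LEAKED_COMBOS), ACCOUNTS)
    print(findings)
    print("reset forced for:", force_reset(ACCOUNTS, findings["compromised"]))
```

On the constructed data alice and carol authenticate with their leaked passwords and are forced to reset; bob appears in the leak with a different password and only warrants a notice; dave is not a customer. Two caveats a practitioner should keep in mind: this test only covers accounts that appear in a list you managed to obtain, so the enforcement point for everyone else is login and password-change time, and at PBKDF2 cost a million-line combo list takes hours to replay, so batch it and rate-limit it like any other expensive job rather than pointing it at the production login endpoint.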