The FBI is warning of an uptick in credential stuffing attacks targeting grocery stores, restaurants, and food delivery services. Threat actors are using usernames and passwords obtained from other breaches to break into these services since they commonly have rewards points and included payment information. The COVID-19 pandemic has seen a dramatic increase in the use of food and grocery delivery services and threat actors have picked up on this trend as well. Incident reports received by the FBI since July of 2020 include:
- As of February 2021, an identified US-based food company suffered a credential stuffing attack that affected 303 accounts through customers’ emails. The cyber actors used six of the compromised accounts to make purchases through the US-based company; however, the US-based company canceled and flagged one of the orders as fraudulent. The US-based company suffered a financial loss of $200,000 due to the fraudulent orders.
- In October 2020, customers of a restaurant chain reported orders fraudulently charged to their accounts as the result of a credential stuffing attack. The company reimbursed the customers for the fraudulent charges. Another restaurant chain experienced a credential stuffing attack in April 2019. Customers posted on social media that their payment cards had been used to pay for food orders placed at restaurants.
- In July 2020, the personal information of customers of a grocery delivery company was being sold on the dark web. The information from approximately 280,000 accounts included names, partial credit card numbers, and order history. The company received customer complaints about fraudulent orders and believed the activity was the result of credential stuffing.
Darkowl has also noticed an increase in the number of food delivery service accounts being sold on criminal forums over the past year as well. A lot of the time these companies will not be aware something like this is going until a victim has complained
