FBI warns of credential stuffing attacks against grocery and food delivery services

The FBI says that hackers are using credential stuffing attacks to hijack online accounts at grocery stores, restaurants, and food delivery services in order to drain user funds through fraudulent orders and to steal personal or financial data.

The warning comes via an FBI Private Industry Notification the agency's Cyber Division sent last week to companies in the US food and agricultural sectors.

The agency said that cybercriminal groups are using username and password combos obtained through breaches at other companies to log into customer accounts at grocery and food delivery services, hoping that users had reused passwords across accounts.

These intrusions, known as credential stuffing attacks, are usually carried out using automated tools and proxy botnets in order to spread the attacks over a large pool of IP addresses and disguise the attackers' location.

With billions of user credentials having been leaked online following security breaches over the past decade, credential stuffing attacks are now common across a wide spectrum of industry verticals.

Because most grocery, restaurants, and food delivery accounts tend to run a reward points program and typically store payment card information, cybercrime groups started focusing their efforts on hijacking these types of accounts over the past year.

The FBI said it received reports of several incidents that have taken place since July 2020:

In addition, independent reporting from threat intelligence company DarkOwl also noted a rise in the number of underground ads offering access to restaurant and food delivery accounts, a spike that appears to have taken place since the onset of the COVID-19 pandemic in early 2020.

With more users now stuck in their homes and having to order online, the demand for food delivery accounts has risen as miscreants have sought to eat on someone else's dime.

The FBI said that in these incidents, and others, victim companies are often unaware of any compromises until customers complain of suspicious activities on their accounts, such as food orders for pick-ups that they didn't place.

While hackers can gain access to these types of accounts by breaching the online food ordering platforms itself—as it was recently the case—the FBI said that in most incidents, cybercriminals gained access to individual accounts through basic techniques like credential stuffing.

Now, the agency wants companies to improve their security defenses against these types of attacks. The FBI is now urging companies to keep on eye out on indicators of a credential stuffing attack and work on deploying a multi-layered mitigation strategy:

Indicators of a credential stuffing attack:

• an unusually high number of failed logins, possibly in the millions, from a diverse range of IP addresses via the online account portal;
• a higher than usual lockout rate and/or an influx of customer calls regarding account lockouts and unauthorized changes;

Recommended mitigations:

• Educate customers and employees about this scheme, advising them to use unique passwords for various accounts and to change passwords regularly.
• Advise customers to actively monitor their accounts for unauthorized access, modification, and anomalous activities; usernames and passwords should be changed upon identification of account compromise or fraud.
• Establish Two-Factor or Multi-Factor Authentication for creating and updating account information.
• Establish company policies to contact the owner of an account to verify any changes to existing account information. 
• Use anomaly detection tools that identify an unusual increase in traffic and failed authentication attempts. To combat automated scripts or bots, consider deployment of a Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA), which requires users to confirm they are not running automated scripts by performing an action to prove they are human.
• Establish device fingerprinting and IP blacklisting policies.
• Use a PIN code and password together. The PIN code is a second piece of information the cyber actor would need to know, thus increasing the difficulty for unauthorized individuals to access the account.
• Monitor the dark web for lists of leaked user IDs and passwords, and perform tests to evaluate whether current user accounts are susceptible to credential stuffing attacks.

Other threats to be aware off

In addition, owners of hacked accounts should also be aware that if financial data was stored in their account and was unprotected, they might also need to check payment card balances and look into some form of identity fraud protection.

Furthermore, besides selling access to hacked accounts, DarkOwl also noted last year that some cybercriminals have also been making money by selling or freely sharing step-by-step guides on how to perform refund policy fraud.

Refund policy fraud is not a direct threat to end-consumers, but companies in the food delivery sector should be aware of these types of schemes as well, even if the FBI has not specifically warned against them.

The FBI's PIN alert last week marks the second time that the agency warns an industry vertical about a wave of credential stuffing attacks after it previously warned the banking and financial sector in September 2020.