
Hackers Target Chick-fil-A Customers Credentials

Chick-fil-A is investigating reports of suspicious transactions on its mobile app after multiple users claimed that hackers had obtained their personal data, including bank account details.

Customers at Chick-fil-A, a well-known chicken restaurant business, may be the latest targets of hackers. According to a recent article in Nation's Restaurant News, the fast food chain is investigating potential hacks of mobile apps that have exposed customers' sensitive information.

According to Krebs on Security, one bank claimed it had nearly 9,000 customer card details listed in an alert sent to various financial institutions regarding a breach at an anonymous retailer that occurred between December 2, 2013, and September 30, 2014, and that Chick-fil-A locations were the only common point-of-purchase. As per Krebs, "the majority of the fraud, according to a financial source, appeared to be centered at sites in Georgia, Maryland, Pennsylvania, Texas, and Virginia."

Customers who detect anything unusual are advised to promptly change their passwords to new ones that are distinct, complex, and not used for any other online platform or account.

In regard to the reports, Chick-fil-A posted a statement on social media stating that the company is aware of the matter and is working quickly to resolve it. The business does point out that it has not discovered proof that its internal security has been infiltrated by hackers or otherwise compromised.

Impacted customers can find guidance on a support page on the Chick-fil-A One membership program's customer service website. It covers what to do if they see suspicious activity on their accounts, see mobile orders placed without their consent, or discover that their loyalty points were fraudulently redeemed or used to purchase gifts.

DoorDash Data Breach Linked with Twilio Hackers

A data breach that exposed customer and staff information and was tied to the recent cyberattack on Twilio has been disclosed by the food delivery service DoorDash. 

According to DoorDash, hackers misused a vendor's access to its networks. By abusing DoorDash's internal tools, the hacker was able to access the data of a small fraction of people. 

Customers' names, email addresses, delivery addresses, and phone numbers are among the compromised data. In certain instances, basic order information and partial payment card information were also made public.

The attacker gained access to the name, phone number, or email address of Dashers—those who make deliveries. It's worth noting that an earlier data breach at DoorDash in 2019 resulted in the exposure of information on roughly 5 million consumers.

According to DoorDash spokesperson Justin Crowley, the unnamed third-party vendor provides services that require limited access to specific internal tools, and the vendor hack is connected to the phishing attempt that affected SMS and messaging giant Twilio on August 4.

Researchers connected these attacks to a larger phishing campaign carried out by the same hacker group known as "0ktapus," which since March has stolen nearly 10,000 employee login credentials from at least 130 businesses, including Twilio, internet companies, and outsourced customer service providers.

Twilio revealed this month that it was compromised after many employees fell for an SMS phishing scam that gave threat actors access to its internal systems. With this access, hackers could reach the data of 163 Twilio users, which they could then use in additional supply-chain attacks.

According to an updated Twilio security advisory, "so far, our research has identified 163 Twilio customers - out of a total customer base of over 270,000 - whose data was accessed without authorization for a limited period of time, and we have notified all of them."

Coinbase, KuCoin, Binance, Microsoft, Telus, Verizon Wireless, T-Mobile, AT&T, Sprint, Rogers, Mailgun, Slack, Box, SendGrid, Yahoo, Sykes, BestBuy, and Infosys are among the other organizations that have been attacked. None of these businesses, however, have stated if the attacks were effective.

FBI: Credential Stuffing Attacks on Grocery and Food Delivery Services


 




According to the FBI, hackers are breaking into online accounts at grocery shops, restaurants, and food delivery services using credential stuffing attacks, draining customer funds through fraudulent orders and obtaining personal or financial details.

The warning comes in a Private Industry Notification that the FBI's Cyber Division issued last week to firms in the US food and agriculture sectors. According to the agency, cybercriminal gangs are logging into customer accounts at grocery and food delivery services using username and password combinations stolen in breaches of other firms, in the hope that customers have reused credentials across accounts.

Credential stuffing attacks use automated tools and proxy botnets to distribute the attacks across a wide range of IP addresses and obscure the attackers' location. With billions of user credentials exposed online, credential stuffing attacks have become prevalent across a wide range of industry verticals over the last decade. Most supermarket, restaurant, and food delivery accounts include a reward points program and generally retain payment card information; as a result, cybercriminals have been concentrating their efforts on these accounts in the last year.

Since July 2020, the FBI has received reports of multiple instances: 

“As of February 2021, identified US-based food company suffered a credential stuffing attack that affected 303 accounts through customers’ emails. The cyber actors used six of the compromised accounts to make purchases through the US-based company; however, the US-based company canceled and flagged one of the orders as fraudulent. The US-based company suffered a financial loss of $200,000 due to the fraudulent orders. 

In October 2020, customers of a restaurant chain reported orders fraudulently charged to their accounts as the result of a credential stuffing attack. The company reimbursed the customers for the fraudulent charges. Another restaurant chain experienced a credential stuffing attack in April 2019. Customers posted on social media that their payment cards had been used to pay for food orders placed at restaurants. 

In July 2020, customers' personal information of a grocery delivery company was being sold on the dark web. The information from approximately 280,000 accounts included names, partial credit card numbers, and order history. The company received customer complaints about fraudulent orders and believed the activity was the result of credential stuffing.” 

Furthermore, independent research from threat intelligence firm DarkOwl revealed an increase in the number of underground advertisements promising access to restaurant and food delivery accounts, a surge that appears to have occurred after the COVID-19 pandemic began in early 2020. 

As more people are confined at home and have to order meals online, the demand for food delivery accounts has increased as fraudsters try to dine at someone else's expense. According to the FBI, victim firms are typically unaware of any intrusions until customers report strange activity on their accounts, such as food orders for pick-up that they did not place.

The FBI also states that in the majority of cases, thieves got access to individual accounts using basic tactics such as credential stuffing. The agency now demands that businesses enhance their security defenses against such attacks. It is also advising businesses to be on the lookout for signs of a credential stuffing attack and to develop a multi-layered mitigation strategy.

Signs of a credential stuffing attack include: 

• An unexpectedly high number of unsuccessful logins via the online account portal. 
• A higher than usual lockout rate and/or a flow of customer calls regarding account lockouts and unauthorized changes. 

Recommended Mitigations: 

• Inform customers and workers about this type of attack, emphasizing the need to use different passwords for different accounts and change passwords regularly. 
• Advise consumers to keep an eye on their accounts for unauthorized access, changes, and unusual activity; usernames and passwords should be changed if the account is compromised or if fraud is suspected. 
• Set up Two-Factor or Multi-Factor Authentication when creating or updating an account. 
• Create corporate policies that require contacting the account's owner to verify any changes to the account's details. 
• Utilize anomaly detection tools to spot unexpected traffic spikes and unsuccessful login attempts. Consider using CAPTCHA to counter automated scripts or bots. 
• Develop policies for device fingerprinting and IP blacklisting. 
• Use both a PIN code and a password. 
• Keep an eye out for lists of leaked user IDs and passwords on the dark web, and run tests to see if current user accounts are vulnerable to credential stuffing attacks. 
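
The signs and the anomaly-detection recommendation above, sketched as an added example (not from the FBI notification or the original post): because the attempts are spread across many proxy IPs, the check counts failures portal-wide per 5-minute window instead of per IP. The event tuples, thresholds and function names are assumptions, and the sample data is constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def bucket(ts):
    """Floor a timestamp to the start of its 5-minute window."""
    return ts.replace(minute=ts.minute - ts.minute % 5, second=0, microsecond=0)

def window_stats(events):
    """Aggregate portal-wide counters per window (not per IP)."""
    stats = defaultdict(lambda: {"total": 0, "fail": 0, "users": set()})
    for ts, ip, user, ok in events:
        s = stats[bucket(ts)]
        s["total"] += 1
        if not ok:
            s["fail"] += 1
            s["users"].add(user)
    return stats

def flag_windows(events, max_fail_ratio=0.5, min_failed_users=20):
    """Windows where most logins fail AND failures span many distinct accounts."""
    return sorted(w for w, s in window_stats(events).items()
                  if s["fail"] / s["total"] > max_fail_ratio
                  and len(s["users"]) >= min_failed_users)

def max_failures_per_ip(events):
    """Highest failure count any single IP reached (what a per-IP limit sees)."""
    return max(Counter(ip for _, ip, _, ok in events if not ok).values())

def suspect_takeovers(events, flagged):
    """Accounts with a successful login, inside a flagged window, from an IP
    that also failed against other usernames: candidates for a forced reset."""
    failed_by_ip = defaultdict(set)
    for ts, ip, user, ok in events:
        if not ok and bucket(ts) in flagged:
            failed_by_ip[ip].add(user)
    return sorted({user for ts, ip, user, ok in events
                   if ok and bucket(ts) in flagged and failed_by_ip[ip] - {user}})

def sample_events():
    """Constructed data: a quiet window, then a distributed stuffing run."""
    t0 = datetime(2021, 3, 1, 12, 0, 0)
    quiet = [(t0 + timedelta(seconds=20 * i), "198.51.100.7", f"cust{i}", i != 3)
             for i in range(10)]                    # one mistyped password in ten
    t1 = t0 + timedelta(minutes=5)
    attack = [(t1 + timedelta(seconds=i), f"203.0.113.{i % 40}", f"victim{i}", False)
              for i in range(200)]                  # 40 proxy IPs, 5 tries each
    hit = [(t1 + timedelta(seconds=210), "203.0.113.9", "victim_reused_pw", True)]
    return quiet + attack + hit
```

In the sample, no single IP exceeds five failures, so a typical per-IP lockout threshold stays silent while the portal-wide window is flagged and the one account with a reused password is surfaced.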

Furthermore, owners of hacked accounts should be informed that if financial data was saved in their account and not secured, they may need to verify payment card balances. In addition to selling access to compromised accounts, DarkOwl reported last year that some hackers profited from selling or openly sharing step-by-step guidelines on how to execute return policy fraud. 

Although refund policy fraud may not pose a direct threat to end customers, food delivery firms should be cautious of these sorts of scams as well, even if the FBI has not issued a warning.