Thousands of retail customers have fallen victim to a hacking scheme where scammers access their online accounts to make fraudulent transactions.
Local scammers, having bought online login details from overseas cybercriminals, bragged in a chat online about purchasing iPhones, clothing and alcohol (almost $800 worth) with strangers’ money.
The Iconic, an online retailer, said last week they will issue full refunds to customers affected by the “credential stuffing” scheme.
Cybersecurity company Kasada has found the issue extends further than anticipated.
Customers with online accounts to Guzman y Gomez, Dan Murphy’s, Binge, TVSN, and Event Cinemas were compromised by the scam.
Kasada founder Sam Crowther said, “This is a concerted, targeted effort to hit Australian business who haven’t had to deal with this before. In the past few weeks the level of activity has gone mental, and it is still going on. While we remain a soft target the problem will get worse.”
He said his company’s tracking software revealed 15,000 Australian online accounts being accessed since late November, and the number is rising each day.
He claimed many affected aren’t aware of the extent. The company also infiltrated Telegram chat groups, where details were being shared by scammers of the purchases made.
One chat group saw a scammer post a receipt of a fraudulent purchase of $782 worth of alcohol from Dan Murphy’s.
This scan scheme targets those who save credit card details on websites, or who have online gift cards or store credit.
Customers using the same login details for various online accounts are especially vulnerable.
According to the Australian Cyber Security Centre, credential stuffing is a type of hack where cybercriminals “use previously stolen passwords from one website and try to reuse them elsewhere.”
This means it’s different to larger scale breaches that have affected Optus and Medibank Private.
Crowther continued, “The modus operandi of these guys is to purchase the biggest amount you can as quickly as possible before it can be noticed or stopped.”
Some The Iconic customers complained of purchases worth over $1,000.
Crowther said Australian cybercriminals have been purchasing hacked login details on the black market from Eastern European cybercriminals, for around 5% of the total account value.
Cybersecurity Minister Clare O’Neil said, “Cybersecurity is a shared responsibility of us all. It is vital that Australians and Australian businesses are alert to the threat of credential stuffing.”
“Consumers who are concerned about being caught in these attacks should take the usual precautions of using strong and unique passphrases for different accounts and enabling multifactor authentication where possible.”
Dan Murphy’s is owned by Endeavour Group, which has confirmed its customers were the victims of credential stuffing in recent weeks.
“A small number of user accounts were subject to fraudulent transactions as a result of email and passwords; these were obtained through unrelated third-party breaches and not due to our internal systems being compromised.”
“Our team took immediate action and has been working with affected customers.”
All customers are encouraged to practice good password hygiene, using a strong password and changing it periodically.”
Some scanners used PayPal accounts linked to an email and password for the purchases.
A TVSN spokeswoman confirmed “a small number” of customers had been affected, and they had contacted them to issue refunds.
“In communications on this issue, TVSN has reminded its customers of the importance of ensuring that they have a strong, unique password for each different website or account that they hold.”
She revealed no TVSN customer credit card information had been accessed.
A Guzman y Gomez spokeswoman also said the company doesn’t save credit card details, and “uses advanced monitoring for such attacks and proactively takes action to defend against cyber criminals to protect our guests, including notifying users of suspicious activity.”
The spokesperson for Event Cinemas said it had “not experienced recent transactions or activity inconsistent with past trends” but would follow up with Kasada.
A Binge spokesperson added, “BINGE customers remain unaffected by credit card scams including the one reported by Kasada and no credit card details have been compromised. Credit card details are managed off-platform as part of the comprehensive cyber security systems we have in place. Our customer accounts are monitored 24/7 for cyber activity that may compromise accounts and we have advanced systems in place to block, re-set customer accounts, and notify affected customers, ensuring minimal risk.”
