
This was published 11 months ago

Thousands of Australians hacked in ‘credential stuffing’ credit card scam

By Matthew Knott

Thousands of customers of the country’s biggest fashion, fast food and entertainment companies have been victims of a brazen hacking scheme in which scammers access their online accounts and make fraudulent transactions.

Local scammers, who purchased pilfered online login details from overseas cybercriminals, have bragged in online chat groups about buying iPhones, clothing and almost $800 worth of top-shelf alcohol with strangers’ money.

Boxes of clothing that scammers claimed on Telegram they had bought on other people’s accounts.

Online retailer The Iconic last week pledged to issue full refunds to customers who were fleeced by the “credential stuffing” scheme, but analysis by leading cybersecurity company Kasada has found the problem extends far further than previously disclosed.

Customers who have online accounts with Mexican fast food outlet Guzman y Gomez, alcohol retailer Dan Murphy’s, streaming service Binge, home shopping network TVSN and Event Cinemas are among those whose accounts were compromised by the systematic scam, according to Kasada.

“This is a concerted, targeted effort to hit Australian businesses who haven’t had to deal with this before,” Kasada founder Sam Crowther said. “In the past few weeks the level of activity has gone mental, and it is still going on. While we remain a soft target the problem will get worse.”

Crowther, whose firm specialises in preventing online bot attacks, said his company’s tracking software showed 15,000 Australian online accounts had been accessed since late November, with that number rising each day.

Kasada chief executive Sam Crowther said targeted “credential stuffing” posed a new threat to Australian companies. Credit: Michael Quelch

Many affected customers and companies are probably not aware of the extent of the fraudulent activity, he said. Crowther’s company also infiltrated Telegram chat groups where scammers shared details of their fraudulent purchases on the messaging app.

In one chat group, a scammer posted a receipt of a fraudulent purchase of $782 worth of alcohol from Dan Murphy’s, including a $290 bottle of Hibiki Harmony whisky and a $120 bottle of Don Julio Blanco tequila.


The scheme targets customers who save their credit card details on company websites or who have online gift cards or store credit that can be spent on online purchases.

Receipts for purchases posted in a Telegram message group where scammers boast about hacking accounts.

Customers who use the same login details for multiple online accounts are especially vulnerable to abuse.

The Australian Cyber Security Centre defines credential stuffing as a type of hack in which cyber criminals “use previously stolen passwords from one website and try to reuse them elsewhere”.

This makes it different to the large-scale data breaches that have affected companies such as Optus and Medibank Private: in credential stuffing the targeted company’s own systems are not broken into, and the login details come from breaches of unrelated sites.
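The article does not describe how Kasada’s tracking tools work. As an added illustration, not code from the page, from Kasada or from any company named in it, the following Python script shows the traffic pattern a defender looks for: one source trying many different accounts with a high failure rate, and the few successes among them being the compromised accounts. It runs over constructed login log lines; the log format, field names, IP addresses and thresholds are all assumptions made for the example, and it also separates stuffing from password guessing against a single account, which the article does not discuss.

```python
"""Spot credential-stuffing traffic in web login logs.

Credential stuffing replays username/password pairs leaked from other
sites, so one source tries many *different* accounts, most attempts fail,
and the occasional success is a compromised account. Password guessing
against a single account, or a user mistyping a password, looks
different: one account per source. The log format below is an assumption
made for this example, and the log lines are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed log format: "<timestamp> ip=<src> user=<account> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class SourceStats:
    """Login activity seen from one source IP."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    successes: list = field(default_factory=list)  # (user, timestamp)

    @property
    def failure_rate(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_line(line: str):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def aggregate(lines):
    """Group attempts by source IP, skipping lines the parser rejects."""
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s.attempts += 1
        s.users.add(rec["user"])
        if rec["result"] == "FAIL":
            s.failures += 1
        else:
            s.successes.append((rec["user"], rec["ts"]))
    return stats


def find_stuffing_sources(lines, min_users=5, min_failure_rate=0.8):
    """Sources that hit many distinct accounts with a high failure rate.

    Both thresholds are assumptions to tune against real traffic; the
    distinct-user count is what separates stuffing from brute force.
    """
    return {
        ip: s
        for ip, s in aggregate(lines).items()
        if len(s.users) >= min_users and s.failure_rate >= min_failure_rate
    }


def compromised_accounts(lines, **thresholds):
    """Accounts that logged in successfully from a flagged source."""
    hits = set()
    for s in find_stuffing_sources(lines, **thresholds).values():
        hits.update(user for user, _ in s.successes)
    return sorted(hits)


# Constructed sample: a normal user, a single-account guesser, a stuffer.
SAMPLE_LOG = [
    "2024-01-10T02:14:01Z ip=198.51.100.20 user=alice@example.com result=FAIL",
    "2024-01-10T02:14:09Z ip=198.51.100.20 user=alice@example.com result=OK",
] + [
    f"2024-01-10T02:20:{i:02d}Z ip=192.0.2.9 user=bob@example.com result=FAIL"
    for i in range(6)
] + [
    f"2024-01-10T02:30:{i:02d}Z ip=203.0.113.7 user=u{i:02d}@example.com result=FAIL"
    for i in range(10)
] + [
    "2024-01-10T02:30:10Z ip=203.0.113.7 user=carol@example.com result=OK",
    "2024-01-10T02:30:11Z ip=203.0.113.7 user=frank@example.com result=OK",
    "malformed line that the parser must ignore",
]

if __name__ == "__main__":
    for ip, s in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: {len(s.users)} accounts, {s.failure_rate:.0%} failed")
    print("likely compromised:", compromised_accounts(SAMPLE_LOG))
```

On the constructed data only 203.0.113.7 is flagged: twelve accounts tried, ten failures, and the two successes (carol and frank) are the accounts to force a password reset on. The source hammering bob’s account alone has a 100 per cent failure rate but touches one user, so it is a lockout or rate-limit case rather than stuffing. Real attackers spread attempts across many IPs, so in practice the same counts are kept per autonomous system, per user-agent fingerprint, or per time window as well as per address.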

“The modus operandi of these guys is to purchase the biggest amount you can as quickly as possible before it can be noticed or stopped,” said Crowther, whose firm counts Hyatt, Sportsbet and Flybuys among its clients.

Some customers of The Iconic complained that purchases of more than $1000 had been taken from their accounts.

Crowther said Australian fraudsters have been buying hacked login details on the black market from cybercriminals in Eastern Europe, usually for just around 5 per cent of the total account value.

Cybersecurity Minister Clare O’Neil said: “Cybersecurity is a shared responsibility of us all. It is vital that Australians and Australian businesses are alert to the threat of credential stuffing.

“Consumers who are concerned about being caught in these attacks should take the usual precautions of using strong and unique passphrases for different accounts and enabling multifactor authentication where possible.”

Minister for Cyber Security Clare O’Neil in her office at Parliament House. Credit: Alex Ellinghausen

Endeavour Group, which owns Dan Murphy’s, confirmed its customers had been the victims of credential stuffing fraud in recent weeks.

“A small number of user accounts were subject to fraudulent transactions as a result of email and passwords; these were obtained through unrelated third-party breaches and not due to our internal systems being compromised,” a spokesman said.

“Our team took immediate action and has been working with affected customers.”

Noting that the company’s investigations were ongoing, the spokesman said: “All customers are encouraged to practise good password hygiene, using a strong password and changing it periodically.”


Some of the scammers used stored PayPal accounts linked to an email and password to make the fraudulent purchases.

A TVSN spokeswoman confirmed that “a small number” of customers had been affected, and the network had contacted those who had to issue refunds for unauthorised transactions.

“In communications on this issue, TVSN has reminded its customers of the importance of ensuring that they have a strong, unique password for each different website or account that they hold,” the spokeswoman said. No TVSN customer credit card information had been accessed, she said.

A spokeswoman for Guzman y Gomez said the company does not save customer credit card details and “uses advanced monitoring for such attacks and proactively takes action to defend against cyber criminals to protect our guests, including notifying users of suspicious activity”.

A BINGE spokeswoman said: “BINGE customers remain unaffected by credit card scams including the one reported by Kasada and no credit card details have been compromised. Credit card details are managed off-platform as part of the comprehensive cyber security systems we have in place.”

A spokeswoman for Event Cinemas said the company had “not experienced recent transactions or activity inconsistent with past trends” but would follow up the issue with Kasada.


Original URL: https://www.smh.com.au/politics/federal/thousands-of-australians-hacked-in-credential-stuffing-credit-card-scam-20240116-p5exls.html