Hijacked accounts are one of the most common items available for purchase on the online illicit markets. On our blog, we’ve discussed in the past the issue of bank credentials being put up for sale. We now want to highlight how fraudsters also target other industries – namely the food delivery industry.
Who the players are in Canada
The food delivery market is a fast-growing industry, with sales expected to grow to USD$3 billion in 2023. A lot of money is at stake in this industry. Most large food delivery companies, such as Foodora, Just Eat, Skip The Dishes, Uber Eats and DoorDash, are active in Canada. Skip The Dishes and Uber Eats are, respectively, the two most popular companies according to a survey of Canadians.
Exploiting food delivery applications
Financial fraudsters appear to target food delivery applications in one of four different ways.
In the first method, fraudsters use phishing or credential stuffing (reusing passwords stolen from other websites) to gain access to accounts. They can then sell the credentials to actors who will order food using the account’s credit card on file. In the advertisement below, a fraudster is offering an account at a steep discount compared to the funds available in it.
In the second method, fraudsters open new accounts and associate them with stolen credit cards. These new accounts are then sold to actors just as above. The discussion below between fraudsters suggests that at least one company is a soft target because of how easily it can be taken advantage of.
In the third method, fraudsters sell methods to order free food on these food delivery applications. In a leaked Pastebin post, one of these fraudsters reveals an easy technique to earn free food by combining coupon codes.
In the fourth method, fraudsters offer to order the food for their customers. All a buyer needs to do is to supply an order and an address.
How to stay safe as a user
The examples above present advertisements for two companies, Skip The Dishes and Foodora. Many other advertisements target other applications, suggesting that all food delivery applications are vulnerable to fraudsters.
To protect themselves, users should make sure that they use long and complex passwords and use unique passwords for each website and application. Fraudsters who use leaked credentials are unlikely to crack long and complex passwords, which reduces the exposure of users whose information has been leaked.
Users should also enable two-factor authentication whenever possible. This will force applications to contact them to confirm orders, a small burden that could save them from authorizing a fraudulent transaction.
Finally, users should notify the applications of all the fraudulent charges on their account and stop using the applications. Applications that lose customers due to fraud will implement more rigorous checks of activity. Who orders, for example, $500 worth of McDonald’s in a city where the customer is not located and has never visited?
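The kind of activity check that question points to can be sketched as follows. This is an added example, not code from this post or from any food delivery company; the field names, thresholds and sample orders are assumptions constructed for illustration.

```python
from statistics import median

# Constructed sample: one account's prior orders as (delivery city, total in dollars).
HISTORY = [("Montreal", 24.50), ("Montreal", 31.00),
           ("Montreal", 18.75), ("Laval", 42.10)]

AMOUNT_MULTIPLIER = 5  # assumed threshold: order total vs. the account's median order
MAX_COUPONS = 1        # assumed policy: one coupon code per order


def order_risk_flags(history, order):
    """Return the reasons an incoming order looks unlike the account's past activity."""
    flags = []
    if not history:
        # A brand-new account has no baseline (the stolen-card account case).
        flags.append("no_order_history")
    else:
        known_cities = {city.casefold() for city, _ in history}
        if order["city"].casefold() not in known_cities:
            flags.append("new_delivery_city")
        if order["total"] > AMOUNT_MULTIPLIER * median(t for _, t in history):
            flags.append("amount_outlier")
    # Count distinct codes case-insensitively so "free10" and "FREE10" are one code.
    coupons = {code.strip().upper() for code in order.get("coupons", [])}
    if len(coupons) > MAX_COUPONS:
        flags.append("stacked_coupons")
    return flags


def decide(history, order):
    """Map flags to an action: allow, ask the account owner to confirm, or hold."""
    flags = order_risk_flags(history, order)
    if len(flags) >= 2:
        return "hold_for_review"
    if flags:
        return "confirm_with_user"  # e.g. a second-factor prompt before charging
    return "allow"


if __name__ == "__main__":
    # Constructed orders: the $500 out-of-town order, then a routine one.
    suspicious = {"city": "Vancouver", "total": 500.00, "coupons": []}
    routine = {"city": "Montreal", "total": 29.00, "coupons": ["FREE10"]}
    for order in (suspicious, routine):
        print(order["city"], order_risk_flags(HISTORY, order), decide(HISTORY, order))
```

A single flag only triggers a confirmation with the account owner, so a customer who is travelling is asked to confirm the order rather than being blocked.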
With the growing size of the food delivery market, we should expect fraudsters to turn their attention to the industry, increasing the losses due to fraud. Flare Systems offers protection against credential stuffing using leaked credentials. This is a simple solution that applications can easily integrate into their systems. With billions of records leaked every year, this is quickly becoming an essential first step in protection against fraud.