Hijacked accounts are one of the most common items available for purchase on online illicit markets. On our blog, we’ve discussed in the past the issue of bank credentials being put up for sale. We now want to highlight how fraudsters also target other industries – namely the food delivery industry. This has been a growing concern with the confinement orders and the need to find alternatives to restaurants shutting down and long lines at grocery stores. We provide solutions on how to stay safe and to help improve the security of food delivery applications by using 2 factor authentication as well as reporting any fraudulent charges.
Who the players are in Canada
The food delivery market is a fast-growing industry with sales expected to grow to USD$3 billion in 2023. And this was before the coronovirus. A lot of money is at stake in this industry. Most large food delivery companies such as Just Eat, Skip The Dishes, Uber Eats and Door Dash are active in Canada. Skip The Dishes and Uber Eats are respectively the two most popular companies according to a survey of Canadians.
Exploiting food delivery applications
Financial fraudsters appear to target food delivery applications in one of four different ways.
In the first method, fraudsters use phishing or credential stuffing (reusing passwords stolen on other websites) to gain access to accounts. They can then sell the credentials to actors who will order food using the account’s credit card on file. In the advertisement below, a fraudster is offering an account at a steep discount compared to the funds available in it.
In the second method, fraudsters open new accounts and associate them with stolen credit cards. These new accounts are then sold to actors just as above. The discussion below between fraudsters suggests that at least one company is a soft target because of how easily it can be taken advantage of.
In the third method, fraudsters sell methods to order free food on food delivery applications. In a leaked Pastebin post, one of these fraudsters reveals an easy technique to earn free food by using coupon codes together.
In the fourth method, fraudsters offer to order the food for their customers. All a buyer needs to do is to supply an order and an address.
How to stay safe as a user
The examples above present advertisements certain specific companies. Many advertisements target other applications suggesting that all food delivery applications are vulnerable to fraudsters.
To protect themselves, users should make sure that they use long and complex passwords. They should also use unique passwords for each website and application. Fraudsters who use leaked credentials are unlikely to crack long and complex passwords, reducing the exposure of victims of leaked information.
Users should also enable 2 factor authentication whenever possible. This will force applications to contact them to confirm orders, a small burden that could save them from authorizing a fraudulent transaction.
Finally, users should notify the applications of all the fraudulent charges on their account and stop using the applications. Applications that lose customers due to fraud will implement more rigorous checks of activity.
With the growing size of the food delivery market and the current pandemic, we expect fraudsters to focus more and more to this industry, increasing the losses due to fraud. Flare Systems offers protection against credential stuffing using leaked credentials. This is a simple solution that applications can easily integrate in their systems. With billions of records leaked every year, this is quickly becoming an essential first step in protection against fraud. Request a demo to see it in action.