Customers for some of Australia’s best-known brands have fallen victim to a rampant credential stuffing scheme, with scammers pillaging accounts to make fraud transactions.
In what is being described as a coordinated cyber attack, Aussies are reportedly suffering widespread account compromises for alcohol retailer Dan Murphy’s, streaming service Binge, fast food outlet Guzman y Gomez, and Event Cinemas.
The scheme makes use of “credential stuffing”, a common attack method which exploits previously stolen login details, such as usernames and passwords, in order to access accounts using the same credentials on other platforms.
Once logged in, scammers can typically use compromised accounts to access confidential information and purchase goods through payment cards or store credits kept on file.
The issue was first detected at online retailer The Iconic, which last week saw many customers report unexpected transactions to the retailer on their credit card statements.
While these reports were prominent enough for The Iconic to promise refunds to affected customers, it wasn’t until this week that the incident was linked to a wider hacking scheme.
Now, findings from cyber security company Kasada suggest some 15,000 Australian online accounts have been impacted since late November, with that number growing each day.
“This is a concerted, targeted effort to hit Australian business who haven’t had to deal with this before,” Kasada founder Sam Crowther told the Sydney Morning Herald.
“In the past few weeks, the level of activity has gone mental, and it is still going on. While we remain a soft target, the problem will get worse.”
As reported by the Sydney Morning Herald, Kasada further infiltrated chat groups on encrypted messaging app Telegram, where scammers have been found boasting details of fraud purchases related to the scheme.
A spokesperson for Endeavour, the parent company of Dan Murphy's, confirmed to Information Age that some user accounts had been compromised.
“A small number of user accounts were subject to fraudulent transactions as a result of email and passwords being obtained through unrelated third-party breaches and not due to our internal systems being compromised,” they said.
“Our team took immediate action and has been working with affected customers.
“Our investigations are ongoing, with a focus on the continued security of our systems and customer personal information within our environment.”
In contradiction to Kasada’s findings, however, a spokesperson for Binge told Information Age it had not been impacted by the scheme.
“Binge customers remain unaffected by credit card scams including the one reported by Kasada and no credit card details have been compromised,” the spokesperson said.
“Credit card details are managed off-platform as part of the comprehensive cybersecurity systems we have in place. Our customer accounts are monitored 24/7 for cyber activity that may compromise accounts and we have advanced systems in place to block, reset customer accounts, and notify affected customers, ensuring minimal risk.”
Guzman y Gomez and Event Cinemas have been contacted for comment.
Prime minister labels scams a “scourge”
During a Wednesday appearance on FiveAA radio in Adelaide, Prime Minister Anthony Albanese labelled Australia’s recent spate of scams a “scourge” before emphasising the importance of cyber awareness.
“This is a scourge, so many vulnerable people being ripped off who've acted in absolutely good faith and we need to make sure that they are protected,” said Albanese.
“Discussions like this are really important in raising awareness as well, so that people know not to just click on a link.
“Banks tend to not send spontaneous links to people, and the tax office – same thing.”
The Prime Minister also added that Financial Services Minister Stephen Jones was having a “comprehensive look” at what further measures can be taken to protect consumers.
While Albanese did not address any specific prevention measures for credential stuffing, Cyber Security Minister Clare O’Neil took to LinkedIn to emphasise the importance of strong passwords.
“This is just one more reason to use using strong and unique passphrases for different accounts and enabling multifactor authentication where possible,” said O’Neil.
Meanwhile, Belinda Jonovska, chief operating officer of open banking payment technology provider Waave, warned the issue lies with businesses opting to keep payment cards on file.
“For merchants trying to recreate a friction-free experience, having a card on file generally means a 'one click' checkout.
“This creates a huge cyber security risk – passwords bought off the dark web by hackers are often shared over many shopping websites,” warned Jonovska.
“Vouchers/credits and accounts on file are at risk of being hijacked.
“The liability of the fraudulent transactions will likely sit with the merchant after these attacks,” she added.