The FBI has a warning for companies in the food and agriculture industries: Hackers are using the tactic known as credential stuffing to hijack your online accounts and drain your cash. The FBI’s Cyber Division recently sent a Private Industry Notification to businesses in these sectors, warning them that hackers have been targeting accounts at grocery stores, restaurants, and food-delivery services.
According to the notification, cybercriminals take usernames and passwords stolen from one company and try them against accounts at another, betting that customers reused the same password for both. They usually run these attempts with automated tools and proxy botnets against many companies at once, including grocery and food-delivery services.
The FBI warned that companies may not learn of a compromise until customers complain, for example after noticing food pick-up orders on their accounts that they never placed.
Companies should improve their defenses against this type of attack. The FBI is urging them to watch for the indicators below and to deploy a multi-layered mitigation strategy:
Indicators of a credential stuffing attack:
- An unusually high number of failed logins, possibly in the millions, from a diverse range of IP addresses via the online account portal;
- A higher than usual lockout rate, and customer calls about account lockouts and unauthorized changes.
Recommended mitigations:
- Educate customers and employees about this scheme, advising them to use unique passwords for different accounts and to change passwords regularly.
- Advise customers to actively monitor their accounts for unauthorized access, modification, and anomalous activities; usernames and passwords should be changed upon identification of account compromise or fraud.
- Establish Two-Factor or Multi-Factor Authentication for creating and updating account information.
- Establish company policies to contact the owner of an account to verify any changes to existing account information.
- Use anomaly detection tools that identify an unusual increase in traffic and failed authentication attempts. To combat automated scripts or bots, consider deployment of a Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA), which requires users to confirm they are not running automated scripts by performing an action to prove they are human.
- Establish device fingerprinting and IP blacklisting policies.
- Use a PIN code and password together. The PIN code is a second piece of information the cyber actor would need to know, thus increasing the difficulty for unauthorized individuals to access the account.
- Monitor the dark web for lists of leaked user IDs and passwords, and perform tests to evaluate whether current user accounts are susceptible to credential stuffing attacks.
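The two indicators above (many failed logins spread across many source IPs, and a lockout rate above normal) are the kind of signal the anomaly-detection tooling in the mitigation list is meant to surface. The following is an added example, not code from the FBI notice or from any vendor: it scans an authentication log in one-minute windows and flags windows that match those indicators, and separately lists source IPs that try many different usernames. The log format, the thresholds, the baseline lockout rate and the sample events are all assumptions constructed for this example.

```python
"""Credential-stuffing indicators over an authentication log (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Event:
    ts: datetime
    outcome: str  # "OK", "FAIL" or "LOCKOUT" (assumed log vocabulary)
    user: str
    ip: str


# Constructed sample: one minute of normal traffic, hand written.
NORMAL_LINES = """\
2024-03-01T09:00:05 OK alice 198.51.100.7
2024-03-01T09:00:12 FAIL bob 198.51.100.8
2024-03-01T09:00:20 OK bob 198.51.100.8
2024-03-01T09:00:41 OK carol 198.51.100.9
2024-03-01T09:00:55 OK dave 198.51.100.10
"""


def constructed_burst(n=40, lockouts=5):
    """Synthesise the next minute as a stuffing burst: n usernames, each tried
    once from a different source IP (a proxy botnet), plus one source that does
    not rotate IPs and tries six usernames, plus `lockouts` locked accounts.
    Purely synthetic test data."""
    lines = []
    for i in range(n):
        lines.append(f"2024-03-01T09:01:{i % 60:02d} FAIL user{i:03d} 203.0.113.{i + 1}")
    for i in range(6):
        lines.append(f"2024-03-01T09:01:{40 + i:02d} FAIL shop{i} 203.0.113.200")
    for i in range(lockouts):
        lines.append(f"2024-03-01T09:01:{59 - i:02d} LOCKOUT user{i:03d} 203.0.113.{i + 1}")
    return "\n".join(lines) + "\n"


SAMPLE_LOG = NORMAL_LINES + constructed_burst()


def parse_log(text):
    """Parse '<ISO timestamp> <OUTCOME> <username> <source_ip>' lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, outcome, user, ip = line.split()
        events.append(Event(datetime.fromisoformat(ts), outcome, user, ip))
    return events


def window_stats(events):
    """Per-minute tumbling-window counters, keyed by window start (sorted)."""
    stats = defaultdict(lambda: {"total": 0, "failed": 0, "lockouts": 0,
                                 "fail_ips": set(), "fail_users": set()})
    for e in events:
        w = stats[e.ts.replace(second=0, microsecond=0)]
        w["total"] += 1
        if e.outcome == "FAIL":
            w["failed"] += 1
            w["fail_ips"].add(e.ip)
            w["fail_users"].add(e.user)
        elif e.outcome == "LOCKOUT":
            w["lockouts"] += 1
    return dict(sorted(stats.items()))


def flag_windows(stats, baseline_lockouts=1.0, min_failed=20, min_ips=10,
                 lockout_multiplier=3):
    """Return {window_start: [reasons]} for windows matching the FBI indicators.
    baseline_lockouts is the normal lockouts-per-minute figure; the value here
    is assumed, in practice it comes from historical data."""
    flagged = {}
    for start, w in stats.items():
        reasons = []
        # Indicator 1: many failures spread across many source IPs.
        if w["failed"] >= min_failed and len(w["fail_ips"]) >= min_ips:
            reasons.append(f"{w['failed']} failed logins from {len(w['fail_ips'])} IPs")
        # Indicator 2: lockout rate well above baseline.
        if w["lockouts"] > lockout_multiplier * baseline_lockouts:
            reasons.append(f"{w['lockouts']} lockouts vs baseline {baseline_lockouts}/min")
        if reasons:
            flagged[start] = reasons
    return flagged


def spray_sources(events, min_users=5):
    """Source IPs whose non-successful attempts span at least min_users distinct
    usernames. Catches bots that do not rotate IPs; a botnet that rotates per
    attempt evades this check, which is why the window-level counts matter."""
    users_by_ip = defaultdict(set)
    for e in events:
        if e.outcome != "OK":
            users_by_ip[e.ip].add(e.user)
    return {ip: len(u) for ip, u in users_by_ip.items() if len(u) >= min_users}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for start, reasons in flag_windows(window_stats(evs)).items():
        print(start.isoformat(), "; ".join(reasons))
    print("sources spraying many usernames:", spray_sources(evs))
```

Run as a script it flags only the 09:01 window, on both indicators, and names 203.0.113.200 as the one source trying many usernames; the forty rotating IPs each touch a single account and are invisible to the per-IP check, which is exactly why the notice stresses the aggregate volume and IP diversity rather than any single source.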