Share this article on:
The details of thousands of Australians have been compromised in a campaign targeting a number of major Australian retailers, resulting in fraudulent purchases.
Over 15,000 customers of Australian retailers and service providers, including alcohol vendor Dan Murphy’s, Mexican restaurant chain Guzman y Gomez, Event Cinemas, streaming service Binge, and home shopping network TVSN, were affected.
Customer accounts of these companies were compromised through a credential stuffing campaign, an attack that works through trial and error, with a threat actor automatically entering known usernames and passwords into website login forms in the hope that users have reused details across multiple services.
According to media reports, the threat actors behind what is believed to be a targeted attack purchased stolen login details from overseas sources.
Many of the successfully accessed accounts contained saved credit card information or had gift cards on them, resulting in fraudulent transactions.
According to reports from The Sydney Morning Herald, some of the threat actors shared receipts and tales of their illegal activity, with one cyber criminal claiming to have spent over $800 on high-end alcohol at Dan Murphy’s through the hack.
Others said they purchased iPhones and clothing.
The affected retailers have responded to the news of the credential stuffing campaign, with Dan Murphy’s confirming that the threat actors had affected the accounts of a small number of customers.
“These were obtained through unrelated third-party breaches and not due to our internal systems being compromised,” a spokesman said, according to The Daily Mail.
“Our team took immediate action and has been working with affected customers.”
Guzman y Gomez also responded that the company does not save customer credit card information and that it “uses advanced monitoring for such attacks and proactively takes action to defend against cyber criminals to protect our guests, including notifying users of suspicious activity”.
Binge has been contacted by Cyber Daily for comment on how the incident has affected its customers.
Update 17/01/2022: Binge has responded to Cyber Daily with a statement saying that its customer's credit card information is not at risk of compromise from the credential stuffing campaign.
"BINGE customers remain unaffected by credit card scams including the one reported by Kasada and no credit card details have been compromised," said a company spokesperson speaking with Cyber Daily.
"Credit card details are managed off-platform as part of the comprehensive cyber security systems we have in place. Our customer accounts are monitored 24/7 for cyber activity that may compromise accounts and we have advanced systems in place to block, re-set customer accounts, and notify affected customers, ensuring minimal risk.”
The recent credential stuffing campaign closely follows a similar incident affecting customers of online fashion retailer The Iconic.
“We have recently seen an increase in fraudulent account login attempts on The Iconic, which our security and fraud teams continue to actively manage, in conjunction with our security partners,” said the retailer in a widely reported statement on 9 January.
Some customers said they had lost as much as $1,000 or more as a result of the credential stuffing attacks.
Despite it not being the retailer’s fault, The Iconic said it would offer refunds to customers affected by the breach.
“We are working with all customers to address these incidents, which are not a result of a data breach at The Iconic,” the statement read.
“The security of our customer data is of the utmost importance to us, and we continue to work with our third-party security partners to protect against all fraudulent activity.”
The retailer also recommended that customers change their passwords and is prompting its users to do so via email.
“We encourage all Iconic customers to be vigilant when it comes to proactively managing their account security by regularly changing their passwords,” the company’s statement said.
Comments powered by CComment