Last updated at Thu, 19 Jan 2023 15:10:39 GMT

Tap. Eat. Repeat. Regret?

Using food or grocery delivery apps is great. It really is. Sure, there’s a fee, but when you can’t bring yourself to leave the house, it’s a nice treat to get what you want delivered. As a result, adoption of food apps has been incredibly fast and they are now a ubiquitous part of everyday culture. However, the tradeoff for that convenience is risk. In the past few years, cybercriminals have turned their gaze upon food and grocery delivery apps.

According to McKinsey, food delivery has a global market worth of over $150 billion, more than tripling since 2017. That equates to a lot of people entering usernames, passwords, and credit card numbers into these apps. That’s a lot of growth at an extremely rapid pace, and presents the age-old challenge of security trying to keep pace with that growth. Oftentimes it’s not a successful venture; specifically, credential stuffing (no relation to Thanksgiving stuffing or simply stuffing one’s face) is one of the major attacks of choice for bad actors attempting to break into user accounts or deploy other nefarious attacks inside of these apps.

Sounding the alarm

The FBI, among its many other cybercrime worries, recently raised the alert on credential stuffing attacks on customer app accounts across many industries. The usual-suspect industries—like healthcare and media—are there, but now the report includes “restaurant groups and food-delivery,” as well. This is notable due to that sector’s rapid adoption of apps, their growth in popularity among global consumers, and the previously mentioned challenges of security keeping pace with development instead of slowing it down.

The FBI report notes that, “In particular, media companies and restaurant groups are considered lucrative targets for credential stuffing attacks due to the number of customer accounts, the general demand for their services, and the relative lack of importance users place on these types of accounts.” Combine that with things like tutorial videos on hacker forums that make credential stuffing attacks relatively easy to learn, and it’s a (to continue with the food-centric puns) recipe for disaster.

Some background on credential stuffing

This OWASP cheat sheet describes credential stuffing as a situation when attackers test username/password pairs to gain access to one website or application after obtaining those credentials from the breach of another site or app. The pairs are often part of large lists of credentials sold on attacker forums and/or the dark web. Credential stuffing is typically part of a larger account takeover (ATO), targeting individual user accounts, of which there are so, so many on today’s popular delivery apps.  

To get a bit deeper into it, the FBI report goes on to detail how bad actors often opt for the proxy-less route when conducting credential stuffing attacks. This method actually requires less time and money to successfully execute, all without the use of proxies. And even when leveraging a proxy, many existing security protocols don’t regularly flag them. Add to that the recent rise in the use of bots when scaling credential stuffing attacks and the recipe for disaster becomes a dessert as well (the puns continue).  

All of these aspects contributing to the current state of vulnerability and security on grocery and food-delivery apps are worrying enough, but also creating concern is the fact that mobile apps (the primary method of interaction for food delivery services) typically permit a higher rate of login attempts for faster customer verification. In fairness, that can contribute to a better customer experience, but clearly leaves these types of services more vulnerable to attacks.

Cloud services like AWS and Google Cloud can help their clients fend off credential stuffing attacks with defenses like multifactor authentication (MFA) or a defense-in-depth approach that combines several layers of protection to prevent credential stuffing attacks. Enterprise customers can also take cloud security into their own hands—on behalf of their own customers actually using these apps—when it comes to operations in the cloud. Solutions like InsightCloudSec by Rapid7 help to further govern identity and access management (IAM) by implementing least-privilege access (LPA) for cloud workloads, services, and data.

Solutions to breed customer confidence

In addition to safeguards like MFA and LPA, the FBI report details a number of policies that food or grocery-delivery apps can leverage to make it harder for credential thieves to gain access to the app’s user-account base, such as:

  • Downloading publicly available credential lists and testing them against customer accounts to identify problems and gauge their severity.  
  • Leveraging fingerprinting to detect unusual activity, like attempts by a single address to log into several different accounts.
  • Identifying and monitoring for default user-agent strings leveraged by credential-stuffing attack tools.

Detection and response (D&R) solutions like InsightIDR from Rapid7 can also leverage the use of deception technology to lure attackers attempting to use stolen credentials. By deploying fake honey credentials onto your endpoints to deceive attackers, InsightIDR can automatically raise an alert if those credentials are used anywhere else on the network.

At the end of the day, a good meal is essential. It’s also essential to protect your organization against credential stuffing attacks. Our report, Good Passwords for Bad Bots, offers practical, actionable advice on how to reduce the risk of credential-related attacks to your organization.

Download Good Passwords for Bad Bots today.