Beware of Hackers Who Are Trying to Hijack Food Deliveries During the Coronavirus Quarantine

Hackers Hijacking Food Delivery Accounts During the Coronavirus Quarantine

There should be little doubt in anyone's mind that stopping the current coronavirus outbreak as quickly as possible is extremely important. Because of it, governments all over the world have set up a wide range of restrictions that have transformed our everyday lives. People are told time and again that they need to stay at home and should only go out if they really need to. This presents a series of problems, chief among which is the matter of getting food. In the past, the issue would have been really serious, but thanks to the internet, solutions are now easy to come by. Online delivery services work in pretty much all affected areas, and ordering food from the internet is not a problem. Because they operate online, however, they are bound to end up in the hackers' sights, and there is evidence to suggest that this has already happened.

Cybercriminals launch account takeover attacks on food delivery platforms

Security experts from SpyCloud recently stumbled upon a thread on an online hacking forum thread in which a hacker had shared a new scheme for ordering food online without bothering to pay for it. The post shows that perfect grammar isn't among the requirements for cybercriminals, and it appears that a high level of technical skills isn't on the list, either.

To ensure that people don't feel tempted to try out the method themselves, SpyCloud redacted the screenshot before publishing it, which means that we don't know which food delivery service is targeted. The instructions do show, however, that it's an international platform that has branches in multiple countries.

The author instructs hungry cybercriminals where they need to go in order to begin the attack and then tells them which tools to use. Apparently, the attack is made with the help of a program called OpenBullet. OpenBullet is an open-source penetration testing tool that is normally used for scraping and parsing data. On its GitHub page, the developer has pointed out that, although it's illegal and he doesn't endorse it, the program can also be used to automate credential stuffing attacks, and sure enough, this is exactly what the hacker is using in the current scheme.

The crook has some pretty detailed instructions on what his fellow hackers need to do after they successfully compromise "a few accounts." They need to check if the account is active, re-enable the subscription if it's disabled, change the shipping address to redirect the food their way, and disable all notifications. Once that's done, they can apparently order meals to their hearts' content. Or at least until the account owner realizes that something's not right. The theory is sound, but does it actually work in reality?

How likely are you to fall victim to such an attack?

The post's author said that the method is proven and that they've already ordered quite a lot of food using it. Let's not forget, however, that these claims are made by a hacker, so taking them at face value probably isn't such a good idea. Certainly, in order to get the order delivered to their door, a cybercriminal would need to enter their own address, which incriminates them immediately. SpyCloud found another hacker who claimed to be selling meal-kit delivery codes, which might just help hackers cover their traces a bit better. Once again, however, it's difficult to say whether the advertisement is genuine or not.

In an email interview with, Dustin Warren from SpyCloud admitted that he has not seen this type of attack in the wild. As things stand, it doesn't seem like the biggest online threat you need to watch out for, but at the same time, you shouldn't ignore it as a possibility.

More importantly, you shouldn't forget that if you use unique passwords, hackers won't be able to use credential stuffing against you, and your food delivery account will be better protected.

March 20, 2020

Leave a Reply