Thousands of people across Australia have woken up to the news that they might be victims of ongoing online scams.
Cyber security company, Kasada, has been investigating cyber attacks and found a number of well-known retailers might have been compromised, according to the Sydney Morning Herald.
In their analysis, Kasada alleges some customers of Guzman y Gomez, Dan Murphy’s, Binge, TVSN and Event Cinemas have had their online accounts compromised.
This comes just a week after the news that online retailer, The Iconic had been breached, causing some customers to lose thousands of dollars and have their user details breached.
In these attacks, cyber criminals are using a scam called “credential stuffing” to gain access to an individual’s online account and make fraudulent transactions.
As a small business, if you trade online using an eCommerce store or you purchase online — here’s what you need to know.
What is credential stuffing?
Credential stuffing is a type of cyber attack that targets people who have previously had their usernames, emails or passwords stolen in a data breach. They are then more vulnerable to a second, more dangerous attack where cyber criminals reuse the email and password combinations to get access to more of your accounts, and more of your personal data.
It might help to think of credential stuffing like a cyber criminal game of bingo. Hackers will take your previously stolen passwords and try to crack your other accounts using the same details. This is why people who reuse the same passwords when shopping online are more at-risk of an attack.
What are credential stuffing shopping scams?
When cyber criminals successfully use credential stuffing to guess your password on a online shopping account then they have the ability to place orders, and charge them back to your previously used credit card!
How do I know if my details have been hacked?
Kasada, who has been analysing the attacks, says that 15,000 Australian accounts have been hacked in the past three months, as at January 2023, with that number growing daily.
People who use the same passwords across many accounts are most vulnerable to a credential stuffing cyber attack, especially if they have previously had their usernames stolen in an unrelated data breach.
If you are unsure if you have previously had your data leaked online you can check by visiting the website ‘Have I been pwnd’ which checks your email against known data leaks. If the email you usually shop with is in on this list it means you can be targeted with a credential stuffing attack.
Because credential stuffing cyber attacks impersonate legitimate shoppers using real passwords and real usernames, it makes it very difficult for online businesses to identify the scam.
While many companies are still learning or investigating the attacks, we encourage you to review your bank statements and look out for any suspicious transactions.
If you think you have been hacked, you can make a report to the ACSC.