For only $6, you can now purchase a hacked Deliveroo account from the dark web, which you can use to order food from different establishments around your area while charging the unwilling victim — the owner of the account.
Hackers have been attacking active Deliveroo accounts and selling them in the black market for a meager $6 each. Deliveroo is a food delivery app, which recently received a multimillion investment from Amazon.
The attackers are allegedly using various phishing and password collecting techniques to gather as many accounts as they can. One of these techniques involves an elaborate phishing exercise, where the hackers trick Deliveroo users into logging in a fake website designed to mimic the real Deliveroo site. Once an unsuspecting user key in his credentials to the fake login site, the attackers receives a copy of both the username and the password of the user.
It also doesn’t help that some smartphones have vulnerabilities that hackers can exploit, where the two-factor authentication details can also be exposed. Threat actors do another form of hacking by going through a list of mega hacks, trying every credential they find, and hope that one will work.
Of course, some of those credentials will work, as it is already established that most people don’t have good cybersecurity and data protection hygiene.
Hackers order cake and ice cream
Reports from several users confirmed that there are hackers trying to take over their accounts. Victims have seen bizarre food and beverage orders illicitly made under their accounts. Some orders have totaled a whopping $560 in a single purchase.
One documented case was that of a London PR manager who seen her account (or somebody taking over it) ordering £150 worth of cakes and ice cream from an outlet of bakery chain Greggs. It appears that in this case, the hackers obtained her login credentials from a previous leak that included her data. The hacker then reused her username and passwords with some nuanced variation of them to get in other services including Deliveroo and other sites such as her Snapchat and Netflix.
And this PR manager isn’t alone. By checking in Twitter, many people have complained about their Deliveroo accounts being hacked, and it happens every few days.
Hacked accounts and many more for sale
Emily Wilson from Terbium Labs did a search of the dark web to see if people are selling Deliveroo accounts. Her scan was able to spot a dealer that offers hacked Deliveroo account for only $5.99 each. Wilson discovered this clandestine, and rather illegal, transaction from a dark web market called Empire, where she also found a phishing page for sale.
Wilson said that the vendor is even offering different techniques to help the would-be phisher on what type of scan to run. Some of these techniques involved offering a $25 gift card for a survey, which the vendor said is very effective in asking for credit card and banking details of the victim.
Furthermore, the vendor also advertises that Deliveroo-based scams are more likely to yield good results in stealing people’s PayPal or bank accounts.
Another analyst, this time from Digital Shadow, discovered a similar offer. A dark web vendor tried to sell a guide to provide users with refunds for their “hacked accounts fraudulently.” This guide only costs $12.50.
The same vendor found by Digital Shadow offers a Deliveroo “account checker” that could verify several stolen login credentials from previous hacks and data breach. These checkers would be able to know if a pair of login credentials are still active and can even be used by the person who bought the account checker.
Bad support from Deliveroo
On top of accounts being hacked, users are growing increasingly dissatisfied with how Deliveroo responds to their reports. Some users even say that they did not receive any response at all; and when an answer was given, the company barely offers any form of support. Worse, to deal with a hacked account, Deliveroo deletes them altogether — instead of fixing the problem — forcing users to set up a new account.
A company spokesperson said that the Deliveroo is now using a fraud prevention software to address the issues.
“Deliveroo takes online security extremely seriously and has robust measures both to protect our systems and members of the public who have had their passwords compromised outside of Deliveroo,” the spokesperson said.
“Sadly, cybercriminals rely on the fact that people reuse the same passwords on multiple online services and use data breaches on other sites to try to gain access to Deliveroo accounts. There has been no breach of Deliveroo’s internal systems.”