In the strange new era of COVID-19, securing a grocery delivery slot can sometimes feel like hitting the lottery. You almost have to blink to believe it's real when you get a slot.
As demand for online grocery shopping has risen, so has the availability of new browser extensions to help shoppers game the delivery system. In recent weeks, developers have released add-ons that perform functions like scanning for and alerting users to delivery slots, completing the checkout -- and inadvertently presenting a pathway for malicious bots to harvest user information.
That last one may not be the intention of well-meaning developers looking to help shoppers get the food they need in a timely fashion, but according to Ido Safruti, co-founder and CTO of PerimeterX, these extensions present a series of new risks.
"Shoppers looking to secure highly coveted delivery time slots now have the option of installing browser extensions or using scripts to automate the process," Safruti says. "These often perform tasks beyond what you installed them for. They could be infected or malicious, harvesting personally identifiable information for future use, or logging keystrokes to get passwords and account numbers that you don’t want to share."
Indeed, he says, the increase in bot activity has been noticeable.
"From mid-January to mid-March, food and grocery delivery experienced a 41% increase in traffic – both good and bad," he says. "Bad traffic includes malicious bots that execute attacks including account takeover and Web scraping. We've seen an increase in the volume of attacks, and in the sophistication of bot attacks across sites."
This is a huge challenge for app owners, who lack visibility into third-party activity on the client side, and who in many cases are scaling up startup businesses that were not anticipating serving as lifelines in a global pandemic.
In an email to Dark Reading, an Instacart spokesperson cautioned that independent services and extensions that offer to notify customers about or secure delivery windows on their behalf are in no way affiliated with or authorized by the company. Shoppers should not engage with these services, according to Instacart, especially those that request an Instacart username or password, or credit card information. The company also referenced its own "robust security," but did not specify what measures are being taken to proactively guard against new attacks.
An Amazon spokesperson did not respond directly to the issue of bot-secured delivery slots, but said that in response to demand for its service Amazon Fresh, the company has "rapidly expanded grocery pickup, increased hiring, transitioned select stores to exclusively fulfill delivery orders and more."
Amazon will release "in the coming weeks ... a queueing feature giving customers a virtual place in line to secure time to shop and schedule delivery, allowing for a more equitable distribution of delivery windows," the spokesperson said.
Of course, delivery-scouting extensions are not the only challenge for these services. Instacart recently patched a flaw on its website that would have allowed attackers to send SMS messages containing malicious links to any mobile number. A security researcher discovered the vulnerability while using the service to buy dog food.
As these grocery delivery apps work to scale up to handle unforeseen demand, experts say there are steps they should take now to improve security and ensure customers don't experience service disruptions.
Jack Mannino, CEO at app security provider nVisium, suggests that "business logic within checkout and delivery flows should be tested thoroughly as well as ensuring users cannot give themselves a preferential bump in waiting lists or deny other users the ability to put in orders."
Professor William Kresse of Governors State University, an expert in fraud detection who goes by the moniker Professor Fraud, says the app firms should comb their code "line by line, and go through it with a fraudster mindset," to see what might be exploited.
Charles Ragland, security engineer at Digital Shadows, recommends adherence to frameworks like PCI-DSS for services that process financial transactions. And James McQuiggan, security awareness advocate at KnowBe4, urges multi-factor authentication. "Relying on a username and password for protecting the personal information and identity of its customers, which includes names, addresses, and credit card information, has been known to fail for other organizations in the past," he says.
Overall, it's about these app developers being proactive. Expect to see more attacks on delivery services as people continue to rely on having groceries, meals, medicine, and other essentials delivered to their doorsteps. There's now more money being spent on food and household items than on live entertainment and other previously lucrative fields for hackers. Data from Apptopia showed that from mid-February to mid-March alone, Instacart, Walmart Grocery, and Shipt saw app download surges of 218%, 160%, and 124% respectively.
"Cyberattackers follow the money. As more consumers shop online and use delivery apps, there are more ways for attackers to make money," says PerimeterX's Safruti. "They can take over accounts, create fraudulent accounts, use loyalty points and gift card balances, scrape competitor pricing, hoard coveted products or delivery slots, inject malware into browser extensions, or skim personally identifiable information on payment pages.
"The automated nature of these attacks and their high sophistication levels make delivery apps extremely vulnerable," he says.