Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Malicious Bots Infiltrate Online Food Delivery

With grocery delivery in higher demand than ever, new add-ons have emerged to secure slots for consumers, presenting a new pathway for bad bots to wreak havoc.

In the strange new era of COVID-19, securing a grocery delivery slot can sometimes feel like hitting the lottery. You almost have to blink to believe it's real when you get a slot.

As demand for online grocery shopping has risen, so has the availability of new browser extensions to help shoppers game the delivery system. In recent weeks, developers have released add-ons that perform functions like scanning for and alerting users to delivery slots, completing the checkout -- and inadvertently presenting a pathway for malicious bots to harvest user information.

That last one may not be the intention of well-meaning developers looking to help shoppers get the food they need in a timely fashion, but according to Ido Safruti, co-founder and CTO of PerimeterX, these extensions present a series of new risks.

"Shoppers looking to secure highly coveted delivery time slots now have the option of installing browser extensions or using scripts to automate the process," Safruti says. "These often perform tasks beyond what you installed them for. They could be infected or malicious, harvesting personally identifiable information for future use, or logging keystrokes to get passwords and account numbers that you don’t want to share."

Indeed, he says, the increase in bot activity has been noticeable.

"From mid-January to mid-March, food and grocery delivery experienced a 41% increase in traffic – both good and bad," he says. "Bad traffic includes malicious bots that execute attacks including account takeover and Web scraping. We've seen an increase in the volume of attacks, and in the sophistication of bot attacks across sites."

This is a huge challenge for app owners, who lack visibility into third-party activity on the client side, and who in many cases are scaling up startup businesses that were not anticipating serving as lifelines in a global pandemic.

In an email to Dark Reading, an Instacart spokesperson cautioned that independent services and extensions that offer to notify customers about or secure delivery windows on their behalf are in no way affiliated with or authorized by the company. Shoppers should not engage with these services, according to Instacart, especially those that request an Instacart username or password, or credit card information. The company also referenced its own "robust security," but did not specify what measures are being taken to proactively guard against new attacks.

An Amazon spokesperson did not respond directly to the issue of bot-secured delivery slots, but said that in response to demand for its service Amazon Fresh, the company has "rapidly expanded grocery pickup, increased hiring, transitioned select stores to exclusively fulfill delivery orders and more."

Amazon will release "in the coming weeks ... a queueing feature giving customers a virtual place in line to secure time to shop and schedule delivery, allowing for a more equitable distribution of delivery windows," the spokesperson said.

Of course, delivery-scouting extensions are not the only challenge for these services. Instacart recently patched a flaw on its website that would have allowed attackers to send SMS messages containing malicious links to any mobile number. A security researcher discovered the vulnerability while using the using the service to buy dog food.

App Cleanup

As these grocery delivery apps work to scale up to handle unforeseen demand, experts say there are steps they should take now to improve security and ensure customers don't experience service disruptions.

Jack Mannino, CEO at app security provider nVisium, suggests that "business logic within checkout and delivery flows should be tested thoroughly as well as ensuring users cannot give themselves a preferential bump in waiting lists or deny other users the ability to put in orders."

Professor William Kresse of Governors State University, an expert in fraud detection who goes by the moniker Professor Fraud, says the app firms should comb their code "line by line, and go through it with a fraudster mindset," to see what might be exploited.

Charles Ragland, security engineer at Digital Shadows, recommends adherence to frameworks like PCI-DSS for services that process financial transactions. And James McQuiggan, security awareness advocate at KnowBe4 urges multi-factor authentication. "Relying on a username and password for protecting the personal information and identity of its customers, which includes names, addresses, and credit card information, has been known to fail for other organizations in the past," he says.

Overall, it's about these app developers being proactive. Expect to see more attacks on delivery services as people continue to rely on having groceries, meals, medicine, and other essentials delivered to their doorsteps. There's  now more money being spent on food and household items than on live entertainment and other previously lucrative fields for hackers. Data from Apptopia showed that from mid-February to mid-March alone, Instacart, Walmart Grocery, and Shipt saw app download surges of 218%, 160%, and 124% respectively.

"Cyberattackers follow the money. As more consumers shop online and use delivery apps, there are more ways for attackers to make money," says PerimeterX's Safruti. "They can take over accounts, create fraudulent accounts, use loyalty points and gift card balances, scrape competitor pricing, hoard coveted products or delivery slots, inject malware into browser extensions, or skim personally identifiable information on payment pages.

"The automated nature of these attacks and their high sophistication levels make delivery apps extremely vulnerable," he says.

Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really bad day" in cybersecurity. Click for more information and to register
Related Content:
Nicole Ferraro is a freelance writer, editor and storyteller based in New York City. She has worked across b2b and consumer tech media for over a decade, formerly as editor-in-chief of Internet Evolution and UBM's Future Cities; and as editorial director at The Webby Awards. ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: "Elon, I think our cover's been blown."
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-23
In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function...
PUBLISHED: 2021-04-23
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...
PUBLISHED: 2021-04-22
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attac...