Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Malicious Bots Infiltrate Online Food Delivery

With grocery delivery in higher demand than ever, new add-ons have emerged to secure slots for consumers, presenting a new pathway for bad bots to wreak havoc.

In the strange new era of COVID-19, securing a grocery delivery slot can sometimes feel like hitting the lottery. You almost have to blink to believe it's real when you get a slot.

As demand for online grocery shopping has risen, so has the availability of new browser extensions to help shoppers game the delivery system. In recent weeks, developers have released add-ons that perform functions like scanning for and alerting users to delivery slots, completing the checkout -- and inadvertently presenting a pathway for malicious bots to harvest user information.

That last one may not be the intention of well-meaning developers looking to help shoppers get the food they need in a timely fashion, but according to Ido Safruti, co-founder and CTO of PerimeterX, these extensions present a series of new risks.

"Shoppers looking to secure highly coveted delivery time slots now have the option of installing browser extensions or using scripts to automate the process," Safruti says. "These often perform tasks beyond what you installed them for. They could be infected or malicious, harvesting personally identifiable information for future use, or logging keystrokes to get passwords and account numbers that you don’t want to share."

Indeed, he says, the increase in bot activity has been noticeable.

"From mid-January to mid-March, food and grocery delivery experienced a 41% increase in traffic – both good and bad," he says. "Bad traffic includes malicious bots that execute attacks including account takeover and Web scraping. We've seen an increase in the volume of attacks, and in the sophistication of bot attacks across sites."

This is a huge challenge for app owners, who lack visibility into third-party activity on the client side, and who in many cases are scaling up startup businesses that were not anticipating serving as lifelines in a global pandemic.

In an email to Dark Reading, an Instacart spokesperson cautioned that independent services and extensions that offer to notify customers about or secure delivery windows on their behalf are in no way affiliated with or authorized by the company. Shoppers should not engage with these services, according to Instacart, especially those that request an Instacart username or password, or credit card information. The company also referenced its own "robust security," but did not specify what measures are being taken to proactively guard against new attacks.

An Amazon spokesperson did not respond directly to the issue of bot-secured delivery slots, but said that in response to demand for its service Amazon Fresh, the company has "rapidly expanded grocery pickup, increased hiring, transitioned select stores to exclusively fulfill delivery orders and more."

Amazon will release "in the coming weeks ... a queueing feature giving customers a virtual place in line to secure time to shop and schedule delivery, allowing for a more equitable distribution of delivery windows," the spokesperson said.

Of course, delivery-scouting extensions are not the only challenge for these services. Instacart recently patched a flaw on its website that would have allowed attackers to send SMS messages containing malicious links to any mobile number. A security researcher discovered the vulnerability while using the using the service to buy dog food.

App Cleanup

As these grocery delivery apps work to scale up to handle unforeseen demand, experts say there are steps they should take now to improve security and ensure customers don't experience service disruptions.

Jack Mannino, CEO at app security provider nVisium, suggests that "business logic within checkout and delivery flows should be tested thoroughly as well as ensuring users cannot give themselves a preferential bump in waiting lists or deny other users the ability to put in orders."

Professor William Kresse of Governors State University, an expert in fraud detection who goes by the moniker Professor Fraud, says the app firms should comb their code "line by line, and go through it with a fraudster mindset," to see what might be exploited.

Charles Ragland, security engineer at Digital Shadows, recommends adherence to frameworks like PCI-DSS for services that process financial transactions. And James McQuiggan, security awareness advocate at KnowBe4 urges multi-factor authentication. "Relying on a username and password for protecting the personal information and identity of its customers, which includes names, addresses, and credit card information, has been known to fail for other organizations in the past," he says.

Overall, it's about these app developers being proactive. Expect to see more attacks on delivery services as people continue to rely on having groceries, meals, medicine, and other essentials delivered to their doorsteps. There's  now more money being spent on food and household items than on live entertainment and other previously lucrative fields for hackers. Data from Apptopia showed that from mid-February to mid-March alone, Instacart, Walmart Grocery, and Shipt saw app download surges of 218%, 160%, and 124% respectively.

"Cyberattackers follow the money. As more consumers shop online and use delivery apps, there are more ways for attackers to make money," says PerimeterX's Safruti. "They can take over accounts, create fraudulent accounts, use loyalty points and gift card balances, scrape competitor pricing, hoard coveted products or delivery slots, inject malware into browser extensions, or skim personally identifiable information on payment pages.

"The automated nature of these attacks and their high sophistication levels make delivery apps extremely vulnerable," he says.

Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really bad day" in cybersecurity. Click for more information and to register
Related Content:
Nicole Ferraro is a freelance writer, editor and storyteller based in New York City. She has worked across b2b and consumer tech media for over a decade, formerly as editor-in-chief of Internet Evolution and UBM's Future Cities; and as editorial director at The Webby Awards. ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...