
Malicious Bots Infiltrate Online Food Delivery

With grocery delivery in higher demand than ever, new add-ons have emerged to secure slots for consumers, presenting a new pathway for bad bots to wreak havoc.

In the strange new era of COVID-19, securing a grocery delivery slot can sometimes feel like hitting the lottery. You almost have to blink to believe it's real when you get a slot.

As demand for online grocery shopping has risen, so has the availability of new browser extensions that help shoppers game the delivery system. In recent weeks, developers have released add-ons that scan for delivery slots and alert users when one opens, complete the checkout automatically -- and, inadvertently, present a pathway for malicious bots to harvest user information.

That last one may not be the intention of well-meaning developers looking to help shoppers get the food they need in a timely fashion, but according to Ido Safruti, co-founder and CTO of PerimeterX, these extensions present a series of new risks.

"Shoppers looking to secure highly coveted delivery time slots now have the option of installing browser extensions or using scripts to automate the process," Safruti says. "These often perform tasks beyond what you installed them for. They could be infected or malicious, harvesting personally identifiable information for future use, or logging keystrokes to get passwords and account numbers that you don’t want to share."

Indeed, he says, the increase in bot activity has been noticeable.

"From mid-January to mid-March, food and grocery delivery experienced a 41% increase in traffic – both good and bad," he says. "Bad traffic includes malicious bots that execute attacks including account takeover and Web scraping. We've seen an increase in the volume of attacks, and in the sophistication of bot attacks across sites."

This is a huge challenge for app owners, who lack visibility into third-party activity on the client side, and who in many cases are scaling up startup businesses that were not anticipating serving as lifelines in a global pandemic.

In an email to Dark Reading, an Instacart spokesperson cautioned that independent services and extensions that offer to notify customers about or secure delivery windows on their behalf are in no way affiliated with or authorized by the company. Shoppers should not engage with these services, according to Instacart, especially those that request an Instacart username or password, or credit card information. The company also referenced its own "robust security," but did not specify what measures are being taken to proactively guard against new attacks.

An Amazon spokesperson did not respond directly to the issue of bot-secured delivery slots, but said that in response to demand for its service Amazon Fresh, the company has "rapidly expanded grocery pickup, increased hiring, transitioned select stores to exclusively fulfill delivery orders and more."

Amazon will release "in the coming weeks ... a queueing feature giving customers a virtual place in line to secure time to shop and schedule delivery, allowing for a more equitable distribution of delivery windows," the spokesperson said.

Of course, delivery-scouting extensions are not the only challenge for these services. Instacart recently patched a flaw on its website that would have allowed attackers to send SMS messages containing malicious links to any mobile number. A security researcher discovered the vulnerability while using the service to buy dog food.

App Cleanup

As these grocery delivery apps work to scale up to handle unforeseen demand, experts say there are steps they should take now to improve security and ensure customers don't experience service disruptions.

Jack Mannino, CEO at app security provider nVisium, suggests that "business logic within checkout and delivery flows should be tested thoroughly as well as ensuring users cannot give themselves a preferential bump in waiting lists or deny other users the ability to put in orders."
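As an added illustration of Mannino's point (example code written for this page, not from Instacart, Amazon or any other company named here): a slot service in which the server alone assigns waitlist position and enforces per-account limits, ignoring any priority or position field a client or browser extension might send. The capacity, per-account cap and polling window are constructed assumptions.

```python
"""Server-side delivery-slot allocation that ignores client-supplied priority.

Illustrative example, not any vendor's code. Everything that influences
ordering or capacity lives on the server, so a script or extension cannot
bump itself up the list or hoard slots. Limits below are assumptions.
"""
from collections import deque
from dataclasses import dataclass, field

MAX_REQUESTS_PER_WINDOW = 5   # assumption: reservation attempts per account per window
WINDOW_SECONDS = 60           # assumption: sliding window for that cap


@dataclass
class SlotService:
    capacity: dict                                 # slot_id -> remaining capacity
    waitlist: deque = field(default_factory=deque) # (time, account, slot_id), FIFO
    held: dict = field(default_factory=dict)       # account -> slot_id (one per account)
    requests: dict = field(default_factory=dict)   # account -> recent request times

    def _rate_limited(self, account, now):
        # Sliding-window count of this account's recent attempts; bots poll fast.
        hits = [t for t in self.requests.get(account, []) if now - t < WINDOW_SECONDS]
        hits.append(now)
        self.requests[account] = hits
        return len(hits) > MAX_REQUESTS_PER_WINDOW

    def reserve(self, account, slot_id, now, **client_fields):
        # client_fields (e.g. "priority", "position") are deliberately ignored.
        if self._rate_limited(account, now):
            return "rate_limited"
        if account in self.held:
            return "already_holding"          # one open reservation per account
        if self.capacity.get(slot_id, 0) <= 0:
            self.waitlist.append((now, account, slot_id))  # server assigns position
            return "waitlisted"
        self.capacity[slot_id] -= 1
        self.held[account] = slot_id
        return "reserved"

    def release(self, account):
        slot_id = self.held.pop(account, None)
        if slot_id is None:
            return None
        # Hand the freed slot to the earliest waiter for that slot, strictly FIFO.
        for i, (_, waiter, wanted) in enumerate(self.waitlist):
            if wanted == slot_id:
                del self.waitlist[i]
                self.held[waiter] = slot_id
                return waiter
        self.capacity[slot_id] += 1
        return None
```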

Professor William Kresse of Governors State University, an expert in fraud detection who goes by the moniker Professor Fraud, says the app firms should comb their code "line by line, and go through it with a fraudster mindset," to see what might be exploited.

Charles Ragland, security engineer at Digital Shadows, recommends adherence to frameworks like PCI-DSS for services that process financial transactions. And James McQuiggan, security awareness advocate at KnowBe4, urges multi-factor authentication. "Relying on a username and password for protecting the personal information and identity of its customers, which includes names, addresses, and credit card information, has been known to fail for other organizations in the past," he says.

Overall, it's about these app developers being proactive. Expect to see more attacks on delivery services as people continue to rely on having groceries, meals, medicine, and other essentials delivered to their doorsteps. There's now more money being spent on food and household items than on live entertainment and other previously lucrative fields for hackers. Data from Apptopia showed that from mid-February to mid-March alone, Instacart, Walmart Grocery, and Shipt saw app download surges of 218%, 160%, and 124% respectively.

"Cyberattackers follow the money. As more consumers shop online and use delivery apps, there are more ways for attackers to make money," says PerimeterX's Safruti. "They can take over accounts, create fraudulent accounts, use loyalty points and gift card balances, scrape competitor pricing, hoard coveted products or delivery slots, inject malware into browser extensions, or skim personally identifiable information on payment pages.

"The automated nature of these attacks and their high sophistication levels make delivery apps extremely vulnerable," he says.

Nicole Ferraro is a freelance writer, editor and storyteller based in New York City. She has worked across b2b and consumer tech media for over a decade, formerly as editor-in-chief of Internet Evolution and UBM's Future Cities; and as editorial director at The Webby Awards. ...