Thousands of Australians affected by ‘credential stuffing’ scam

After the theft of credit card details by hackers in a large-scale coordinated attack that affected thousands of online shoppers, Anthony Albanese has pledged to investigate all feasible measures to safeguard businesses against scams.

Since November of last year, cybercriminals have targeted large businesses such as Dan Murphy’s, Event Cinemas, and Guzman Y Gomez, gaining fraudulent access to over 15,000 customer online accounts.

Scammers made thousands of dollars in online purchases after buying the stolen login credentials from foreign cybercriminals.

Customers who were impacted either had gift cards or store credit for use on online purchases, or they had saved their credit card information on business websites.

According to the prime minister, cybercrime is a real threat to Australia’s economic security and a “huge issue.”

“We need to make sure they are protected because this is a scourge and there are so many vulnerable people being ripped off who have acted in absolutely good faith,” Mr. Albanese stated on Wednesday.

Sam Crowther, the founder of Kasada, a cybersecurity company that has been monitoring the “credential stuffing” scheme, claimed that online chat rooms were used by cybercriminals to boast about purchasing iPhones, clothes, and nearly $800 worth of alcohol with the money of unwary Australians.

He claimed that most cybercrime organizations are based in Eastern Europe and issued a warning that since the scam is so profitable, more such attacks would undoubtedly occur.

Mr. Crowther told, “This is the first real concerted effort that we’ve seen in Australia.”

This time, however, is distinct because a sizable group that we have been following in the US is now focusing on Australia.

A representative for Dan Murphy stated that because passwords and email addresses were acquired through hacking by third parties, fewer than 100 customer accounts were affected by the fraudulent transactions.

“Our team started working with the impacted customers right away and took immediate action. They stated, “We are still conducting our investigations, with an emphasis on maintaining the security of our systems and the privacy of our customers within our environment.

For comment, we have reached out to Event Cinemas and Guzman Y Gomez.

Despite the name change, the streaming service Binge has stated that none of its “customers have been compromised or are at risk of credit card fraud,” including the one Kasada reported.

According to a spokeswoman, “We have comprehensive cyber security systems in place that manage credit card details off-platform.”

“We have sophisticated systems in place to block, re-set, and notify affected customers, ensuring minimal risk. Our customer accounts are monitored 24/7 for cyber activity that may compromise accounts.”

Significant online retailer The Iconic promised earlier this week to reimburse consumers whose accounts were used to place fraudulent orders after being impacted by the scheme as well.

When hackers attempt to use passwords they have previously stolen from one website on another, it is known as credential stuffing.

Over 94,000 reports of cybercrime were received by Australia’s Cyber Security Centre in the most recent fiscal year, a 23 percent increase from 2021–2022.

On Monday, the Albanese government acknowledged that it had been the victim of the biggest government data breach in the country’s history. The hack came about late last year when hackers with ties to Russia purportedly stole confidential information from numerous departments.

Mr. Albanese brought attention to a number of forums hosted by Assistant Treasurer Stephen Jones, who is looking into additional safeguards against Australia’s increasing vulnerability to cyberattacks.

He declared, “Our top priority is protecting consumers, so we’ll look at any measures that are possible in that regard.”

The best precautions users can take to safeguard themselves, according to Nigel Phair, a professor of cyber security at Monash University, are to monitor their accounts for odd activity and refrain from sharing passwords on various websites.

“The problem lies in the numerous data breaches that have occurred in the past 18 months, and I dare say that there will be more in the future. As a result, the criminals purchase the details that are offered for sale on the dark web and use them to recreate numerous login credentials,” the speaker stated.

“We use the same password repeatedly in several online places, which is why they are successful.”

This ‘credential stuffing’ scam has affected thousands of Australians

A hacking scheme that allows con artists to access online accounts and conduct fraudulent transactions has resulted in thousands of retail customers becoming victims.

Local con artists boasted in an online chat that they had spent nearly $800 on iPhones, clothes, and alcohol with the money of strangers after buying online login credentials from foreign cybercriminals.

Customers impacted by the “credential stuffing” scheme will receive full refunds, according to a statement made last week by the online retailer The Iconic.

According to cybersecurity firm Kasada, the problem is more widespread than first thought.

The scam affected customers who had online accounts with Dan Murphy’s, Event Cinemas, Binge, TVSN, and Guzman y Gomez.

“This is a concerted, targeted effort to hit Australian businesses who haven’t had to deal with this before,” stated Sam Crowther, the founder of Kasada. The amount of activity has increased dramatically over the last few weeks and is still ongoing. The issue will worsen as long as we continue to be a soft target.

According to him, since late November, 15,000 Australian online accounts have been accessed, and the number is growing every day, according to tracking software his company has.

Several people impacted, he said, are unaware of the full scope. Additionally, the company broke into Telegram chat groups where con artists were sharing information about their purchases.

A con artist posted a fake receipt for a $782 fraudulent purchase of alcohol from Dan Murphy’s in one chat group.

Targets of this scanning scheme include people with online gift cards, store credit, or credit card details saved on websites.

Particularly at risk are customers who use the same login credentials for multiple online accounts.

As per the Australian Cyber Security Centre, credential stuffing is a hacking technique wherein cybercriminals attempt to reuse passwords they have previously stolen from one website on another.

That being said, it differs from more extensive hacks that have impacted Medibank Private and Optus.

“These guys work by buying as much as possible as fast as possible before they are noticed or stopped,” Crowther went on.

Some customers of The Iconic complained about purchases exceeding one thousand dollars.

According to Crowther, for about 5% of the total account value, Australian cybercriminals have been buying stolen login credentials from Eastern European cybercriminals on the dark web.

“Cybersecurity is a shared responsibility of us all,” stated Cybersecurity Minister Clare O’Neil. Australians and Australian-owned companies need to be aware of the dangers of credential stuffing.

“Users should take the standard precautions of using strong and unique passphrases for different accounts and enabling multifactor authentication where possible if they are concerned about being caught in these attacks.”

A representative for TVSN acknowledged that “a small number” of consumers had been impacted and that they had been contacted to arrange refunds.

“TVSN has reminded its customers in communications about this matter how important it is to make sure they have a strong, distinct password for every website or account they own.”

She disclosed that there had been no access to TVSN customers’ credit card information.

A representative for Guzman y Gomez added that the business “uses advanced monitoring for such attacks and proactively takes action to defend against cyber criminals to protect our guests, including notifying users of suspicious activity” and that it does not retain credit card information.

Event Cinemas’ spokesman said that while the company “had not experienced recent transactions or activity inconsistent with past trends,” Kasada would be contacted further.

“BINGE customers remain unaffected by credit card scams, including the one reported by Kasada,” a Binge spokesperson continued, adding that no credit card information has been compromised. Our extensive cyber security measures include off-platform management of credit card information.

To minimize risk, we have sophisticated systems in place to block, reset, and notify customers of any compromised accounts. Additionally, we monitor customer accounts around the clock for cyber activity that may compromise accounts.