TLDR:
Thousands of Australian customers of popular brands such as Dan Murphy’s and Guzman y Gomez have fallen victim to a hacking scheme known as “credential stuffing.” Scammers are accessing customers’ online accounts and making fraudulent transactions. Leading cybersecurity company Kasada discovered that the problem goes far beyond what was previously known, with accounts from brands including Binge, TVSN, and Event Cinemas also compromised. Kasada’s tracking software showed that 15,000 Australian online accounts had been accessed since late November, and this number continues to rise. Scammers have been purchasing hacked login details from overseas cybercriminals, and some have boasted about using strangers’ money to buy high-value items.
Key points:
- Thousands of Australian customers have fallen victim to a hacking scheme known as “credential stuffing”, which involves accessing online accounts and making fraudulent transactions.
- The problem is more widespread than previously known, with brands such as Guzman y Gomez, Dan Murphy’s, Binge, TVSN, and Event Cinemas among those affected.
- Kasada, a leading cybersecurity company, tracked 15,000 Australian online accounts that had been accessed since late November. The number continues to rise.
- Scammers are purchasing hacked login details from overseas cybercriminals and have used strangers’ money to buy high-value items.
- Customers who save credit card details on company websites or who have online gift cards or store credit are particularly vulnerable.
- Australian fraudsters have been buying hacked login details on the black market from cybercriminals in Eastern Europe for around 5% of the total account value. The modus operandi is to purchase a large amount quickly before it can be noticed or stopped.
- The Australian Cyber Security Centre advises customers to use strong and unique passwords for different accounts and enable multifactor authentication where possible.
- Companies such as Endeavour Group, which owns Dan Murphy’s, have confirmed that their customers have been victims of credential stuffing fraud.