‘Credential stuffing’: Australian retailers hit by new cyber fraud scheme

Several major Australian retailers and their customers have been targeted by wide-scale coordinated cyberattacks that stole their online information and made fraudulent transactions.

Cybersecurity company Kasada recently revealed that cybercriminals have compromised more than 15,000 customer accounts of Mexican fast food chain Guzman y Gomez, liquor retailer Dan Murphy’s, streaming service Binge, home shopping network TVSN and Event Cinemas since November.

Local scammers had purchased the stolen login details from overseas cybercriminals then racked up thousands in online purchases.

This method is referred to as ‘credential stuffing’, in which hackers use passwords previously stolen from one website and try their luck reusing them on others. This scheme targets customers who save their credit card details on company websites, especially those using the same login details for multiple online accounts.

Kasada founder Sam Crowther said his company had infiltrated chat groups where scammers shared details of their fraudulent purchases.

Many affected customers and companies are probably not aware of the extent of the fraudulent activity, he added.

According to the Sydney Morning Herald, Dan Murphy’s and TVSN had confirmed “a small number” of customers were victims of credential stuffing and that they are taking actions to deal with the issue.

Meanwhile, a Binge spokesperson said its customers were not affected as credit card details are managed off-platform as part of a “comprehensive cyber security system”. 

Prime Minister Anthony Albanese said cybercrime was a “huge issue” and represented a genuine threat to Australia and its economic security.

“This is a scourge and there are so many vulnerable people being ripped off who’ve acted in absolutely good faith and we need to make sure they are protected.

“We’ll look at any measures that are possible in order to protect consumers because that’s our priority.”

Belinda Jonovska, chief operating officer at payment ecosystem Waave, told Inside Retail that the liability of the fraudulent transactions will likely sit with businesses after these attacks.

“For merchants trying to recreate a friction-free experience, having a card on file generally means a ‘one-click’ checkout… Today’s news raises the question of whether merchants are equipped to deal with the cyber security of legitimate passwords being used.”

Last week, fashion retailer The Iconic promised to refund customers after fraudulent orders were made on their accounts. The company said it saw an increase in fraudulent login attempts on its site but denied any data breach.

You have 7 articles remaining. Unlock 15 free articles a month, it’s free.