Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Malicious Bots Infiltrate Online Food Delivery

With grocery delivery in higher demand than ever, new add-ons have emerged to secure slots for consumers, presenting a new pathway for bad bots to wreak havoc.

In the strange new era of COVID-19, securing a grocery delivery slot can sometimes feel like hitting the lottery. You almost have to blink to believe it's real when you get a slot.

As demand for online grocery shopping has risen, so has the availability of new browser extensions to help shoppers game the delivery system. In recent weeks, developers have released add-ons that perform functions like scanning for and alerting users to delivery slots, completing the checkout -- and inadvertently presenting a pathway for malicious bots to harvest user information.

That last one may not be the intention of well-meaning developers looking to help shoppers get the food they need in a timely fashion, but according to Ido Safruti, co-founder and CTO of PerimeterX, these extensions present a series of new risks.

"Shoppers looking to secure highly coveted delivery time slots now have the option of installing browser extensions or using scripts to automate the process," Safruti says. "These often perform tasks beyond what you installed them for. They could be infected or malicious, harvesting personally identifiable information for future use, or logging keystrokes to get passwords and account numbers that you don’t want to share."

Indeed, he says, the increase in bot activity has been noticeable.

"From mid-January to mid-March, food and grocery delivery experienced a 41% increase in traffic – both good and bad," he says. "Bad traffic includes malicious bots that execute attacks including account takeover and Web scraping. We've seen an increase in the volume of attacks, and in the sophistication of bot attacks across sites."

This is a huge challenge for app owners, who lack visibility into third-party activity on the client side, and who in many cases are scaling up startup businesses that were not anticipating serving as lifelines in a global pandemic.

In an email to Dark Reading, an Instacart spokesperson cautioned that independent services and extensions that offer to notify customers about or secure delivery windows on their behalf are in no way affiliated with or authorized by the company. Shoppers should not engage with these services, according to Instacart, especially those that request an Instacart username or password, or credit card information. The company also referenced its own "robust security," but did not specify what measures are being taken to proactively guard against new attacks.

An Amazon spokesperson did not respond directly to the issue of bot-secured delivery slots, but said that in response to demand for its service Amazon Fresh, the company has "rapidly expanded grocery pickup, increased hiring, transitioned select stores to exclusively fulfill delivery orders and more."

Amazon will release "in the coming weeks ... a queueing feature giving customers a virtual place in line to secure time to shop and schedule delivery, allowing for a more equitable distribution of delivery windows," the spokesperson said.

Of course, delivery-scouting extensions are not the only challenge for these services. Instacart recently patched a flaw on its website that would have allowed attackers to send SMS messages containing malicious links to any mobile number. A security researcher discovered the vulnerability while using the using the service to buy dog food.

App Cleanup

As these grocery delivery apps work to scale up to handle unforeseen demand, experts say there are steps they should take now to improve security and ensure customers don't experience service disruptions.

Jack Mannino, CEO at app security provider nVisium, suggests that "business logic within checkout and delivery flows should be tested thoroughly as well as ensuring users cannot give themselves a preferential bump in waiting lists or deny other users the ability to put in orders."

Professor William Kresse of Governors State University, an expert in fraud detection who goes by the moniker Professor Fraud, says the app firms should comb their code "line by line, and go through it with a fraudster mindset," to see what might be exploited.

Charles Ragland, security engineer at Digital Shadows, recommends adherence to frameworks like PCI-DSS for services that process financial transactions. And James McQuiggan, security awareness advocate at KnowBe4 urges multi-factor authentication. "Relying on a username and password for protecting the personal information and identity of its customers, which includes names, addresses, and credit card information, has been known to fail for other organizations in the past," he says.

Overall, it's about these app developers being proactive. Expect to see more attacks on delivery services as people continue to rely on having groceries, meals, medicine, and other essentials delivered to their doorsteps. There's  now more money being spent on food and household items than on live entertainment and other previously lucrative fields for hackers. Data from Apptopia showed that from mid-February to mid-March alone, Instacart, Walmart Grocery, and Shipt saw app download surges of 218%, 160%, and 124% respectively.

"Cyberattackers follow the money. As more consumers shop online and use delivery apps, there are more ways for attackers to make money," says PerimeterX's Safruti. "They can take over accounts, create fraudulent accounts, use loyalty points and gift card balances, scrape competitor pricing, hoard coveted products or delivery slots, inject malware into browser extensions, or skim personally identifiable information on payment pages.

"The automated nature of these attacks and their high sophistication levels make delivery apps extremely vulnerable," he says.

Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really bad day" in cybersecurity. Click for more information and to register
Related Content:
Nicole Ferraro is a freelance writer, editor and storyteller based in New York City. She has worked across b2b and consumer tech media for over a decade, formerly as editor-in-chief of Internet Evolution and UBM's Future Cities; and as editorial director at The Webby Awards. ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Mobile App Fraud Jumped in Q1 as Attackers Pivot from Browsers
Jai Vijayan, Contributing Writer,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...