New scam targeting Australians

What is credential stuffing? A new scam uses leaked data to hack into online accounts and make fraudulent purchases.
An online forum has alerted authorities to a new scamming technique called credential stuffing.

Breaches against Australian brands like The Iconic were first discovered after users bragged about their scams in internet chat groups.

What is credential stuffing?

Credential stuffing is when cybercriminals take login details leaked from one service and use them to hack into accounts on other sites and make fraudulent purchases. People who reuse the same login across multiple accounts are more vulnerable to credential stuffing.

Cybersecurity firm Kasada said scammers have claimed to use credential stuffing to defraud customers of brands like Binge, Guzman y Gomez and Dan Murphy’s.

Streaming service Binge denies scammers have breached customer accounts.

Kasada said it found a group on Telegram (an online messaging platform) boasting about using credential stuffing to make fraudulent purchases on several well-known sites.

Telegram group

One scammer shared a photo to Telegram with dozens of parcels purchased fraudulently from The Iconic. Another scammer shared a $700 Dan Murphy’s receipt, after they hacked a customer’s account and placed an alcohol order online.

Popular online retailer The Iconic confirmed some of its customers were impacted by a credential stuffing scheme.

Customer logins were sourced through breaches unrelated to the retailer but gave scammers access to personal information and stored credit card details.

The Iconic said it was working to cancel fraudulent orders and refund impacted customers.

Safety measures

Credential stuffing is becoming more common, according to Kasada. It said any account that enables automatic purchases, such as through saved credit card details, is at risk.

Kasada recommended using a password manager to “generate and store strong passwords for all of your online accounts”.

It also suggested regular software updates and two-factor authentication (when an account requires a second factor, such as a mobile phone code, before granting a user access).
