Major brands hit by credit card scam

NCA NewsWire

16 January 2024 at 5:22 pm·4-min read

PRIME MINISTER SYDNEY — Mr Albanese said hacks from both domestic and foreign sources represented a real threat. Picture: NCA NewsWire / Gaye Gerard

Anthony Albanese has vowed to look at any measures possible to protect businesses from scams after thousands of online shoppers had their credit card details stolen by hackers in a major coordinated attack.

Large businesses including Dan Murphy’s, Event Cinemas and Guzman Y Gomez were targeted by cybercriminals who fraudulently accessed over 15,000 customers online accounts since November last year.

Scammers who purchased the stolen login details from overseas cyber-criminals then racked up thousands in online purchases.

Impacted customers had either saved their credit card details on company websites or have gift cards or store credit for online purchases.

The Prime Minister said cyber crime was a “huge issue” and represented a genuine threat to Australia and its economic security.

“This is a scourge and there are so many vulnerable people being ripped off who’ve acted in absolutely good faith and we need to make sure they are protected,” Mr Albanese said on Wednesday.

Founder of cybersecurity firm Kasada Sam Crowther who has been tracking the ‘credential stuffing’ scheme said cyber criminals took to online chat rooms to brag about buying iPhones, clothing and almost $800 of alcohol using unsuspecting Australian’s money.

He said the majority of online crime groups are being run out of Eastern Europe and warned similar attacks would follow given the strong financial viability of the scam.

“This is the first real concerted effort in Australia that we’ve seen,” Mr Crowther told NCA NewsWire.

“What’s different this time is this is a large group we’ve been tracking in the US who are now turning their sites to Australia.”

Scammers took to WhatsApp to share photos of purchases made with stolen funds. Picture: Supplied.

A Dan Murphy’s spokesperson said less than 100 customer accounts were impacted by the fraudulent transactions as a result of email and passwords being obtained through third party breaches.

“Our team took immediate action and has been working with affected customers. Our investigations are ongoing, with a focus on the continued security of our systems and customer personal information within our environment,” they said.

Both Event Cinemas and Guzman Y Gomez have been contacted for comment.

While streaming service Binge was originally named, it has confirmed that its “customers remain unaffected by credit card scams including the one reported by Kasada and no credit card details have been compromised”.

“Credit card details are managed off-platform as part of the comprehensive cyber security systems we have in place,” a spokeswoman said.

“Our customer accounts are monitored 24/7 for cyber activity that may compromise accounts and we have advanced systems in place to block, re-set customer accounts, and notify affected customers, ensuring minimal risk.”

Major online retailer The Iconic was also hit by the scheme and vowed earlier this week to refund customers whose accounts were used to place fraudulent orders.

Credential stuffing refers to when hackers use previously stolen passwords from one website and try to reuse them elsewhere.

Guzman Y Gomez is a business which was hacked. Picture: Kevin Farmer

Australia’s Cyber Security Centre received over 94,000 reports of cybercrime over the past financial year, an increase of 23 per cent from 2021-22.

The Albanese government admitted it fell victim to the nation’s largest ever government data breach on Monday after a hack allegedly carried out Russian-linked cybercriminals stole sensitive data from dozens of departments late last year.

Mr Albanese flagged a series of forums held by the Assistant Treasurer Stephen Jones who is investigating further measures to protect Australia from the growing threat of cyber attacks.

“We’ll look at any measures that are possible in order to protect consumers because that’s our priority,” he said.

Dan Murphy's liquor store at Blacktown. Generic Blacktown photos. Picture: Supplied — Dan Murphy's was also hit by the attack.

Monash University cyber security professor Nigel Phair said the best thing customers can to do protect themselves is to check their accounts for unusual activity and avoid reusing passwords across multiple websites.

“The issue is we’ve had all these data breaches over the last 18 months and dare I say there will be more coming into the future, and because of that, the criminals buy the details that are for sale on the dark web and replay them into all these different logins,” he said.

“The reason they are successful is because we reuse the same password over and over again in multiple online locations.”