Cybercriminals are increasingly targeting third-party infrastructure that restaurants across the U.S. use to place online orders, private investigators have found.
The last six months have seen hacks of five online ordering platforms, exposing some 343,000 payment cards, threat intelligence firm Gemini Advisory said on April 29. Hundreds of restaurants use the platforms — which include services with names like Easy Ordering, MenuSifu, Grabull and E-Dining Express, according to Gemini Advisory researchers — and crooks seem to know it.
The coronavirus pandemic has only heightened criminals’ interest in online payment systems as people order delivery from restaurants in droves.
“Attacks such as these are appealing because breaching the website of a single online ordering platform can compromise transactions at dozens or even hundreds of restaurants,” Gemini Advisory analysts wrote in a blog post.
In one of the breaches tracked by Gemini Advisory, the attacker used a technique known as Magecart, which involves planting malicious code on websites to siphon payment card data. Magecart-style attacks have hit thousands of merchants in recent years, from British Airways to the blender manufacturer NutriBullet.
In this case, Gemini Advisory said the attackers injected malicious code into the website of Easy Ordering in April 2020, giving them access to the platform for the rest of the year. Payment data from at least 30 restaurants had “significant exposure” as a result of the hacking, analysts said. Gemini Advisory pinned that incident on the so-called Keeper group, which has reportedly carried out hundreds of Magecart-style breaches.
With the string of hacks of online ordering systems, Gemini Advisory analysts are urging the platforms to pay closer attention to security measures. In the meantime, because it’s lucrative and effective, “cybercriminals will almost certainly continue attacking these merchants,” Gemini Advisory concluded.
Update, May 3, 6:29 p.m. EDT: This article has been updated to include names of all services that Gemini researchers said were affected by the malicious campaign.
Update, May 15, 12:36 p.m. EDT: This article has been updated to include an updated list of vendors that Gemini has named in its research.