Food delivery and personal shopping services have seen a sharp uptick in use amid the Covid-19 pandemic, but the number of user accounts available for sale on the dark web has also increased.

This according to research published today by DarkOwl, which has found a notable increase in mentions of food delivery service providers on dark web marketplaces where user accounts are bought and sold, as well as on carding forums, where personal financial data are traded, and on anonymous websites selling illegal digital goods.

Using its tool DarkOwl Vision, the company found a 230% increase in mentions of food delivery and personal shopping services on such platforms between 2019 and 2020.

The items for sale generally take the form of user accounts and passwords, which are typically sold for between $1.50 and $10 each.

The spike in accounts for sale on the dark web has been attributed to the general rise in food delivery use during the pandemic.

“Criminals are capitalising on it,” a DarkOwl researcher tells Verdict. “They’re just seeing that as an opportunity for them to exploit those accounts and leverage the data contained therein to either financially fraud or get some free food.”

Food delivery accounts on sale on the dark web: The worst-hit companies

Notably, while the researchers saw a rise in mentions across the board, some companies were worse hit than others.

UK takeaway platform JustEat had the most mentions, followed by US-based Seamless. Doordash, Instacart and UberEats rounded out the top five.

However, despite JustEat leading the way, the researchers observed that many of the organisations with the biggest rise in dark web mentions compared to 2019 were food delivery companies that were newer to the market.

The most prominent spike in dark web mentions, according to the researcher, was experienced by Caviar, a newer entry into the US food delivery market, which was acquired by DoorDash from Square in 2019 and has since expanded its coverage area considerably.

“Mentions of it in 2019 were quite limited because it was rarely being used,” says the researcher. “So most of the traffic that we saw and observed has all been in 2020.”

They add that the team had been surprised that US major GrubHub had not seen much movement, but attributed this to how much longer it had been operating for.

“It was around in 2018, so it’s almost like a lot of the exploitation of GrubHub, in terms of account stealing and things, were in the 2018 timeframe. So by the time we got to 2020, the hackers are always looking for the latest and greatest, most possibly vulnerable systems, to exploit and/or credential stuff,” they say.

“The new ones that are online like Caviar, they’re going to be the larger numbers merely because it’s a new target.”

From food to money: The motives of criminals sourcing delivery accounts

While there has been a general rise in food delivery accounts for sale on the dark web, what criminals are using these accounts for varies significantly.

For some, the accounts are simply used to order food on the owner’s dime, either using a stored card or account credit, which is perhaps a reflection of the typical age of the perpetrators.

“A lot of this is done by teenagers or younger hackers; what we call skids or script kiddies,” says the researcher.

However, they warn that there is an “uptick in overall activity, in sophistication of activity” given the additional free time that many of this group currently has.

For others, the credentials of such accounts can be traded as a means of improving online status.

“On a lot of the deep web forums, where I wouldn’t say necessarily the most leet hackers reside, accounts trading and/or offering accounts are a form of credibility in the space,” they say. “It’s almost a way of showing that you’re in the business, so to speak.”

Then there are those that use the details as the launchpad for more sophisticated criminal endeavours.

For example, there are those that engage in refund scams to create new gift cards, as well as those that use the credit card information attached to the account for other illegal endeavours.

The information can also be used to conducted “targeted phishing” on the account holders, enabling hackers to gain access to their personal computers and conduct further attacks such as ransomware.

In some cases, such account information can also be leveraged to create larger-scale operations through “advanced techniques”.

“API traffic, exploitation and/or bots, where you can steal orders, steal information, steal whatever you can get your hands on, and then leverage that at scale, and create a larger criminal enterprise or franchise around it.”

The impact on consumers

For many consumers, being impacted by such activity can simply translate into hassle, where they have to regain access to their account and go through the “rigmarole” of having to get money refunded when hackers use their accounts to order food.

However, in other cases, the harm can be far longer lasting and more severe.

“There is obviously the consumer impact of their information being compromised: usernames and passwords and, more importantly, that higher value information like addresses and credit card information that could be used in further attacks or exploited in phishing attacks or creating a new credit cards with that information,” the researcher explains.

It is important, then, for consumers to take every step they can to protect themselves, with one of the most important steps being never to reuse passwords, particularly if they are attached to an account that has already been compromised.

This is because some apparent breaches ultimately turn out to be nothing of the sort – simply hackers reusing login credentials already exposed in a breach to find those with matching emails and passwords on other services – something that Instacart, among others, has experienced.

“This account information, these logins, are obviously being circulated and attempted to be exploited, so consumers just need to be aware and be vigilant about not using those passwords again,” they say.

“And obviously, if you can, don’t save the credit card information or [instead] use a third-party payment system like PayPal, [as] then you probably have a higher probability of security than otherwise.”

Beyond Covid-19: A problem that’s here to stay

As much as this surge has been driven by Covid-19 and the resulting uptick in use of food delivery services, DarkOwl does not expect this trend in credential sales on the dark web to go away once the pandemic is over.

“The vulnerabilities, or at least the market, is there. It’s like any other accounting fraud that’s across the dark net: exploiting accounts en-masse is what these guys do. They like to go after personally identifiable information, credit card information, and food delivery services are a prime target for that,” they say.

“Unless something dramatic changes with the actual supply suppliers and vendors themselves to prevent this exploitation, I don’t see that just dropping off.”


Read more: Deliveroo and Domino’s among most-hacked food delivery companies