Breached Online Ordering Platforms Expose Dozens of Restaurants

Editor’s Note: The following post is an excerpt of a full report by Gemini Advisory. To read the entire analysis, click here to view the full report.

Background

The dark web marketplace for stolen payment cards has been transitioning from the Card Present (CP) space to the Card Not Present (CNP) space for years, meaning that cybercriminals increasingly target online transactions instead of in-person purchases. This has accelerated during the lockdown measures related to COVID-19 since the volume of CNP transactions spiked at the expense of CP transactions. Restaurants are the latest example of this trend. They were formerly largely targets of CP fraud, but hackers have now set their sights on online ordering platforms.

In the past 6 months Gemini has reported on breaches of 5 restaurant services companies that resulted in compromised payment cards offered for sale in the dark web. These breaches exposed approximately 343,000 compromised payment cards and affected 70 restaurants out of the more than 900 restaurants downstream from the platforms. Their median prices ranged from $5-$10 depending on the breached restaurant service company, and they primarily affected US-based banks. All 5 companies offer online ordering through centralized platforms. These services operate according to two different models. The first model is a third-party service that the restaurant uses as its own infrastructure for placing orders. These platforms are offered alongside physical restaurant point-of-sale (POS) solutions. The second model is a third-party service that operates as an additional option to complement the restaurant’s infrastructure, like regional versions of popular services such as Grubhub and DoorDash.

Gemini observed 3 restaurant services companies operating under the first model. They operate alongside POS systems and basically centralize the function of online ordering, but decentralize the transaction processing. The order and payment card information is entered via the restaurant’s portal, which is hosted on the service provider’s domain. Once completed, the order and payment card details are forwarded to the restaurant for acceptance and processing via the restaurant’s POS system, which results in a CNP transaction using the restaurant’s merchant information.

The other two online ordering service providers take the online order, collect the payment information, and process the transaction on their own system utilizing their own Merchant Name and Merchant ID (MID). This is the more common model seen in use by restaurant ordering and delivery service providers such as DoorDash and Grubhub.

Key Findings

• In the past 6 months Gemini has reported on breaches of 5 restaurant services companies that offer online ordering through centralized platforms. This has led to the exposure of approximately 343,000 payment cards.
• Three of the affected platforms operate as individual restaurants’ actual ordering infrastructure and exposed transactions from at least 70 different restaurants. Two of the platforms — one of which is Grabull — operate as additional third-party ordering infrastructure for hundreds of participating restaurants. Both of these two models allow cybercriminals access to payment card transactions from customers ordering from participating restaurants in the event of a breach.
• As can be seen across all five restaurant service providers, there is a tendency for geographic concentration in the vicinity of the service providers’ headquarters. The breaches affected most regions of the United States, although the highest concentrations were in New England and the Midwest.
• Attacks such as these are appealing because breaching a single website can compromise transactions at dozens of restaurants. Due to the lucrative nature of successful breaches of online ordering platforms, cybercriminals are likely to continue attacking these merchants.

Editor’s Note: This post was an excerpt of a full report by Gemini Advisory. To read the entire analysis, click here to view the full report.