04 / 29 / 2021
The dark web marketplace for stolen payment cards has been transitioning from the Card Present (CP) space to the Card Not Present (CNP) space for years, meaning that cybercriminals increasingly target online transactions instead of in-person purchases. This has accelerated during the lockdown measures related to COVID-19 since the volume of CNP transactions spiked at the expense of CP transactions. Restaurants are the latest example of this trend. They were formerly largely targets of CP fraud, but hackers have now set their sights on online ordering platforms.
In the past 6 months, Gemini has reported on breaches of 5 companies that serve as centralized online ordering platforms for restaurants. These breaches resulted in compromised payment cards offered for sale on the dark web. The platforms operate under two different models. Three of the affected platforms — including Easy Ordering and E-Dining Express — operate as individual restaurants’ actual ordering infrastructure for placing orders. In this first model, the platforms are offered alongside physical restaurant point-of-sale (POS) solutions. Cybercriminals can steal directly from the restaurants relying on these platforms for payment, and these breaches exposed transactions from at least 70 different restaurants.
Two of the platforms — Grabull and another that Gemini will not name at this time — operate as additional third-party ordering infrastructure for hundreds of participating restaurants to complement the restaurant’s infrastructure, like regional versions of popular services such as Grubhub and DoorDash. In this second model, any of the restaurants that saw orders placed through the platforms would have indirectly had payment card data stolen as a result of the infection. The median prices of the stolen records from all 5 platforms offered for sale on the dark web ranged from $5-$10 depending on the breached online ordering platform, and they primarily affected US-based banks.
The following 3 online ordering platforms operate under the first model of a third-party service operating as the restaurant’s own infrastructure for processing transactions. They operate alongside POS systems and basically centralize the function of online ordering, but decentralize the transaction processing. The order and payment card information is entered via the restaurant’s portal, which is hosted on the service provider’s domain. Once completed, the order and payment card details are forwarded to the restaurant for acceptance and processing via the restaurant’s POS system, which results in a CNP transaction using the restaurant’s merchant information. Since these platforms use a single domain, malicious actors can simply infect the core scripts, resulting in card skimmer injection into the payment forms for all supported restaurants. Gemini analysts detected such an attack against 1 of the 3 online ordering platforms.
Easy Ordering is a China-based company that is resold in the United States, primarily through the company McPOS in Chicago, Illinois. Gemini noted that the easyordering.com domain had 160 restaurant-specific URLs. This company also primarily caters towards Asian cuisine and its breach led to the exposure of 61,000 payment cards. Analysts confirmed 30 different restaurants exposed in this breach with exposure windows ranging from May 2020 to January 2021.
Gemini identified a malicious payload that infected Easy Ordering’s site in April 2020 and continued through the end of the year. The script appeared to affect the entire platform. The 30 restaurants confirmed by Gemini had the most significant exposure, but the rest of the 160 restaurants may have been infected as well, albeit with lower levels of exposure. Analysts linked this attack to the “Keeper” Magecart group, a sophisticated hacking team linked to hundreds of Magecart attacks that Gemini has previously covered in a public report.
Image 1: Screenshot of Easy Ordering platform.
Image 2: Locations of restaurants compromised through the Easy Ordering breach.
The second of these online ordering platforms has locations in the New York area, as well as California, Georgia, and Texas and primarily caters towards Asian cuisine. Its breach exposed over 40,000 payment card records from 11 different restaurants, with exposure windows ranging from April to December 2020. Additional locations beyond these 11 may have been affected as well.
Image 4: Locations of restaurants compromised through this unnamed platform’s breach.
E-Dining Express has its headquarters in Newburyport, Massachusetts. The exposed cards reflected a high concentration in the nearby Boston, Massachusetts metropolitan area. It caters towards pizzerias and Italian restaurants, and its breach led to the exposure of 174,000 payment card records. Follow-up analysis confirmed transactions at 26 restaurants, primarily in the Boston, Massachusetts area, though a high concentration of cards in Princeton, Minnesota was also identified and matched the only known E-Dining Express merchant in that area. The exposure window for records in this breach spanned from March 2020 to February 2021. Through open-source research, analysts discovered 730 restaurant-specific URLs on the ediningexpress.com domain, representing the potential for a much wider list of compromised points of purchase (CPPs).
Image 5: Screenshot of E-Dining Express platform.
Image 6: Locations of restaurants compromised through the E-Dining Express breach.
The following 2 merchants use the second model of third-party ordering and transaction processing. In this model, the online ordering service providers take the online orders at hundreds of local restaurants, collect the payment information, and process the transactions on their own system with their own Merchant Name and Merchant IDs (MIDs). This is the more common model used by restaurant ordering and delivery service providers such as DoorDash and Grubhub.
The first of these merchants, which Gemini will not name at this time, offers a centralized online ordering platform for hundreds of restaurants largely in the midwestern states. Geographic information in the payment card records reflects primary exposure in the urban centers where the service is offered, encompassing 24 cities across 6 states. Its breach from March 2020 to March 2021 exposed 27,000 payment card records.
Image 8: Locations of restaurants compromised through breach of the merchant referenced above.
The major cities where this online ordering platform operates are listed in the table below.
Online Ordering Platform’s Major Cities

| Minnesota | Wisconsin | North Dakota | South Dakota | Iowa | Colorado |
|---|---|---|---|---|---|
| Alexandria | Fox Cities | Bismarck | Rapid City | Des Moines | Grand Junction |
| Brainerd | Green Bay | Fargo | Sioux Falls | Sioux City | Montrose |
Grabull is a food-ordering service company based in Woburn, Massachusetts. Its service allows customers to select from 88 restaurants based on the cuisine and its proximity to the user’s chosen address. The platform offers discounts and coupons as well as user ratings for each restaurant. Orders can be placed via the web-based platform or through the company’s iPhone and Android applications. Gemini’s analysis of recent card listings indicated a continued breach of the platform with several distinct installments of records added to the dark web. The exposure window ranged from August 2019 to December 2020, and the running total for compromised Grabull records is nearly 41,000 cards.
Image 9: Screenshot of Grabull ordering platform.
As can be seen across all five online ordering platforms, there is a tendency for geographic concentration in the vicinity of the service providers’ headquarters. There are 2 reasons for this: the provider either intended to offer services in a specific geographic area, or it has a higher number of local restaurants utilizing the platform (possibly due to earlier and more focused marketing in the vicinity of its headquarters). The geographic distribution affected most regions of the United States (as well as western Canada), although the highest concentrations were in New England and the Midwest.
Image 10: Significant concentrations of exposed records by online ordering platforms. (Different colors represent different providers).
The slew of breaches targeting online ordering platforms for various restaurants indicates that cybercriminals have discovered a particularly attractive attack vector. Attacks such as these are appealing because breaching the website of a single online ordering platform can compromise transactions at dozens or even hundreds of restaurants. Due to the lucrative nature of successful breaches of online ordering platforms, cybercriminals will almost certainly continue attacking these merchants.
The online ordering platforms themselves can mitigate the damage of these attacks by investing more heavily in their security, including better firewalls and routine monitoring for malicious scripts or inappropriate access. Individual restaurants can also pick their online ordering platforms with specific attention to the platform’s security posture; some larger companies are capable of and willing to invest in security in a greater capacity than many smaller ones. While the risk to online ordering platforms is here to stay, awareness of the latest threats and proactive investment in cybersecurity can reduce the chances that a particular platform will be breached.
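Because these platforms serve every restaurant’s payment form from one domain and one set of core scripts, the "routine monitoring for malicious scripts" recommended above can be as simple as fingerprinting the checkout page’s scripts against a known-good baseline and alerting on drift. The following is an added example written for this post, not Gemini’s Magecart Overwatch or any platform’s own code; the host name and sample pages are constructed.

```python
import hashlib
import re
from urllib.parse import urlparse

# Assumed first-party host of the platform's shared checkout scripts (hypothetical name).
ALLOWED_HOSTS = {"orders.example-platform.test"}

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)

def snapshot(html):
    """Fingerprint a payment page: external script URLs plus SHA-256 of each inline script."""
    external, inline = set(), set()
    for attrs, body in SCRIPT_RE.findall(html):
        m = SRC_RE.search(attrs)
        if m:
            external.add(m.group(1))
        else:
            inline.add(hashlib.sha256(body.strip().encode()).hexdigest())
    return {"external": external, "inline": inline}

def compare(baseline, current):
    """Report drift from the known-good snapshot as human-readable findings (empty = clean)."""
    findings = []
    for url in sorted(current["external"] - baseline["external"]):
        host = urlparse(url).netloc  # empty for relative (first-party) paths
        kind = "unexpected third-party host" if host and host not in ALLOWED_HOSTS else "new script"
        findings.append(f"{kind}: {url}")
    for digest in sorted(current["inline"] - baseline["inline"]):
        findings.append(f"new or modified inline script: sha256={digest[:16]}")
    for url in sorted(baseline["external"] - current["external"]):
        findings.append(f"script removed: {url}")
    return findings

# Constructed sample pages (not real platform markup): a clean baseline and a drifted copy.
GOOD_PAGE = """<html><body><form id="pay"><input name="card"></form>
<script src="/static/checkout.js"></script>
<script>window.orderCfg = {restaurant: "demo-1"};</script>
</body></html>"""

TAMPERED_PAGE = GOOD_PAGE.replace(
    'restaurant: "demo-1"};', 'restaurant: "demo-1"}; loadExtra();'
).replace("</body>", '<script src="https://cdn.unrelated-host.invalid/lib.js"></script></body>')

if __name__ == "__main__":
    base = snapshot(GOOD_PAGE)
    for finding in compare(base, snapshot(TAMPERED_PAGE)):
        print("ALERT", finding)
```

Run it on a schedule against each restaurant-specific URL with a baseline captured per page, since per-restaurant inline configuration will otherwise show up as drift.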
Monitoring services, such as Gemini Advisory’s Magecart Overwatch, scour the web for digital skimming attacks to provide real-time breach notifications. Insight into specific threat actors, in this case, the Keeper Magecart group, allows companies to stay one step ahead of their potential attackers. It is the combination of strong security and agile intelligence, along with general awareness, that best positions companies to safeguard their infrastructure, protect customer data, and establish trust in their brand. Gemini’s position as a digital skimming expert and intelligence contributor to the financial services industry offers us the unique opportunity to leverage information from both the malware and financial transaction sides of card skimming.
Editor’s Note: Gemini has updated this blog post to better accommodate the sensitive nature of this breach and ongoing incident investigations by the affected parties.
Gemini Advisory provides actionable fraud intelligence to the largest financial organizations in an effort to mitigate ever-growing cyber risks. Our proprietary software utilizes asymmetrical solutions in order to help identify and isolate assets targeted by fraudsters and online criminals in real-time.