Hackers defraud 165,000 Just Eat customers through phishing emails

Hacker behind Just Eat phishing scam sentenced to 10 years by UK court

Grant West and Rachael Brooks are facing jail time for conning hundreds of thousands of Just Eat customers out of their personal data in 2015 by sending them phishing emails that looked like Just Eat survey emails.

The couple used the phishing scam to obtain personal and financial details of thousands of Just Eat customers before selling those details to fellow cyber criminals on the Dark Web.

After obtaining details of Just Eat customers by hacking into a server owned by the firm, Grant West and Rachael Brooks sent out phishing emails to hundreds of thousands of people, asking them to respond to a survey and to fill in their personal and financial details in a form in exchange for ten-pound rewards.

Widespread phishing scam

The campaign worked flawlessly for the couple, for they were able to con as many as 165,000 Brits out of their personal and financial details like names, addresses, email addresses, passwords, and CVV numbers. These details were then put up by the couple for sale on the Dark Web.

Just Eat had to spend in the range of £210,000 in mitigation costs after the fraudulent campaign was discovered. The couple has admitted to the crime before the Southwark Crown Court.

“They wanted to carry out fraudulent actions. This was a sophisticated and organised agreement and planned. It is not suggested that this defendant was the mastermind, that was Grant West. He pleaded guilty and can rightly be called an expert.

“Just Eat is an online delivery company. It holds a database which has the confidential details such as names and payment records. The defendant was involved in the hacking into the database. Then the fraud was then the use of email addresses to send out, ‘phishing emails’,” said Kevin Barry, the prosecutor.

“The customers were asked to complete a survey, but the emails were never sent back to Just Eat. They went to the fraudsters. This data was then used to get more information about the Just Eat customers. Complete sets of information are known as, ‘Fullz’. This is then used by the criminal minded to carry out fraud.

“It is of intrinsic value to them and often traded in massive quantities. When on the Dark Web each data is given a value, and this can be just a few pence or thousands of pounds. The prosecution say that was the ultimate purpose of the fraud. They wanted to benefit from selling personal details,” he added.

Mitigating the damage

Following the couple’s conviction, Just Eat said that it doesn’t store customer card details on its website and that all payments are managed securely by an independent, external payment service provider.

It added that while both Just Eat customers and non-customers were affected by the phishing scam, none of its systems were compromised or breached.

Just Eat isn’t the only food delivery service that has been targeted by hackers. In late 2016, suspected hackers gained access to Deliveroo customers’ accounts and used those accounts to purchase food from the app. Deliveroo allowed customers to store their payment information in the app, and the hackers exploited this.

“These issues occur when criminals use a password stolen from another service unrelated to our company in a major data breach. The stolen password is then used to fraudulently access someone’s account,” the firm said.

Copyright Lyonsdown Limited 2021
