In mid-January there was a security incident at the online mail-order pharmacy DocMorris, which has its headquarters in the Netherlands. During the attack, unknown perpetrators changed the addresses of customer accounts and ordered medicines on the customers' behalf. About 20,000 accounts were affected by the incident, according to DocMorris.

In some cases there were “orders to changed delivery addresses”. To be on the safe side, DocMorris blocked the affected accounts and informed the customers by letter and e-mail. The responsible data protection officers in Berlin and the Netherlands are already aware of the incident, as the Berlin data protection authority told heise online.

DocMorris explained the blocking and the incident to customers by pointing to insecure and reused passwords:

“Our web shop was the target of a so-called credential stuffing attack. This digital attack used computer programs to randomly attempt to log into DocMorris customer accounts using credentials stolen elsewhere. The attackers take advantage of the fact that access data for online services is unfortunately often used more than once by users. Apparently that was also the case with your customer account […]”



Information from DocMorris on new access data

heise online had received information that people who used a password manager and a password used only for their DocMorris customer account were also affected. In these cases, the attackers did not know the passwords, according to DocMorris. When asked, DocMorris added to its statement: “To protect our customers, access was blocked for all accounts where a login was carried out during the attacks.” This could explain the astonishment of some affected customers.
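The pattern from the customer notice (one source trying many accounts with credentials stolen elsewhere) and the follow-up address changes can be triaged from login logs. The following is an added example, not code from DocMorris or heise online; the event format, the sample events and both thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events: (timestamp, source_ip, account, event)
EVENTS = [
    (100, "203.0.113.7", "anna", "login_fail"),
    (101, "203.0.113.7", "bernd", "login_fail"),
    (102, "203.0.113.7", "clara", "login_ok"),
    (103, "203.0.113.7", "dirk", "login_fail"),
    (104, "203.0.113.7", "emil", "login_ok"),
    (105, "198.51.100.4", "frida", "login_ok"),
    (110, "203.0.113.7", "clara", "address_change"),
    (111, "203.0.113.7", "clara", "order"),
    (120, "198.51.100.4", "frida", "address_change"),
]

MIN_ACCOUNTS = 4      # assumed threshold: distinct accounts tried per source
MIN_FAIL_RATIO = 0.5  # assumed threshold: share of failed logins per source

def stuffing_sources(events):
    """Sources that try many distinct accounts and mostly fail."""
    accounts, fails, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for _, ip, account, event in events:
        if event in ("login_ok", "login_fail"):
            accounts[ip].add(account)
            total[ip] += 1
            fails[ip] += event == "login_fail"
    return {ip for ip in total
            if len(accounts[ip]) >= MIN_ACCOUNTS
            and fails[ip] / total[ip] >= MIN_FAIL_RATIO}

def triage(events):
    """Return (accounts to block, accounts with a later address change or order)."""
    bad = stuffing_sources(events)
    taken_over = set()  # accounts with a successful login from a flagged source
    abused = set()      # of those, accounts changed or ordered from afterwards
    for _, ip, account, event in sorted(events):  # process in time order
        if ip in bad and event == "login_ok":
            taken_over.add(account)
        elif event in ("address_change", "order") and account in taken_over:
            abused.add(account)
    return sorted(taken_over), sorted(abused)

if __name__ == "__main__":
    block, abused = triage(EVENTS)
    print("block and force password reset:", block)
    print("review orders and delivery addresses:", abused)
```

Blocking every account with any login during the attack window, as DocMorris describes, is the broader variant of the first list and also catches logins from sources that stay below the thresholds.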

In connection with the fraud cases, DocMorris limited its payment methods to prepayment a few days ago. Previously, customers could also buy products on account, as Apotheke Adhoc reports. Recently, however, both methods are no longer offered. “In order to protect our customers and ourselves, we are currently offering more payment methods that are less frequently associated with fraud. In addition to the currently restricted payment by invoice and direct debit, we offer our customers many other payment methods for their orders (PayPal, credit card, Paydirekt, Barzahlen/Viacash, Klarna with immediate transfer)”, explained a DocMorris spokesman.

Successful brute force attacks in which cybercriminals test access data have become more frequent in the recent past. 35,000 PayPal customers were recently affected by such an attack. Countless NortonLifeLock customers have also suffered unauthorized access due to cracked access data. If you want to check whether an e-mail address has already been published, you can use Have I Been Pwned, for example.


(mack)
