Security | 6.09.2024

Big security problem with e-commerce websites in South Africa

Several e-commerce websites in South Africa appear to be vulnerable to cyberattacks, including password spraying attacks.

Password spraying is a type of brute force attack where a hacker attempts the same password on many accounts before selecting the next password and repeating the process.

This approach helps avoid account lockouts that normally occur when brute forcing a single account with many passwords.

MyBroadband was contacted by two individuals who had hacked online stores, and by a victim whose account was compromised and store credit stolen.

The victim’s story led to several other complaints from people who reported that their store credit was stolen and used to buy MTN airtime.

These cases do not appear widespread, which has allowed attackers exploiting these vulnerabilities to fly under the radar.

Most recently, MyBroadband was contacted by a Western Cape school teacher who said he was playing around with a tool called OpenBullet in his IT class after they had completed the term’s syllabus.

He said they had downloaded a generic credential list from a Telegram channel and tested it against several prominent South African online stores.

Their tests found that Woolworths and Takealot’s application programming interfaces (APIs) were vulnerable to attack. They had also tested Checkers and Incredible’s APIs, but these resisted their brute force attempts.

Although MyBroadband spoke to the teacher on the phone, and could hear the learners in the background, we later learned that his activities may not have been as innocent as he had been letting on.

He later admitted that he was in an anonymous group that had conducted the password spraying attacks. However, he left when the group started planning activities he disagreed with.

Regardless, the teacher’s findings corroborated an earlier conversation we had with a self-proclaimed blackhat hacker.

They claimed to have breached Loot, Takealot, Makro, Checkers, and Pick n Pay.

However, the blackhat was particularly fixated on Loot. They said they contacted the company to disclose a serious vulnerability and received no response.

They also provided a screenshot of a tool called SilverBullet that seemed to be scanning Loot using a list of leaked South African credentials. SilverBullet is similar to the OpenBullet software the teacher said they were using.

The blackhat explained that they look for e-commerce accounts with store credit, which they use to buy items and ship them to a location that can’t be traced to them.

[Image: MTN airtime purchases in hacked Takealot account order history]

After speaking with the blackhat, MyBroadband was contacted by a reader who said their Takealot account had been hacked, and their store credit used to buy MTN airtime.

MyBroadband forum members soon found a handful of similar complaints online.

The earliest one was on Reddit and dated back to January 2024. Two more people complained on that Reddit post that their accounts had been hit in the exact same way. One was dated April 2024.

While it is curious that all of these complaints involve Takealot and MTN airtime, it is not surprising that Takealot’s name comes up the most for isolated incidents like these.

As South Africa’s biggest online store, Takealot deals with issues like these at a much larger scale than most other local players.

However, the complaints took a turn in June when another such incident was reported on Twitter/X. This time, though, the customer said their account had two-factor authentication enabled.

A similar complaint came from iMod Digital CEO Christopher Mills in July.

Mills said that his Takealot account was automatically locked due to suspicious activity, which turned out to be someone buying MTN airtime with his store credit.

He reset his password, making it extremely long and complex, and Takealot restored his credit. However, 48 hours later, his account had been breached again.

MyBroadband contacted Takealot, Loot, Woolworths, and Massmart for feedback. Woolworths and Massmart responded.

“Our customer call center has confirmed that there was no unusual activity in terms of customer feedback involving fraudulent transactions,” a Massmart spokesperson told MyBroadband.

Woolworths asked for additional information about the teacher’s password spraying attack against its API. However, the teacher has not provided the API endpoint they used, and Woolworths has not commented further.

Loot did not respond to requests for comment, and Takealot did not provide feedback by publication.

However, the teacher told MyBroadband in August that Takealot appeared to have hardened its API to spraying attacks.

An information security expert explained that companies can mitigate password spraying attacks in several ways.

These include offering multifactor authentication, enforcing password complexity, detecting credential reuse via HaveIBeenPwned, and API rate-limiting and password spray detection.
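To show why the password spray detection mentioned above has to look at distinct accounts per source rather than failures per account, here is an added illustration that is not part of the article or any retailer's code. It runs both rules over a constructed set of login events; the IP addresses, usernames and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (timestamp, source IP, username,
# success). One source tries one password against many accounts, which never
# trips a per-account counter; a second source is an ordinary user.
SAMPLE_EVENTS = [
    ("2024-09-06T10:00:01", "203.0.113.7", "alice", False),
    ("2024-09-06T10:00:02", "203.0.113.7", "bob", False),
    ("2024-09-06T10:00:03", "203.0.113.7", "carol", False),
    ("2024-09-06T10:00:04", "203.0.113.7", "dave", False),
    ("2024-09-06T10:00:05", "203.0.113.7", "erin", False),
    ("2024-09-06T10:00:06", "203.0.113.7", "frank", False),
    ("2024-09-06T10:07:00", "203.0.113.7", "grace", False),  # outside window
    ("2024-09-06T10:00:09", "198.51.100.4", "alice", True),
    ("2024-09-06T10:01:30", "198.51.100.4", "alice", False),
]

def parse_events(rows):
    """Turn the raw tuples into (datetime, ip, user, success) records."""
    return [(datetime.fromisoformat(ts), ip, user, ok) for ts, ip, user, ok in rows]

def per_account_lockouts(events, max_failures=5):
    """Classic lockout rule: count failures per account. A spray that tries
    one password per account stays far below this threshold."""
    fails = defaultdict(int)
    for _, _, user, ok in events:
        if not ok:
            fails[user] += 1
    return sorted(u for u, n in fails.items() if n >= max_failures)

def detect_spray_sources(events, window=timedelta(minutes=5), min_accounts=5):
    """Spray rule: flag a source IP whose failed logins touch at least
    min_accounts distinct usernames inside any sliding time window.
    Returns {ip: most distinct accounts seen in one window}."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        if not ok:
            by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it fits inside `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            distinct = {u for _, u in attempts[start:end + 1]}
            if len(distinct) >= min_accounts:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged
```

The per-account rule flags nothing here, while the per-source rule flags the spraying IP; a real deployment would feed the flagged source into rate limiting or a step-up challenge.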
