50,000 Credit Cards Stolen from On-Line and Touch Screen Restaurant Menus | Ron Benvenisti

Online ordering platforms for restaurants offer the convenience for customers to make online food orders as well as in-store touch screen menu choices and payments. This allows restaurants to outsource the burden of developing an ordering system. High end online ordering systems such as those used by Uber Eats and DoorDash dominate the market, there are also hundreds of smaller online ordering platforms that serve small, local restaurants.

These smaller scale platforms could service hundreds of restaurants as clients. Online ordering platforms have become a high-value target for cyber threat actors conducting Magecart e-skimmer attacks because compromising a single online ordering platform typically results in the exposure of online transactions performed at a significant portion of other restaurants that also use the platform.

Two active Magecart campaigns are targeting restaurants using MenuDrive, Harbortouch, and InTouchPOS online ordering services. At least 50,000 credit cards were compromised and listed for sale on the dark web, impacting over 300 small businesses.

Magecart attacks are web-based credit card skimming operations in which malicious JavaScript code is injected into the payment portals of websites or third-party dependencies to steal credit card data as customers complete the checkout process.

Since November, a campaign has targeted InTouchPOS with a card skimmer that overlays a fake payment form onto the shopping cart’s checkout page.

MenuDrive and Harbortouch are targeted in a separate campaign that began in January. In these attacks, card skimming malware is implanted into both the restaurant’s website and its subdomain on the online payment service’s platform. On MenuDrive, threat actors use two different scripts to harvest credit card information and the cardholder’s name, email address, and phone number. A single script is used on Harbortouch to collect the same information.

Attacks against all three platforms are ongoing.

This content, and any other content on TLS, may not be republished or reproduced without prior permission from TLS. Copying or reproducing our content is both against the law and against Halacha. To inquire about using our content, including videos or photos, email us at [email protected].

Stay up to date with our news alerts by following us on Twitter, Instagram and Facebook.

**Click here to join over 20,000 receiving our Whatsapp Status updates!**

**Click here to join the official TLS WhatsApp Community!**

Got a news tip? Email us at [email protected], Text 415-857-2667, or WhatsApp 609-661-8668.


  1. One recent victim of the restaurant, touch-screen credit card fraud told reporters on Monday, “It’s crazy, I looked at my credit card statement, and I noticed 65,000 orders of hamburgers and 95,000 orders of french fries were recently charged to my credit card!”
    The victim added: “I’m no fool, I’ve heard of restaurant credit card fraud, but 65,000 hamburgers! Come on, that’s insane!”
    “I definitely love fast food,” the victim went on to say, “in fact I eat all of my meals at the fast food joint right around the corner, but I can’t eat 65,000 hamburgers in one shot; I can’t even that much over the course of a year, even without the buns!”
    Investigators are still searching for the perpetrators of this crime. However, online detective, Mr. George Clickstein, issued a statement on Monday asking all online restaurant customers to be on the lookout for a heavy-set fellow carrying roughly 75,000 orders of hamburgers and approximately 94,000 orders of french fries in a black and white knapsack, slung around his shoulder.
    “Initial reports indicate that there is plenty of grease oozing out from his knapsack,” Detective Clickstein said. “Also, if you think you’ve spotted the suspect, make sure to analyze his chin, because we’ve had reports of a man in his late 30s carrying an oversized knapsack with tons of grease dripping down his chin.”
    Mr. Clickstein also shot down online rumors that the man behind this massive hamburger theft is none other than the six-time champion of the Nathan’s Hot Dog Eating Contest, Takeru Kobayashi.
    “No, it’s not him, the online detective said, “he’s into hot dogs – burgers, not so much. And he doesn’t need to steal the burgers. He gets free offers all the time.”

  2. FYI: Any point of sale system could be breached. If Target, Walmart and Amazon could be huge famous hacks kal v’chomer so can Mom & Pop stores. Most stores I can see are taking orders online these days.

Comments are closed.