A Hacker Unlocked Thousands of PickPoint Package Delivery Lockers

An unknown hacker carried out an innovative cyberattack on a post-gateway network at a local delivery service that manages a network of more than 8,000 package lockers across Saint Petersburg and Moscow.

What happened?

A cyberattack aimed at PickPoint, the delivery service for Russian online consumers to track their order, has unfolded some flaws in the service systems.
  • When any package arrives, service users receive an email or mobile notification about it. Using the PickPoint app, users can open the doors of their locker to collect their orders.
  • A hacker reportedly used an unknown exploit in the PickPoint system to open the doors for 2,732 PickPoint's package delivery lockers, exposing thousands of packages to theft.
  • Landlords and guards around the service points quickly intervened and restricted access to the affected lockers, according to social media posts. However, any theft of packages cannot be ruled out.

Blocking the threat

The firm claimed to have detected the attack at an early stage. With immediate remediation work, all 2,732 affected checkpoints were disabled, thus preventing any further damage.

Recent attacks on delivery/tracking services

  • Recently, the food delivery service provider app Chowbus was targeted with a cyber attack, which exposed the personal data on hundreds of thousands of its customers.
  • Staples Inc., the office-retail supplier, revealed that a bug in its order tracking system (possibly Pulse Secure VPN servers unpatched for CVE-2019-11510) led to the exposure of some personal details of its customers.


Concluding notes

By targeting a post-gateway network, cybercriminals have opened the doors for a wide range of new possible attack scenarios. Thus, experts suggest organizations to prevent their delivery and other tracking systems by keeping all the software updated and patched. In addition, using an automated Intrusion detection/prevention system and/or an endpoint solution with file-based or fileless protection could help prevent any risks of cyber tragedies.
Cyware Publisher

Publisher

Cyware