UK Cybercrime Journal: Argos Account Takeover Fraud
Published 2026-07-01 by blog.bushidotoken.net

What Happened

  • On 3 June 2026, the City of London Police issued a warning stating that Report Fraud has seen a significant increase in cases mentioning the retailer, reflecting how criminals are targeting well-known brands.
  • Report Fraud, which is run by the City of London Police, warned that cybercriminals are using leaked credentials from historical data breaches to hijack Argos user accounts.
  • Once on the account, the fraudsters order and then collect the goods in-person at a physical store. In some instances, the goods are paid for using payment details not connected to the victim of the compromised account.
  • Notably, the goods from fraudulent orders are often claimed via the Click & Collect option that Argos offers, enabling the threat actors to retrieve goods in store.
  • In May, Report Fraud received 652 reports which mention Argos, a 323% increase compared to April, when 154 reports mentioning the retailer were made. Since the start of 2026, there have been 1,175 reports mentioning the retailer, with May seeing the highest number to date.
  • This alert is also not the first raised about Argos. On 18 November 2025, the East Midlands Cyber Resilience Centre issued a warning about Argos and Currys accounts being compromised and unauthorised purchases being made. In some instances, particularly with Currys, the Buy Now Pay Later (BNPL) option was used, leaving the account holder with finance plans in their name.

Analyst Comment

For both everyday UK consumers and UK retail risk teams, these alerts provide several layered insights. Retailers have spent years optimising Click & Collect to be as frictionless as possible to compete with online shopping giants like Amazon. However, this alert shows how Click & Collect can be a security liability. As Argos allows quick collections, criminals can buy an item online and pick it up at a local store before the real account owner notices an order confirmation email.

The police alerts also note that the items may even be paid for using payment details not connected to the victim. Criminals are mixing stolen accounts with stolen credit cards. This is likely because an established Argos account with a multi-year purchase history buying expensive items would look fairly normal to fraud detection engines.

The combination of an Account Takeover (ATO) and Buy Now Pay Later (BNPL) fraud creates a difficult scenario for retailers, credit providers, and consumers. The regulatory and reputational fallout for a retailer under the rules of the UK Financial Conduct Authority (FCA) could be severe. If a retailer's poor account security allows fraudsters to easily spin up a finance plan in a victim's name, the FCA will view this as a systemic failure to protect consumers, resulting in massive fines.

These attacks are possible because Argos users reuse previously leaked passwords across multiple accounts and do not have multi-factor authentication (MFA) turned on in their account settings.

Campaigns like this can trigger a reputational hit to retailers as victims often do not suffer silently. They take to social media to share stories and the public narrative can shift to being about a retailer who is complicit in disrupting innocent people's financial lives.

Defensive Takeaways

  • User Account Hygiene Best Practices: Standard practices such as rotating passwords, using complex passwords, using a different password per service, using a password manager, using passkeys, and turning on MFA would all help mitigate this type of threat for users.
  • Credit Monitoring: If a user suspects their account has been compromised, they should consider using a credit monitoring service to help prevent unauthorised loans taken out in their name.
  • Cancel and Replace Payment Cards: If a user suspects their payment card data has been stolen, then they should contact their financial institution and have it cancelled and replaced.
  • Implement Click-and-Collect Controls: Retailers with click-and-collect options should introduce controls such as requiring ID of the account owner, or a single-use QR code or PIN sent via SMS/email, at the point of collection for high-value items to prevent this type of fraud.
  • Detecting Credential Stuffing Attacks: If the cybercriminals were using credential stuffing attacks, then retailers should be able to detect unauthorised password guessing attempts against their online portals. It is recommended to use IP context analysis and perform source IP correlation. If one IP address tagged as a proxy or VPN is observed attempting to log in to dozens of accounts simultaneously, then there's an issue.
  • Leverage Stripe's FT3 framework: If your organisation or team is tasked with combating fraud, then categorising these scammers' TTPs is crucial. That's why Stripe has developed the Fraud Tools, Tactics, and Techniques (FT3) framework. It's designed to help security teams understand the landscape, spot gaps, develop detections, improve incident response, and foster collaboration.

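The detection described in the Credential Stuffing takeaway, as an added example written for this post rather than taken from it. It runs source IP correlation over constructed login-log lines: for each source IP it counts the distinct accounts attempted inside a sliding window, lowers the alert threshold when IP-context enrichment tags the address as a proxy or VPN, and lists any successful logins from a flagged IP as accounts to review. The log format, the `IP_CONTEXT` table (a stand-in for a commercial IP reputation feed), the thresholds and the sample addresses are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source IP> <account> <outcome>".
# One tagged proxy fans out across six accounts in a few seconds; one
# residential user mistypes a password twice; one VPN user and one untagged
# address touch only a handful of accounts.
SAMPLE_LOG = """\
2026-05-12T09:00:01Z 203.0.113.10 user01@example.test FAIL
2026-05-12T09:00:02Z 203.0.113.10 user02@example.test FAIL
2026-05-12T09:00:02Z 203.0.113.10 user03@example.test FAIL
2026-05-12T09:00:03Z 203.0.113.10 user04@example.test SUCCESS
2026-05-12T09:00:04Z 203.0.113.10 user05@example.test FAIL
2026-05-12T09:00:05Z 203.0.113.10 user06@example.test FAIL
2026-05-12T09:01:10Z 192.0.2.5 alice@example.test FAIL
2026-05-12T09:01:25Z 192.0.2.5 alice@example.test FAIL
2026-05-12T09:01:40Z 192.0.2.5 alice@example.test SUCCESS
2026-05-12T09:02:00Z 198.51.100.7 carol@example.test SUCCESS
2026-05-12T09:03:00Z 198.51.100.7 dave@example.test SUCCESS
2026-05-12T09:05:00Z 203.0.113.77 erin@example.test FAIL
2026-05-12T09:05:30Z 203.0.113.77 frank@example.test FAIL
2026-05-12T09:06:00Z 203.0.113.77 grace@example.test FAIL
"""

# Constructed IP-context enrichment (assumption): in production this would
# come from an IP reputation / anonymiser feed, not a hard-coded dict.
IP_CONTEXT = {
    "203.0.113.10": "proxy",
    "198.51.100.7": "vpn",
    "192.0.2.5": "residential",
}


def parse_log(text: str) -> list[tuple[datetime, str, str, str]]:
    """Parse log lines into (timestamp, ip, account, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, outcome))
    return events


def detect_stuffing(events, window=timedelta(minutes=5),
                    account_threshold=10, anon_threshold=5) -> dict:
    """Flag source IPs whose distinct-account fan-out inside any window of
    `window` length reaches the threshold. Proxy/VPN-tagged IPs are held to
    the lower `anon_threshold`, since fan-out from an anonymiser is the
    pattern the alert describes."""
    by_ip = defaultdict(list)
    for ev in sorted(events):           # tuple sort puts timestamps in order
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        context = IP_CONTEXT.get(ip, "unknown")
        threshold = anon_threshold if context in ("proxy", "vpn") else account_threshold
        peak = 0
        for i, (ts_i, _, _, _) in enumerate(evs):
            start = ts_i - window
            # Distinct accounts attempted in the window ending at this event.
            accounts = {acct for ts, _, acct, _ in evs[:i + 1] if ts >= start}
            peak = max(peak, len(accounts))
        if peak >= threshold:
            findings[ip] = {
                "context": context,
                "peak_distinct_accounts": peak,
                "threshold": threshold,
                # Successful logins from a flagged IP are candidate ATOs.
                "successful_logins": sorted({a for _, _, a, out in evs if out == "SUCCESS"}),
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

Counting distinct accounts rather than raw failures is what separates stuffing from a legitimate user fumbling their own password: `192.0.2.5` fails twice but only ever touches one account, so it is never flagged, while the proxy-tagged address is flagged on fan-out alone, even though one of its attempts succeeded.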
Relevant Sources

  1. https://www.cityoflondon.police.uk/news/city-of-london/news/2026/june/report-fraud-alert-warning-for-argos-shoppers-after-323-per-cent-spike-in-fraud-reports-mentioning-the-retailer/report-fraud-alert-warning-for-online-shoppers-after-spike-in-criminals-gaining-unauthorised-access-to-retailer-accounts/
  2. https://www.emcrc.co.uk/post/currys-and-argos-account-warning-issued-by-police

Social Media Intelligence (SOCMINT)

  1. https://www.reddit.com/r/LegalAdviceUK/s/NbOWRfzvgm
  2. https://www.reddit.com/r/Argos/s/6uOo52UpHf
  3. https://www.reddit.com/r/Argos/s/eZTgBhhNzp
  4. https://x.com/donnaeenichols1/status/2060321697996161165
  5. https://x.com/lottyburns/status/1983581827127259558

Relevant CTI Resources

  1. https://www.cloudflare.com/learning/bots/what-is-credential-stuffing/


Article source: https://blog.bushidotoken.net/2026/07/uk-cybercrime-journal-argos-account.html