DoorDash and Uber Drivers Struggle With Skeleton Staff After Scams
Sophisticated Phishing Campaigns Target Australian Gig Workers Amid Platform Security Gaps
Australian delivery drivers operating on platforms like DoorDash and Uber are reporting significant financial losses following a surge in sophisticated phishing attacks. According to recent reporting by ABC News, perpetrators are successfully intercepting credentials and bypassing multi-factor authentication (MFA) protocols, leading to unauthorized account access and the theft of thousands of dollars in earned wages. These incidents highlight a critical friction point where platform-scale automation meets the vulnerabilities of a gig-economy workforce often lacking enterprise-grade security support.
The Tech TL;DR:
- Credential Harvesting: Attackers are utilizing real-time proxy-based phishing kits to capture session tokens, effectively rendering standard SMS-based 2FA obsolete.
- Operational Bottlenecks: Drivers report that platform support structures are currently insufficient to handle the volume of fraud claims, leaving compromised accounts active longer than necessary.
- Mitigation Strategy: Moving toward hardware-backed security keys (FIDO2/WebAuthn) and implementing rigorous device-binding protocols is essential to curb these unauthorized API interactions.
Anatomy of the Exploit: Beyond Simple Credential Theft
The current wave of attacks relies on adversary-in-the-middle (AiTM) frameworks. Unlike legacy phishing, which merely logs static usernames and passwords, these modern kits act as a transparent proxy between the target and the legitimate platform login portal. When a driver enters their credentials, the phishing server relays them to the actual service in real-time. If the service triggers an MFA challenge, the driver is prompted to enter their one-time password (OTP) or approve a push notification directly into the malicious interface.

Once the session cookie is generated, the attacker captures the session token, bypassing the need for a password entirely. This aligns with findings from the MITRE CWE-287 (Improper Authentication) documentation, which notes that session hijacking remains a primary vector for account takeover (ATO) even when secondary authentication is present. For gig workers, who often manage their accounts via mobile devices with varying levels of security hygiene, this creates a high-risk surface area.
To audit for session integrity or monitor for unauthorized API calls, developers and security researchers often utilize cURL to test endpoint responses. A standard check for session persistence might look like this:
# Testing endpoint response headers for session token leakage
curl -I -X GET "https://api.delivery-platform-example.com/v1/driver/profile"
-H "Authorization: Bearer [SESSION_TOKEN]"
-H "User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)"
The “Skeleton Staff” Problem and Infrastructure Failure
According to Ms. McMillan, a representative cited in the ABC News report, affected drivers face a compounding crisis: they are losing significant capital while simultaneously struggling to log these issues with platform providers. The reliance on “skeleton staff” for support operations suggests a failure in the platform’s automated incident response lifecycle. In technical terms, the lack of an automated, high-priority ticket escalation path for suspected ATO events allows attackers to drain linked financial accounts before an administrator can revoke access tokens.
Organizations facing similar account security challenges often rely on [Relevant Tech Firm/Service] to perform incident triage and forensic analysis. When platforms fail to provide adequate recovery infrastructure, the burden shifts to the individual, who often lacks the technical apparatus to perform a proper audit of their device’s security posture.
Cybersecurity Triage: What Enterprise Infrastructure Requires
The transition from SMS-based 2FA to hardware-backed security tokens is the only reliable defense against the current class of AiTM phishing kits. Because WebAuthn binds the authentication to the specific origin of the site, a phishing proxy cannot successfully relay the challenge. Companies requiring robust protection for their workforce should consult with [Relevant Tech Firm/Service] to implement identity and access management (IAM) solutions that mandate FIDO2-compliant authentication.

Furthermore, platforms must move beyond simple rate-limiting and adopt behavioral analytics to detect anomalous login patterns. When a session token is used from a new ASN or a different geographical location within an impossible timeframe, the platform’s security orchestration, automation, and response (SOAR) systems should automatically trigger a re-authentication flow or initiate a temporary account freeze.
As noted by cybersecurity researchers, the democratization of phishing-as-a-service (PaaS) platforms has lowered the barrier to entry for these attacks. Without a proactive approach to securing the end-user device—potentially through managed mobile device management (MDM) solutions—the gig economy remains a prime target for high-volume, low-effort credential harvesting.
Forward Trajectory: The Shift Toward Zero Trust
The vulnerability of gig workers to these scams serves as a microcosm for the broader failure of legacy authentication methods. As platforms continue to scale, the reliance on human-in-the-loop support for security breaches is unsustainable. Future-proofing the delivery ecosystem will require a shift toward Zero Trust architectures, where every access request is verified based on identity, device health, and intent, rather than a single, interceptable token.
Disclaimer: The technical analyses and security protocols detailed in this article are for informational purposes only. Always consult with certified IT and cybersecurity professionals before altering enterprise networks or handling sensitive data.