This article was originally published in Threatpost on March 13, 2019.
A Sydney man is accused of selling nearly 1 million compromised accounts, for a significant profit.
A Sydney man has been arrested after allegedly selling hundreds of thousands of compromised account details for subscription streaming services, including for Netflix, Hulu and music streaming service Spotify – raking in about $212,000 ($300,000 AUD) in profit in the process.
The Australian Federal Police (AFP) were tipped off to the 21-year-old malefactor’s alleged activities by the FBI last May, as part of an investigation into a now-defunct account generator website called WickedGen.com. He was arrested on Tuesday and his premises raided, according to an AFP statement.
The perp has been charged with offenses relating to the alleged use of false identities and cybercrime; the AFP believes that he compromised more than 120,000 users and sold almost one million sets of account details globally over the course of his cybercrime career.
“This arrest is another example of the value and importance of our relationship with the FBI,” said AFP manager for cybercrime and acting commander Chris Goldsmid, in the statement. “These partnerships – both internationally and domestically – are critical in law enforcement being able to respond to rapidly-evolving and increasingly global crime types.”
The AFP said that WickedGen operated for approximately two years, selling account details for popular online services gleaned via brute-forcing and credential-stuffing efforts. These techniques bet on password reuse; combinations of user names and passwords stolen in past data breaches are tried on other accounts in an automated way, until the right credentials are uncovered for the account at hand.
The unfortunate reality is that credential-stuffing attacks such as the recent Dunkin Donuts incident) have been on the rise thanks to the increasing frequency of credential dumps from various data breaches appearing on the web.
“In 2018, some of the most recognized brands in air travel, hotels, social media, entertainment, retail, restaurants, and credit reporting, among others, made the news for data abuses and breaches,” Usman Rahim, digital security and operations manager for The Media Trust, told Threatpost. “More than a billion consumers around the world were affected. In the EU alone, more than 60,000 breaches have been reported since GDPR went into effect in May 2018. The fact is, many more organizations around the world have been compromised, but most likely remain unaware they’ve been hacked for credential, identity and financial information.”
All of this is fueling an increasingly lucrative underground stolen-accounts scene: “Stolen passwords, email addresses and other user data fuel and finance the Dark Web,” Robert Capps, vice president and authentication strategist for NuData Security, told Threatpost. “This is just one of many operations that sell stolen personal information for money and lots of it. Cybercriminals take these prized credentials and sell them to others who use them to take over accounts, to steal additional information, or to buy goods and services. With the number of data breaches that have taken place, cybercrime has taken off like wildfire around the world.”
David Ginsburg, vice president of marketing at Cavirin, noted that consumers should simply go back to basics to avoid feeling the heat from follow-on attacks stemming from compromised account details.
“This latest leak just reinforces the view that no one should consider any internet account credentials to be secure. Best practices include not to reuse passwords across sites, two-factor authentication, never sharing credentials and staying away from simple, easy-to-guess password combinations,” he told Threatpost. “Many browsers now suggest strong, one-time passwords. This is a good option.”
As for organizations, they should monitor their websites and mobile apps for any unusual or unauthorized activities that could lead to the siphoning of sensitive information that users enter to login or make transactions, according to Rahim. “Soon, they will fall under data privacy laws that levy heavy fines for organizations that fail to secure consumer information,” he said.