[BreachExchange] Sydney man allegedly made $300K selling stolen account logins

Destry Winant destry at riskbasedsecurity.com
Mon Mar 18 09:47:40 EDT 2019


If you ever log into your Netflix profile and wonder why it keeps
suggesting you watch shows you’ve never heard of, something fishy might be
going on.

A Sydney man has been arrested after allegedly selling stolen subscription
details for services including Netflix and music streaming service Spotify,
to the tune of about $300,000 in profit.

The Australian Federal Police were alerted by the FBI in May last year to
the 21-year-old's alleged activities on the website WickedGen.com. The
website has since been taken down.

The account generator operated for about two years, selling details stolen
from unknown victims in Australia and abroad for popular online services
like Spotify and Netflix.

Last week news.com.au reported on the thriving underbelly of the internet
where account login details and stolen passwords to popular online services
are advertised for sale at a fraction of the official cost.

The Sydney man’s arrest is the latest example of how online fraudsters are
making serious money by pilfering passwords and login details from
unsuspecting users.

Investigators allege the account details were obtained through "credential
stuffing", in which a list of previously stolen or leaked usernames, email
addresses and corresponding passwords is re-used and sold for unauthorised

Before the website was shut down, it claimed it had more than 120,000 users
and almost one million sets of account details.

“Police will allege the administrator of WickedGen made an estimated
AUD$300,000 selling the stolen account subscriptions through this website,
and other similar sites identified through the course of investigations,”
police said in a statement this morning.

On Tuesday detectives seized electronic material and cryptocurrencies
during a raid on a home in Dee Why, on Sydney’s northern beaches.

The 21-year-old man was charged with multiple cybercrime offences and the
alleged use of false identities. The most serious of those charges carry a
maximum penalty of 20 years imprisonment.

Police cybercrime manager and acting commander Chris Goldsmid said stolen
entertainment accounts can escalate to more serious financial crimes.

“Individuals in Australia have had their personal data stolen for the sake
of individual greed,” he said.

“These types of offences can often be a precursor to more insidious forms
of data theft and manipulation, which can have greater consequences for the
victims involved.”

It comes as a separate Sydney man was arrested this week for his alleged
role in a syndicate involved in the illegal porting of mobile phone numbers
belonging to unsuspecting Australians.

The practice is used to steal people’s mobile phone numbers, move them to a
different carrier and use the stolen number to gain access to the victim’s
other personal information including bank accounts.


Casual password sharing has been going on for years but service providers
are starting to take action to understand how common the practice is and
stamp out rampant credential sharing.

But it is the underground business of selling account details for profit
that is increasingly the target of content providers looking to crack down.

On underground forums, gaming chatrooms and social media message boards
such as Reddit and 4chan, people post offers to sell Netflix accounts for as
little as $1.50.

Despite controls typically placed on streaming accounts to limit the number
of users at a time, dedicated fraudsters will look for ways around them,
according to Yves Padrines, the CEO of Synamedia, a company hired by
content providers to sniff out problematic password sharing.

“The whole geo-blocking, concurrency sessions so you can’t watch more than
two streams at a time, the geographic limitation of watching content, all
of these mechanisms will be attacked one way or another,” he told
news.com.au recently.

The company was exhibiting at Mobile World Congress last month and showed
news.com.au a visual example of how it detected one set of login
credentials being used at more than 20 residential locations spread across
a wide geographic area. Needless to say, the account was flagged.
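The two patterns the article describes, a leaked credential list replayed against a service (credential stuffing) and one set of credentials showing up at many separate residential locations, both leave traces in ordinary authentication logs. The following is an added example written for this page, not code from news.com.au, Synamedia or the police. It runs two simple heuristics over a constructed log: a source IP that tries many distinct usernames in a short window with mostly failures is treated as a stuffing source, and an account that logs in successfully from many distinct networks is treated as shared or resold. The log lines, the use of the /24 network as a stand-in for geolocation, and the thresholds are all assumptions chosen for illustration.

```python
"""Toy detection of credential stuffing and account sharing in auth logs.

Assumptions (not from the article):
  - log line format: "<ISO timestamp> <user> <OK|FAIL> <source IP>"
  - a /24 network stands in for a residential location (real systems
    would use IP geolocation)
  - thresholds below are illustrative, not vendor values
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 replays a leaked list (six users in
# six seconds, one hit); carol's account is used from three networks.
SAMPLE_LOG = """\
2019-03-12T10:00:01 alice@example.com FAIL 203.0.113.7
2019-03-12T10:00:02 bob@example.com FAIL 203.0.113.7
2019-03-12T10:00:03 carol@example.com FAIL 203.0.113.7
2019-03-12T10:00:04 dave@example.com OK 203.0.113.7
2019-03-12T10:00:05 erin@example.com FAIL 203.0.113.7
2019-03-12T10:00:06 frank@example.com FAIL 203.0.113.7
2019-03-12T11:15:00 bob@example.com OK 198.51.100.20
2019-03-12T19:30:00 bob@example.com OK 198.51.100.20
2019-03-12T08:00:00 carol@example.com OK 192.0.2.10
2019-03-12T12:00:00 carol@example.com OK 198.51.100.44
2019-03-12T13:00:00 carol@example.com OK 203.0.113.200
2019-03-12T21:00:00 carol@example.com OK 192.0.2.99
"""


def parse_log(text):
    """Parse log text into (timestamp, user, success, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, result == "OK", ip))
    return events


def stuffing_sources(events, window=timedelta(minutes=5),
                     min_users=5, max_success_ratio=0.3):
    """Map source IP -> distinct usernames tried, for IPs that attempted
    at least `min_users` different accounts inside `window` with a
    success ratio at or below `max_success_ratio`."""
    by_ip = defaultdict(list)
    for ts, user, ok, ip in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        best = 0
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it fits in `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            successes = sum(1 for _, _, ok in win if ok)
            if len(users) >= min_users and successes / len(win) <= max_success_ratio:
                best = max(best, len(users))
        if best:
            flagged[ip] = best
    return flagged


def shared_accounts(events, min_locations=3):
    """Map user -> distinct /24 networks for accounts that logged in
    successfully from at least `min_locations` networks."""
    nets = defaultdict(set)
    for _, user, ok, ip in events:
        if ok:
            nets[user].add(".".join(ip.split(".")[:3]))
    return {u: len(n) for u, n in nets.items() if len(n) >= min_locations}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("stuffing sources:", stuffing_sources(evs))
    print("shared accounts:", shared_accounts(evs))
```

On the constructed log the first heuristic flags 203.0.113.7 and the second flags carol's account; bob, who logs in twice from one network, and dave, whose single success came from the stuffing IP, are not flagged. Real deployments would feed the first heuristic into rate limiting or a CAPTCHA challenge and the second into a concurrency or re-authentication check, and would tune the thresholds against their own traffic.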

In 2016, cyber security firm Symantec published research about e-mail
phishing scams designed to steal Netflix login details so an attacker could
piggyback on a user’s subscription without their knowledge.

In December 2017, prominent cyber security analyst Brian Krebs wrote that
business was booming for online criminals who use botnets (collections of
malware-infected PCs) to harvest people's passwords.

“It has never been easier for a botmaster to earn a handsome living based
solely on the sale of stolen usernames and passwords alone,” he wrote,
referring to a whole range of private and entertainment sites.