The Black Market for Accounts

 

In this briefing, we will take a look at the black market for accounts for services like Disney+, Netflix and AWS.



 

The Basics

 

Black markets exist for just about anything, so the existence of black markets for user accounts isn’t all that surprising. While such accounts have been traded since the early days of the internet, the recent proliferation of cryptocurrencies has vastly expanded the market. In 2010 it simply wasn’t worth the effort and risk of arranging a payment for a $10 purchase; today the payment can be made pseudonymously and the whole sale, from listing to delivery of the credentials, can be automated.



 

Types of Accounts for Sale

 

Black market user accounts broadly fall into three categories.

 
  1. Compromised accounts that lock the owner out

In these cases, accounts were taken over and the passwords and/or recovery email addresses were changed. The buyer gets whatever is linked to the account. This can include purchased products (such as games or movies) and stored payment information. The main risk is that the owner notices the takeover and recovers the account through customer support.

 
  2. Compromised accounts that do not lock the owner out

This approach is popular with subscription services like Netflix. By piggybacking on an existing account, the purchaser gets to use the service for free. The main risk is that the owner notices a second user on the account and changes his or her password.

 
  3. Accounts purchased with stolen credit cards

This segment is often overlooked but extremely common. Stolen credit card details are relatively easy to obtain, but monetizing them is tricky. If an attacker attempts to - for example - buy cryptocurrencies with a stolen card, both the issuing bank and the cryptocurrency exchange are likely to flag the transaction. Instead, low-value and low-risk items such as games or annual streaming subscriptions are purchased and then re-sold. The main risk is that the owner of the credit card initiates a chargeback, which in turn disables the purchased content.



 

The Price of Accounts

 

Prices can fluctuate widely, from a few cents to thousands of dollars, depending on what the account contains. Notably, however, accounts can be surprisingly expensive. For example, Disney+ accounts often retail for $11 on the black market while a monthly subscription is only $7. The buyer is gambling that the account will survive for more than about 1.6 months (11/7) before it is suspended or recovered, i.e. that the stolen account outlasts what the same money would buy legitimately.


Some Examples
 

  1. The Game Library

An attacker either hijacks an account on a popular game service like GOG, Steam or Epic, or purchases titles on such stores with stolen credit cards. The accounts are then sold to a purchaser for less than the games would cost at retail.

 
  2. The Cloud Manager

An attacker takes over the account of a user of a cloud computing service like AWS, GCE or Azure. Since such accounts commonly have credit cards linked to them, a purchaser can consume resources on the victim’s dime. In extreme cases - for example corporate accounts with high-limit credit cards linked to them but poor monitoring - hundreds of thousands of dollars’ worth of resources can be consumed in just a few months.

Commonly, the buyer uses these resources to mine cryptocurrencies. Even if the customer reports the fraud, the coins have already been mined and moved, so the gain is realized before the victim’s invoice arrives. The victim’s only real defence is to notice early: a billing alarm and a review of the provider’s API audit log (CloudTrail on AWS, for instance) will show the unusual instance launches long before the bill does.

 
  3. The Deactivated Streaming Service

A common recent scam is to sell accounts for streaming services like Netflix that have been disabled by their owners. While this seems like a bad investment at first, such accounts can actually be more valuable than active ones. Streaming providers want to make it easy for users to sign back up and thus often store payment information for months. At the same time, the user believes the account to be idle and will not monitor its activity.

Buyers simply change the account’s password and email address and then reactivate the account using the owner’s payment details.
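The Cloud Manager scenario above is only profitable because nobody is watching the account between the takeover and the invoice. The following is an added example, not code from this briefing or from any cloud provider, showing the kind of check a defender would run over the provider’s API audit log. The log below is constructed to resemble an AWS CloudTrail log file (the real field names eventName, eventSource, awsRegion, userIdentity and requestParameters are used); the set of baseline regions, the bulk-launch threshold and the actor names are assumptions for a hypothetical account. It flags the three things the scenario relies on: the attacker minting credentials or silencing logging, instance launches in regions the account never uses, and bulk launches of GPU or accelerator instance families that are typical of mining.

```python
"""Flag takeover and mining indicators in CloudTrail-style events.

Added example for this briefing, not code from the page or any vendor. The
sample log is constructed; baseline regions and thresholds are assumptions.
"""
import json

# Assumption: regions the hypothetical account is known to use.
KNOWN_REGIONS = {"us-east-1", "eu-west-1"}

# Instance families with GPUs or ML accelerators, the usual choice for mining.
ACCELERATED_PREFIXES = ("p", "g", "inf", "trn", "dl")

# Assumption: one RunInstances call asking for this many is unusual here.
BULK_LAUNCH_THRESHOLD = 10

# IAM/CloudTrail actions an attacker uses to keep access or hide activity.
PERSISTENCE_EVENTS = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile",
    "AttachUserPolicy", "PutUserPolicy", "StopLogging", "DeleteTrail",
    "PutEventSelectors",
}

# Constructed sample: "deploy" mints a key, stops the trail and launches twenty
# GPU instances in a region never used before; "ci" does routine work.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-03-01T02:10:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "awsRegion": "us-east-1",
     "userIdentity": {"userName": "deploy"},
     "requestParameters": {"userName": "deploy"}},
    {"eventTime": "2024-03-01T02:12:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1",
     "userIdentity": {"userName": "deploy"},
     "requestParameters": {"name": "main-trail"}},
    {"eventTime": "2024-03-01T02:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "ap-southeast-1",
     "userIdentity": {"userName": "deploy"},
     "requestParameters": {"instanceType": "p3.16xlarge",
                           "instancesSet": {"items": [{"minCount": 20, "maxCount": 20}]}}},
    {"eventTime": "2024-03-01T09:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "eu-west-1",
     "userIdentity": {"userName": "ci"},
     "requestParameters": {"instanceType": "t3.small",
                           "instancesSet": {"items": [{"minCount": 1, "maxCount": 1}]}}},
]})


def load_records(log_text):
    """Parse a CloudTrail log file: a JSON object with a 'Records' list."""
    return json.loads(log_text).get("Records", [])


def requested_instances(params):
    """Number of instances a RunInstances call asked for (defaults to 1)."""
    items = params.get("instancesSet", {}).get("items", [])
    return sum(int(item.get("maxCount", 1)) for item in items) or 1


def analyse(records, known_regions=KNOWN_REGIONS):
    """Return one finding dict per indicator seen in the records."""
    findings = []
    for rec in records:
        name = rec.get("eventName", "")
        region = rec.get("awsRegion", "")
        actor = rec.get("userIdentity", {}).get("userName", "unknown")
        params = rec.get("requestParameters") or {}
        base = {"time": rec.get("eventTime"), "actor": actor,
                "event": name, "region": region}

        if name in PERSISTENCE_EVENTS:
            findings.append({**base, "severity": "high",
                             "reason": "credential, persistence or anti-logging action"})
        if name != "RunInstances":
            continue
        itype = params.get("instanceType", "")
        family = itype.split(".")[0]          # "p3.16xlarge" -> "p3"
        count = requested_instances(params)
        if region not in known_regions:
            findings.append({**base, "severity": "medium",
                             "reason": f"launch in region outside baseline: {region}"})
        if family.startswith(ACCELERATED_PREFIXES):
            findings.append({**base, "severity": "high",
                             "reason": f"accelerated instance type {itype}, typical of mining"})
        if count >= BULK_LAUNCH_THRESHOLD:
            findings.append({**base, "severity": "high",
                             "reason": f"bulk launch of {count} instances in one call"})
    return findings


if __name__ == "__main__":
    for f in analyse(load_records(SAMPLE_LOG)):
        print(f"{f['time']} {f['severity']:6} {f['actor']:8} {f['event']:16} {f['reason']}")
```

On the sample this produces five findings: two for the credential and anti-logging actions and three for the single RunInstances call (foreign region, GPU family, bulk count), while the CI user’s routine launch is silent. In practice the same rules run as a scheduled query over the delivered log files, and a billing alarm on the account catches whatever the rules miss.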



 

Summary

 

The black market for accounts is vast and prices can range from cents to thousands of dollars. As service providers continue to innovate, criminals continue to figure out more and more novel ways to monetize account details.

Use strong, unique passwords, enable multi-factor authentication where the service offers it, remove stored payment details from accounts you no longer use, and monitor the transactions on the accounts you keep, so that such attacks do not affect you.