Research

The Black Market for Accounts

Written by Reflare Research Team | Sep 13, 2022 5:13:00 PM

While black markets have existed since the early days of the internet, recent technological changes have made them a much more lucrative and popular option than before. The value of credentials for services like Disney+, Netflix and AWS will continue trending upward as long as there’s a way to monetise them.

First Published 3rd December 2019  |  Latest Refresh 13th September 2022

"Let it go, LET IT GOOOO!!"

4 min read  |  Reflare Research Team

In this briefing, we will look at the black market for accounts for services like Disney+, Netflix and AWS.

The Basics

Black markets exist for just about anything, so the existence of black markets for user accounts isn’t all that surprising. While such accounts have been traded since the early days of the internet, the recent proliferation of cryptocurrencies has vastly expanded the market. While it simply wasn’t worth the effort and risk to perform a financial transaction for a $10 purchase in 2010, the process can largely be automated securely today.

Types of Accounts for Sale

Black market user accounts broadly fall into three categories.

1. Compromised accounts that lock the owner out

In these cases, accounts were taken over, and the passwords and/or recovery email addresses were changed. The attacker takes over whatever is linked to the account. This can include purchased products (such as games or movies) and payment information. The main risk is that the owner will realise that the account has been hacked and attempt to recover it through customer support.

2. Compromised accounts that do not lock the owner out

This approach is somewhat popular with subscription services like Netflix. By piggybacking on an existing account, the purchaser gets to use the service for free. The main risk is that the owner realises a second user is on the account and changes their password.

3. Accounts purchased with stolen credit cards

This segment is often overlooked but extremely common. Hacked credit card details are relatively common, but monetising them can be tricky. If an attacker attempts to - for example - buy cryptocurrencies with credit cards, both the issuing bank and the cryptocurrency exchange are likely to flag the transaction. Instead, low-value and low-risk items such as games or annual streaming subscriptions are purchased and then re-sold. The main risk is that the owner of the credit card initialises a chargeback which will, in turn, disable the purchased contents.

The Price of Accounts

Prices can fluctuate widely, from a few cents to thousands of dollars, depending on what the account contains. Notably, however, accounts can be surprisingly expensive. For example, Disney+ accounts often retail for $11 on the black market, while a monthly subscription is only $7. The buyer gambles that the account will last greater than 1.5 months before being suspended.

Some Examples;

The Game Library

An attacker either hijacks an account to a popular game service like GOG, Steam or Epic or purchases titles on such stores with stolen credit cards. The accounts are then sold to a purchaser at a price that is less than the price of the games.

The Cloud Manager

An attacker takes over a user's account of a cloud computing service like AWS, GCE or Azure. Since such accounts commonly have linked credit cards, a purchaser can consume resources on the victim’s dime. In extreme cases - for example, with corporate accounts that have high-limit credit cards linked to them but are poorly monitored - hundreds of thousands of dollars worth of resources can be consumed in just a few months.

Commonly, attackers would use these resources to mine cryptocurrencies. Even if the customer reports the fraud, the monetary gain will already have been achieved.

The Deactivated Streaming Service

A recent common scam is to sell accounts for streaming services like Netflix that have been disabled by their owners. While this seems like a bad investment at first, such accounts can actually be more valuable than active ones. Streaming providers want to make it easy for users to sign back up and thus often store payment information for months. At the same time, the user believes the account to be idle and will not monitor its activities.

Buyers simply change the account’s password and email address and then reactivate the account using the owner’s payment details.

A change in methodology

When this article was first written in 2019, the majority of streaming service providers still turned a blind eye toward account sharing and account takeover. The market was not yet saturated, and any loss of revenue was secondary to the primary goal of attracting more paying customers. In 2022 however, these basic parameters have changed.

The market is now saturated with new players entering the video streaming and game library space. Subsequently, and for the first time, we are starting to see companies posting shrinking subscriber figures. This now puts revenue generation rather than subscriber count growth at the forefront of business interests. As such, many streaming services - most notably Netflix - have started cracking down hard on shared accounts. Technology to detect such accounts, which is often based on deep learning systems, has also significantly evolved during the last three years. In effect, this has made Netflix so confident in their ability to detect a shared account that they are willing to offer the ability to share for an added cost through their "Add a Home" feature.

Incidentally, this has also tanked the black market cost of stolen accounts to such services. 

Summary

The black market for accounts is vast, and prices can range from cents to thousands of dollars. As service providers continue to innovate, criminals continue to figure out more and more novel ways to monetise account details.

Make sure to use secure passwords, avoid reusing passwords and monitor all transactions on your accounts to prevent such attacks from affecting you. Additionally, you can stay abreast with the latest misadventures of companies whose customers insist on sharing their credentials by subscribing to our research newsletter.