Instead of paying for an existing user’s account information, black-market shoppers can also buy accounts that are newly generated based on stolen credit-card information. These generators dip into existing databases of stolen financial information to buy new accounts.
Having bought up a few Netflix accounts, a black-market window-shopper might go on to peruse offerings of stolen credentials for just about any sort of paid online service. Logins for HBO Go, Spotify, sports-streaming services, and paid pornography sites are available for easy online purchase.
One seller who deals in stolen accounts on a popular marketplace for illegal goods offers pages and pages of online accounts. “I like to think there is no better option for account dumps,” the seller wrote on a page selling stolen Spotify credentials. “From Netflix to Skype codes, I’m your guy.”
This seller’s listings are available only on the dark web, a part of the Internet that’s inaccessible to normal browsers and search engines. It can be viewed only through Tor, a network of servers that anonymizes web requests for privacy and security. In this case, it keeps buyers and sellers from being tracked by law enforcement.
The seller was rated five stars for “stealth,” and four and a half stars for value and quality. A register of recent purchases showed that a buyer nabbed accounts to Netflix, Hulu Plus, and Spotify for $4.99 around midnight Monday.
Of course, there’s no guarantee any of these black-market credentials actually work, says Satnam Narang, the senior response manager for Symantec’s Norton security product. Since these transactions are illegal, there’s not much of a return policy, so criminals could theoretically get away with selling non-working credentials, he said. (On this particular marketplace, that sort of behavior would quickly knock a seller down a few stars on the quality scale.)
An upstanding member of society who pays for access to services like Netflix might not be terribly worried about a hacker halfway across the world selling access to their account. The only visible effect may be a string of confusing movie recommendations, but in the hands of a malicious hacker, access to one online account can be a foothold for large-scale identity fraud.
An intruder could learn personal details about a person from inside a Netflix account—family members’ names, for example, or a billing zip code—that he could then use to trick the victim into giving up more information. Just this past weekend, a hacker used this tactic, known as social engineering, to steal personal information of thousands of employees from a Department of Justice database.
If a Netflix customer with a compromised account uses the same information for multiple online accounts, then the damage could spread. The intruder might try logging into the customer’s bank account, for example, with the same username and password.