How Cybercriminals Profit from Streaming Account Theft
In recent weeks we’ve covered how criminals use bots to steal accounts across the web. Credential stuffing tools make this easy and quick to do. If you missed it, watch a live demo of the process in this webinar.
In this post we’ll look in more detail at what happens next. How do criminals monetize stolen accounts?
To answer this, we’ll use the example of streaming services – one of the quickest and easiest commodities for crooks to shift and make a quick profit.
Recap: How Criminals Steal Streaming Accounts
Here’s a quick rundown of the credential stuffing bot kill chain, as per the BLADE Framework:
- Resource Development: The attacker acquires stolen credentials from other leaks, proxies to disguise their attacks, and tools like OpenBullet configured to attack their intended target.
- Reconnaissance: The attacker performs technical reconnaissance on the target service to learn the defenses they use and how to get past them.
- Defense Bypass: Most credential stuffing tools include modules to automatically solve CAPTCHA challenges, plug in proxy lists, rotate between user agents and even bypass MFA.
- Attack Execution: Bots enter thousands of stolen credential pairs into the target login page automatically, and data such as subscription type and billing information is exfiltrated from every account that validates.
- Actions on the Objective: The adversary releases or sells validated credentials on the dark or open web, usually at significantly reduced prices.
- Post-attack: The attacker brokers stolen information, such as PII (personally identifiable information) or payment details, either manually or via automated listings on illicit marketplaces.
For this post, let’s drill down to stage five, “Actions on the Objective”. This is where attackers make the most money.
The criminal has executed their credential stuffing attack and now has a stockpile of validated accounts.
Where Do Criminals List Streaming Accounts for Sale?
Criminals list stolen streaming accounts for sale on marketplaces and forums. Some sites are dedicated to selling streaming accounts, while others sell all kinds of illegal assets.
While some sites are hidden on the dark web or are invitation only, others are openly accessible on the clear web. Netacea also tracks Telegram groups and other harder-to-trace sources that list streaming accounts for sale. In all, the Netacea Threat Intel Center tracks over 2,000 sites.
How Many Stolen Accounts are For Sale?
We analyzed data from June 2024 and counted over 340,000 individual streaming accounts for sale across 1,540 listings. We also uncovered over 700 listings offering an unlimited number of these accounts. Treat this as a floor rather than a ceiling: there are almost certainly sources we don’t yet track, and this count covers streaming services only.
How can criminals offer “unlimited” stolen accounts? Either they are exploiting free trials and signup bonuses using fake account creation bots, or they have absolute confidence in their ability to steal as many accounts as they will ever sell.
How Much Do Stolen Accounts Sell For?
Each seller can set the price of stolen accounts arbitrarily. With minuscule overheads, and to attract buyers, criminals significantly undercut the streaming services they steal from. We found that stolen accounts sell for an average of 27.5% of their legitimate retail price.
The price of each account tends to depend on several factors. Every time a credential stuffing tool validates an account, it also scrapes information about the account. This includes whether the account incorporates extras like live events, HD and 4K resolutions etc., plus billing information such as payment methods and renewal dates.
With this information the attacker sets their price for each account. For example, the cost increases the longer an account has until it expires (one month of access is cheaper than 12 months). Accounts set to auto-renew typically cost more as well.
Some criminals even sell accounts with a guarantee of access for a set period, at a slightly higher asking price, offering a replacement if the original owner or the service locks the unauthorized user out. Again, this is evidence of how certain they are that they can easily replace stolen accounts.
It’s hard to know for sure how much money a cybercriminal can make selling streaming accounts, but their operational overheads are very low. Much of the process is automated and resources are cheap or free. They don’t need physical storage or shipping because the assets are entirely digital. They don’t even need much training for the “job”, as other criminals build the tools to be user-friendly, so the barrier to entry is low.
The market is competitive though, with so many listings posted each month to choose from. Reputation is important to sellers and many boast positive ratings from their customers in the thousands.
What Are the Risks If You Buy Stolen Streaming Accounts?
It should go without saying that you should never buy stolen streaming accounts.
Firstly, it’s illegal and unethical. Criminals use the proceeds to fund other forms of fraud. It also hurts both the streaming services you are complicit in stealing from and the consumers (i.e. the public) whose accounts are hijacked.
You also can’t trust that you’re getting what you paid for. These are criminals you’re dealing with, and you have no recourse if they take your money and don’t deliver what was promised. The logins may not work, or you could lose access at any time. You will also get no support from the service itself if you need assistance.
How Can Streaming Businesses Prevent Account Theft?
Credential stuffing is only possible because customers reuse their passwords across different services, going against security best practice. But this doesn’t mean businesses are powerless to stop credential stuffing.
Going back to the BLADE Framework and the credential stuffing bot kill chain, we can prevent accounts being stolen by identifying and putting defenses in place at each stage of the attack.
Businesses commonly use CAPTCHA to keep bots out of websites, but they are far from effective in isolation, with bots capable of solving them very quickly using AI. CAPTCHA is also a UX headache, especially on devices like smart TVs. With many choices and competing streaming services readily available, user experience and removing friction for customers is vital for such businesses.
MFA (multifactor authentication) is an extra layer of security, adding more hoops for bots to jump through, but it’s not a silver bullet solution. It adds extra friction most streaming customers wouldn’t tolerate at every login. MFA is also only effective when made mandatory across every account.
Stop Account Takeover with Bot Protection
Bot management tools are specifically designed to detect and block automated attacks like credential stuffing. Modern bot protection solutions monitor web traffic across every device, using machine learning to examine the intent of each visit. This way, automated logins coming from the same source are quickly caught out, even when the source is obfuscated by rotating proxies and user agents.
Netacea goes one step further by investigating every single request at the server level. This means all devices, from set top boxes to games consoles, are protected equally, and even calls to the login API are investigated.
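To make the detection idea in the two paragraphs above concrete, here is an added example (not Netacea's code, and not part of the BLADE Framework) that flags a credential stuffing burst in login logs even though every attempt arrives from a different IP and User-Agent. It assumes the login service logs each attempt as a JSON line carrying a timestamp, IP, User-Agent, username, result and the client's TLS (JA3) fingerprint; the field names, the fingerprint values and the thresholds are assumptions, and the sample log is constructed. The key is that a stuffing tool rotating proxies and User-Agents still leaves behind signals it does not rotate: a stable TLS fingerprint, a long list of distinct usernames that mostly fail, and a metronomic request cadence.

```python
"""Added example: flag credential-stuffing bursts in login logs using signals
that survive proxy and User-Agent rotation. Not Netacea's code; the log
format, field names, fingerprint values and thresholds are assumptions."""
import json
import statistics
from collections import defaultdict


def constructed_sample():
    """Build a small, invented login log (JSON lines).

    Campaign: one TLS (JA3) fingerprint, a fresh IP, User-Agent and username
    on every attempt, a near-constant 1.02 s cadence and almost all failures.
    Genuine traffic: two users on a shared browser fingerprint, a fixed IP,
    irregular timing and a normal mix of retries and successes.
    """
    rows = []
    for i in range(10):
        rows.append({"ts": 1000.0 + i * 1.02, "ip": f"203.0.113.{i + 1}",
                     "ua": f"Mozilla/5.0 (variant {i})", "ja3": "ja3-campaign",
                     "user": f"victim{i}@example.com",
                     "result": "ok" if i == 7 else "fail"})
    for ts, user, result in [(1000.5, "alice", "fail"), (1003.9, "alice", "fail"),
                             (1011.2, "alice", "ok"), (1020.0, "bob", "ok")]:
        rows.append({"ts": ts, "ip": "198.51.100.7", "ua": "Mozilla/5.0 (real)",
                     "ja3": "ja3-popular-browser", "user": user, "result": result})
    return "\n".join(json.dumps(r) for r in rows)


def parse_log(text):
    """Parse JSON-lines login events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def profile(events, key="ja3"):
    """Per-client profile; `key` is the stable signal used to group requests.

    A popular browser's JA3 is shared by many genuine users, so the ratios
    below matter more than the mere size of a group.
    """
    groups = defaultdict(list)
    for e in events:
        groups[e[key]].append(e)
    profiles = {}
    for k, evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        n = len(evs)
        gaps = [b["ts"] - a["ts"] for a, b in zip(evs, evs[1:])]
        # Coefficient of variation of inter-request gaps: ~0 means metronomic.
        cv = None
        if len(gaps) >= 2 and statistics.mean(gaps) > 0:
            cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        profiles[k] = {
            "requests": n,
            "distinct_user_ratio": len({e["user"] for e in evs}) / n,
            "distinct_ip_ratio": len({e["ip"] for e in evs}) / n,
            "distinct_ua_ratio": len({e["ua"] for e in evs}) / n,
            "failure_rate": sum(e["result"] != "ok" for e in evs) / n,
            "gap_cv": cv,
        }
    return profiles


def detect(events, key="ja3", min_requests=8):
    """Return {client_key: [reasons]} for clients that look like stuffing."""
    flagged = {}
    for k, p in profile(events, key).items():
        if p["requests"] < min_requests:
            continue
        reasons = []
        # Many different usernames, mostly failing: spraying a leaked list.
        if p["distinct_user_ratio"] >= 0.8:
            reasons.append("username_spray")
        if p["failure_rate"] >= 0.6:
            reasons.append("high_failure_rate")
        # Rotation itself is a tell: a real user does not change IP or browser
        # on every attempt, so a stable fingerprint with churning IP/UA is bot-like.
        if p["distinct_ip_ratio"] >= 0.5:
            reasons.append("ip_rotation")
        if p["distinct_ua_ratio"] >= 0.5:
            reasons.append("ua_rotation")
        if p["gap_cv"] is not None and p["gap_cv"] < 0.1:
            reasons.append("metronomic_timing")
        if {"username_spray", "high_failure_rate"} <= set(reasons) and len(reasons) >= 3:
            flagged[k] = reasons
    return flagged


if __name__ == "__main__":
    for client, why in detect(parse_log(constructed_sample())).items():
        print(client, "->", ", ".join(why))
```

On the constructed sample only the campaign fingerprint is flagged, for username spraying, a high failure rate, IP and User-Agent rotation and metronomic timing; the genuine users never reach the request threshold and would not match the spray or failure criteria even if they did. If the login service does not record JA3, any other per-client signal the tool does not rotate (HTTP/2 settings, header order, a device or app identifier on set-top-box and console clients) can be passed as `key`; the thresholds here are illustrative and should be tuned against real baseline traffic.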
Get more insights on streaming account theft and how to stop it in our report How Bots Attack Streaming Services.