Cocaine & Credentials

I recently had the pleasure to watch a talk at BSides Leeds by Darren Martyn. He’s a security researcher who really understands the criminal ecosystem of stolen credentials. The talk focussed on ‘scum lords’, the term he chooses for those that collect and trade stolen credentials. It was a true one hour, one stop explainer on how to do crimes.

Darren Martyn, BSides Leeds 2020

The talk went through the various methods that cyber criminals use to actively seek out new websites. He showed how ‘children’ test websites extensively for SQLi vulnerabilities and then extract a copy of their database. For a room full of seasoned pentesters, this was nothing new… but there was one thing blindingly apparent throughout the slightly humorous talk. All of the tools used and shown were designed for ease of use. Darren mentioned that the tools also had YouTube tutorial videos created to help teenagers hack their competition on popular games such as Fortnite, or to raid Steam accounts and transfer digital assets. He was astonished by the ease of use and the trivial ways in which you could commit crime.

Building a Criminal Empire

The people that steal credentials rely on other criminal factions and services to function as well. There is a clearly documented supply chain! He found shady businesses selling access to thousands of compromised home internet connections (150,00 in the U.K.) for checking credentials en masse. Then, almost as a shiny, socially acceptable shopfront for all of this crime and misery, he explained about ‘Account Stores’: places where the almost law-abiding citizens can buy stolen credentials for thousands of online services like Amazon, Netflix and premium VPNs.

Throughout the talk the striking resemblance to other criminal networks got me thinking. This whole criminal ecosystem is fuelled by people that buy the end product (credentials); the whole path of misery and destruction lies in its wake, but it’s out of sight and a million miles away from the image that a glossy shop front wants its customers to see. This was the cocaine of the cyber crime world.

Supply and Demand

If the comparison isn’t so obvious, let’s look at the supply chains. Cocaine production devastates foreign countries: the abuse of farmers – normally local staple-crop farmers forced into production roles by the economy or by demands – the destruction of forests as they cook up chemicals under plastic sheeting, and the washing of their waste downstream throughout the process.

The misery doesn’t stop there though. From the source, the drugs move through communities, cities and organisations, all being rocked by further violence and crime. People get drawn in as mules and traffickers. It filters down to a domestic setting where drug dealers and police further battle it out, until the casual user, probably unaware of the drug’s past, consumes the end product. It’s supply and demand in the most ruthless display of capitalism.

With credentials, the victims are normally innocent websites and their customers, just there on the internet, doing what they do. The automated tools run by these ‘scum lords’ dish out attacks and exploit local services. These actors see the internet as drug lords see a thriving town, and are solely focussed on extracting a resource they can chuck through an ecosystem and make money from, all while completely disregarding any concerns in favour of their own goals.

Of course, like cocaine at source, the products aren’t nearly as profitable as they will be. You have the task of connecting the supply to the demand: converting thousands of pilfered passwords into spendable paper money.

Here is where we see the network of password dump sites, hack tools designed for ease of use, compromised botnets for hire, account sites and customers all come together.

There is no harm, everyone does it!

It’s almost become socially acceptable to share passwords for accounts:

Maybe, although I feel this is an assumption, the way we think of accounts and sharing is to blame for the boom in people just buying access to accounts they desire. Not a student? Just hop on and buy an ac.uk email address! Want cheap Netflix? Just get someone’s account credentials. Everyone is doing it – what harm does it cause?!

What we do know is that prosecutions for such frauds, ‘bulk crime’ as Darren calls it, are almost non-existent. There is a complete lack of action from policing bodies in the UK, resulting in criminals acting with impunity.

A Global War On Credentials?

The war against drugs seen over the past few decades has been ineffective. Thousands have died in the collateral fire between gangs, users and the police, against a backdrop of innocent bystanders all left worse off. I don’t think it’s that dramatic in the credential world, but we have seen deaths caused by credential-based attacks in the form of suicides, and businesses that employ thousands of people closing down. Despite our best efforts we don’t seem to be solving the growing issue and it’s time to readdress it. The levels of online crime continue to rise, even though billions are being spent.

Success stories detailing a reduction in drug use shine through in countries like Portugal. They now treat drug users as victims in the process, offering them help, support and guidance in living a better life away from their addictions. It’s in this area I think our information security industry should try harder to accommodate the victims and look at the bigger picture: the people that simply do not see how their lax password management and society’s general lack of respect for all things legal is combining into a multi-billion pound global industry that is destroying lives.

Maybe cyber security needs the far-out approach that is not always so obvious at first glance. Have a think about that weak, shared password you haven’t changed in 8 years next time you log in. You could be playing your part in supporting organised crime.