In the modern age, everybody has an online account for something and everything. Are you a gamer? Maybe you have an Epic Games or Steam account. Maybe you’re a shopper? eBay or Amazon may be your go-to websites. Just casually browsing the web? You’re still quite likely to have an email account, perhaps Gmail or even Yahoo Mail.
These online accounts have made our lives more convenient than ever before – purchasing goods online, streaming videos and music, and even ordering food. However, as with everything else, they also have their drawbacks.
As soon as you created your first email account, you introduced yourself as a target to cyber criminals everywhere. Why? It’s simple – your accounts are worth money. Not all accounts are created equal, however, and they may be targeted for different reasons.
Why are they valuable?
An Epic Games or Steam account may be targeted for its valuable in-game virtual items, or simply the video games that the account owns. Online shopping accounts such as eBay and Amazon can be used to purchase items at the expense of their owner’s credit cards. The most valuable online account you may own is likely your email account.
Most online service providers have a “Forgot Password” option where you can reset your password to their website by clicking on a unique link sent to your email. Even the most unskilled of cyber criminals can hijack your entire online identity if they gain access to your email account.
How do cyber criminals gain access?
Cyber criminals that gain unauthorized access to online accounts of others are commonly referred to by the online community as ‘Crackers.’ Crackers often use a tool that takes a list of usernames and password combinations and checks whether or not those combinations are valid logins to a website. These tools are also referred to as ‘crackers’ or ‘checkers.’
In order to bypass traditional anti-brute-force methods such as CAPTCHA and IP-banning, these tools often include the use of CAPTCHA solvers and proxy lists. CAPTCHA solvers are image recognition programs that attempt to decipher the scrambled and distorted sequence of letters and numbers in an image. Proxy lists allow the tool to make login requests through a set of predefined proxy servers and therefore different IP addresses, bypassing login attempt restrictions.
However, no matter how sophisticated the tool, it is useless if the combo list it uses is low quality and contains few, if any, valid username and password combinations.
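Why proxy rotation slips past a per-IP login limit, and which site-wide signal still exposes it, shown as an added example that is not part of the original article. The log format, thresholds, usernames and addresses are constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def build_sample_log():
    """Constructed data: 20 logins via 20 proxy IPs, then one ordinary user."""
    start = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for i in range(20):  # one attempt per IP, each against a different username
        ts = (start + timedelta(seconds=3 * i)).isoformat()
        result = "OK" if i == 13 else "FAIL"  # one reused password still works
        lines.append(f"{ts} 203.0.113.{10 + i} user{i:02d} {result}")
    for sec, result in ((300, "FAIL"), (315, "FAIL"), (330, "OK")):  # typo, typo, login
        ts = (start + timedelta(seconds=sec)).isoformat()
        lines.append(f"{ts} 198.51.100.7 carol {result}")
    return lines

def parse(lines):
    """Turn 'timestamp ip username OK|FAIL' lines into tuples."""
    events = []
    for line in lines:
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events

def per_ip_lockout(events, max_failures=5):
    """Per-IP limit: flag addresses with more than max_failures failed logins."""
    fails = Counter(ip for _, ip, _, ok in events if not ok)
    return {ip for ip, n in fails.items() if n > max_failures}

def sitewide_alerts(events, min_users=10, max_success=0.2):
    """Flag one-minute windows with many distinct usernames and few successes."""
    buckets = defaultdict(list)
    for ts, ip, user, ok in events:
        buckets[ts.replace(second=0, microsecond=0)].append((ip, user, ok))
    alerts = []
    for slot, rows in sorted(buckets.items()):
        users = {u for _, u, _ in rows}
        hits = sorted(u for _, u, ok in rows if ok)  # logins that succeeded
        if len(users) >= min_users and len(hits) / len(rows) <= max_success:
            alerts.append({"window": slot.isoformat(), "attempts": len(rows),
                           "ips": len({ip for ip, _, _ in rows}),
                           "users": len(users), "review": hits})
    return alerts

if __name__ == "__main__":
    events = parse(build_sample_log())
    print("per-IP lockout flags:", per_ip_lockout(events))
    for alert in sitewide_alerts(events):
        print("site-wide alert:", alert)
```

The per-IP check flags nothing because no address fails more than once or twice, while the site-wide check flags the 10:00 window and lists the account that logged in during it as one to review.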
How are combo lists made?
There are many ways that combo lists are made, and whichever method is used often results in varying quality of the combo lists.
The first of these methods would be to simply generate a combo list. Lists of commonly used passwords can be found on numerous websites on the internet, and have legitimate uses, such as securing business infrastructure by making sure that nobody is using a common password on an important company account. Usernames, on the other hand, are only slightly hard to get. As usernames are not usually kept secret in online communities, a cyber criminal can easily run a tool called a “scraper” to gather a list of all valid usernames on the website. Randomly generated combo lists are the lowest in quality, and often contain only a couple of valid username and password combinations or even none.
Another way to make a combo list is through use of malware and phishing sites. A cyber criminal may be able to create a website that mimics the legitimate website of a bank, then send out malicious emails to every email address they know in an attempt to convince potential victims to use their real bank usernames and passwords to log in to the fake website. Once the victim logs in, their username and password are stored on the cyber criminal’s server for later use.
Keyloggers and Remote Access Trojans are also common tools used by cyber criminals to steal your credentials. By monitoring what keys you press while visiting certain websites, they may be able to capture the usernames and passwords of all your online accounts. Usernames and passwords obtained through these methods are often of high quality and contain many valid logins, making these combo lists very valuable.
The final way to make a combo list would be through the use of a method known as credential stuffing. Credential stuffing is the use of combo lists intended for certain websites on others. For example, a cyber criminal may run a relatively inexpensive combo list containing Minecraft accounts against the Gmail website, in an attempt to abuse the fact that most users reuse their passwords across most of their online accounts. This method is very effective and can lead to large-scale account takeovers.
What happens to the accounts?
Depending on the intentions of the cyber criminal, they may do different things with your account. Some cyber criminals are selfish and may hoard large lists of online accounts and continually add to them, using some occasionally for personal reasons. Others may begin selling accounts that they ‘crack’ to people who cannot afford or do not want to purchase a legitimate account for themselves at a higher price.
Different accounts are, of course, worth varying sums of money. For example, a single Fortnite or League of Legends account may run anywhere from 1 USD to 25+ USD, depending on its ‘quality,’ which is determined by the virtual items owned by the account. Minecraft and Roblox accounts, on the other hand, are relatively worthless and commonly sold in bulk amounts ranging anywhere from 100 to 1000+ accounts at a time for only a few dollars.
Some cyber criminals even capitalize on this market and purchase accounts or combo lists at low prices then resell them for slightly higher prices, acting like Wall Street brokers of the online black market.
Remember, your online presence is worth money, so safeguard it as if it were your bank account or credit card. Common security practices such as using a password manager and avoiding the reuse of passwords thwart most attackers and are relatively easy to set up.