If you ever log into your Netflix profile and wonder why it keeps suggesting you watch shows you've never heard of, something fishy might be going on.
A Sydney man has been arrested after allegedly selling stolen subscription details for services including Netflix and music streaming service Spotify, to the tune of about A$300,000 ($309,373) in profit.
The Australian Federal Police were alerted to the 21-year-old's alleged activities via a website WickedGen.com by the FBI in May last year. The website has since been taken down.
The account generator operated for about two years, selling details stolen from unknown victims in Australia and abroad for popular online services like Spotify and Netflix.
Last week news.com.au reported on the thriving underbelly of the internet where account login details and stolen passwords to popular online services are advertised for sale at a fraction of the official cost.
The Sydney man's arrest is the latest example of how online fraudsters are making serious money by pilfering passwords and login details from unsuspecting users.
Investigators allege the account details were obtained through "credential stuffing", in which a list of previously-stolen or leaked usernames, email addresses and corresponding passwords are re-used and sold for unauthorised access.
Before the website was shut down, it claimed it had more than 120,000 users and almost one million sets of account details.
"Police will allege the administrator of WickedGen made an estimated A$300,000 selling the stolen account subscriptions through this website, and other similar sites identified through the course of investigations," police said in a statement this morning.
On Tuesday detectives seized electronic material and cryptocurrencies during a raid on a home in Dee Why, on Sydney's northern beaches.
The 21-year-old man was charged with multiple cybercrime offences and the alleged use of false identities.
It comes as a separate Sydney man was arrested this week for his alleged role in a syndicate that was allegedly involved in the illegally porting of mobile phone numbers of unsuspecting Australians.
The practice is used to steal people's mobile phone numbers, move them to a different carrier and use the stolen number to gain access to the victim's other personal information including bank accounts.
The crackdown is coming
Casual password sharing has been going on for years but service providers are starting to take action to understand how common the practice is and stamp out rampant credential sharing.
But it's the underground business of selling account details for profit that is increasingly the target of content providers looking to crackdown.
On underground forums, gaming chatrooms and social media message boards reddit and 4Chan, people post offers to sell Netflix accounts for as little as A$1.50.
Despite controls typically placed on streaming accounts to limit the number of users at a time, dedicated fraudsters will look for ways around them, according to Yves Padrines, the CEO of Synamedia, a company hired by content providers to sniff out problematic password sharing.
"The whole geo-blocking, concurrency sessions so you can't watch more than two streams at a time, the geographic limitation of watching content, all of these mechanisms will be attacked one way or another," he told news.com.au recently.
The company was exhibiting at Mobile World Congress last month and showed news.com.au a visual example of how it detected one set of login credentials being used at more than 20 residential locations spread across a broad geographic location. Needless to say, the account was flagged.
In 2016, cyber security firm Symantec published research about e-mail phishing scams designed to steal Netflix login details so an attacker could piggyback on a user's subscription without their knowledge.
In December 2017, prominent cyber security analyst Brian Krebs wrote that business was booming for online criminals who use botnets (collections of hacked PCs) powered by malware to sniff out people's passwords.
"It has never been easier for a botmaster to earn a handsome living based solely on the sale of stolen usernames and passwords alone," he wrote, referring to a whole range of private and entertainment sites.
- With AP