I recently joined Cequence as a Hacker in Residence and am excited to focus on the world of automated attacks and how BOTs are used for things like account take over and credential stuffing attacks. The research into the attacks and customer stories are incredibly intresting.
When I heard that roughly 10 million accounts were created on Disney+, my newfound interest in BOTs told me that the next thing we would start to hear about was compromised credentials. As well as being able to purchase lists of compromised accounts, and as often is the case, purchase a tool to utilize the service automatically.
The gaming and entertainment industries represent lucrative targets for account takeovers, so much so that a complete black market exists where a user can buy a plugin for any number of tools with the goal of committing fraud or theft on a specific target. No doubt, the Disney+ launch was on many bad actor’s minds as it moved towards launch, but it was a bit surprising how rapidly we saw Disney+ accounts for sale on the web.
Our CQ Prime threat research team maintains a list of locations where a bad actor can locate BOT configurations for various credential attacks. Sure enough, (very) shortly after the Disney+ launch, stolen account lists began appearing. The initial lists were not high quality, just a new and probably less famous BOT director trying to get the first cash for a new exploit list. However, then 7-day trial accounts began to appear followed by three year pre-paid accounts. The records even included the network and device type registered to the account in the event the BOTs need to change behavior for the next phase after Disney’s streaming service puts some mitigations in place.
The easy registration process that Disney + deployed was a double-edged sword. While it resulted in a successful launch, it also provided a terrific target for bad actors designing bots to attack accounts that they know aren’t expired and that possibly have credit cards associated with them.
The bot forums and Tweets are buzzing with information on the accounts that have been taken over. The highest value accounts are those that have tied a credit card to the account that can be used to purchase other services (fraudulently).
Utilizing the highly iterative lists and credential testing, the bot organizations can identify legitimate accounts that are likely to have a credit limit worth exploiting and might not notice a password change. In the event a user is reusing their email, the match means the end user could be locked out of both accounts while the attacker consumes content and products/services across the Walt Disney Family of Companies.
What could Disney have done better?
Multi-factor authentication as an option would have been nice. I know the account needs to be used by non-tech savvy individuals that might be on a ROKU, but it still should have been a consideration. Even if the two-factor authentication was done in their phone app, it would have protected a few of Disney + Customer from successful account takeovers.
BOT Detection/Mitigation, these were known sources and known attack vectors. At Cequence, we battle these ever-morphing attacks hour in and hour out. The BOTS are getting better and better, and we have to make sure we track their every move and watch for their changes to keep up. Cequence and our 4 pillars of detection strategy would have identified the attacks as coming from tools available on the market, bad networks (like bulletproof proxy networks), spilled credentials available through many sources including this data dump, and analysis of the attackers’ behavior. Our methodology has been proven to stop these types of attacks.