An 18-year-old Wisconsin man has been charged with a credential stuffing campaign against users of the popular US betting site DraftKings, in which he and others allegedly stole an estimated $600,000.
Joseph Garrison of Madison, Wisconsin, was charged yesterday with conspiracy to commit computer intrusions, unauthorized access to a protected computer to further intended fraud, unauthorized access to a protected computer, wire fraud conspiracy, wire fraud and aggravated identity theft. The charges carry a combined maximum sentence of 57 years.
Garrison is accused of launching the attack on DraftKings customers on November 18 last year.
Read more about credential stuffing: The North Face Warns of Major Credential Stuffing Campaign.
Using classic credential stuffing techniques, Garrison allegedly used stolen lists of usernames and password combos to try and simultaneously access accounts across the web that victims may have used the same logins for.
In this way he was able to access 60,000 DraftKings user accounts. In some cases, he was able to add a new payment method to an account, deposit $5 to verify that payment method and then withdraw all funds.
Using this MO, Garrison and his co-conspirators are said to have stolen around $600,000 from 1600 victim accounts, according to the US Attorney’s Office for the Southern District of New York. As reported by Infosecurity at the time, it was initially believed that just $300,000 was stolen from customer accounts.
Garrison’s home was searched by law enforcers in February, during which time they found credential stuffing software including 700 “config” files for dozens of targeted websites, as well as files containing 40 million login combos.
His smartphone allegedly also contained conversations with co-conspirators about how to hack the DraftKings accounts and extract funds.
In one conversation, he is alleged to have said: “Fraud is fun . . . im addicted to see money in my account.”
Editorial image credit: T. Schneider / Shutterstock.com