With a surge in home use of video and music streaming services such as Amazon Prime Video, Apple Music, Netflix and Spotify thanks to social distancing and self-isolation measures taken during the Covid-19 coronavirus crisis – as well as the scheduled launch of Disney+ in the UK on 24 March – Proofpoint has warned that cyber criminals are increasingly targeting and hijacking user accounts.
Proofpoint threat researchers reported that cyber criminals have found a way to steal valid streaming credentials and are now selling them online for discounted prices, with the victims almost always completely unaware that they are “sharing” their accounts with malicious actors and unauthorised users.
“Streaming services have skyrocketed in popularity and demand, which makes these consumer accounts increasingly attractive to attackers,” said Proofpoint international cyber security strategist, Adenike Cosgrove. “As people around the world are being asked to remain in their homes due to the coronavirus pandemic, many are turning to these streaming services for entertainment. Attackers will likely follow this pattern and increase their theft and selling of account credentials. We recommend that consumers take a few simple steps to protect their accounts and identify and remove any unauthorised users.”
Proofpoint has identified three ways attackers steal valid streaming service credentials: via malware, using keyloggers and information stealers unwittingly downloaded to user machines; via credential phishing attacks, generally an email that redirects to a fake website used to steal login and credit card information; and finally, via previously stolen credentials combined with password reuse, also known as credential stuffing, where attackers take username and password combinations stolen from elsewhere and try to log into streaming services with them.
“Attackers have recognised there’s a huge demand for access to streaming content without having to pay full price,” said the firm’s researchers in a disclosure blog. “At this point there is a very mature, operationalised market for stolen streaming credentials.
“When attackers get your streaming credentials, they sell them to others who will use them to log on and piggyback off of your streaming services, likely without you even knowing it. It’s worth noting that this is a relatively sophisticated online store process. There are multiple options for sale, the seller offers a warranty and even contact information in case of any problems.”
Stolen user accounts are usually sold for a fraction of the price of a legitimate subscription, and the sellers will generally emphasise that the buyers cannot change usernames or passwords as this will void their warranty, and alert the victim that they have been hijacked.
How to protect yourself
Besides paying attention to basic cyber security hygiene – for example, keeping systems and browsers up to date, never clicking links in emails or attachments to visit a streaming site, and using strong, unique passwords for each service, ideally together with a password manager – there are a number of steps users can take to protect themselves.
Most of the major streaming services on the market offer options in their settings to manage devices connected to the account, and it’s worth checking whether any unauthorised or unrecognised devices are using yours. You should also be able to view previous activity and log out all devices on the account, although before doing this it is vital to change your password.
If available, it’s also worth activating options to notify you every time a new device connects to your account, which will allow you to verify that every device on the account is recognised.