Credential Stuffing Attack Cost DraftKings Customers $600,000

Monday, 22 May 2023

18-year-old Joseph Garrison bragged to his friends that "fraud is fun". However, he wasn't laughing when he appeared before a New York City judge for stealing $600,000 from DraftKings customers' accounts. Garrison has been charged with conspiracy to commit computer intrusions, unauthorised access to a protected computer to further intended fraud, unauthorised access to a protected computer, wire fraud and wire fraud conspiracy, and aggravated identity theft.

The criminal complaint was unsealed this week, and states that Garrison's crime spree started with a credential stuffing attack against DraftKings. Credential stuffing is a type of attack in which the attacker already holds a list of username and password combinations (obtained from a previous data breach) and tries those same combinations on other websites. It relies on users reusing the same password across multiple sites and on those accounts not having any form of multi-factor authentication enabled.

With credentials in hand, Garrison automated the process of attempting to log in to DraftKings with each of the 40 million username and password combinations he had acquired from prior breaches. Despite a success rate of only 0.15%, this gave Garrison access to a whopping 60,000 different accounts - each of which had a reused password and no additional security measures. Of those 60,000 accounts, 1,600 had funds in their online wallet, which Garrison was able to drain.
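The pattern described above (a single automated source trying tens of thousands of different accounts with a success rate around 0.15%) is exactly what a defender can look for in authentication logs. The following is an added example, not code from the article or from DraftKings: it parses a constructed, simplified login-log format and flags sources whose traffic has the credential-stuffing shape, while leaving a real user's mistyped logins and a single-account brute force unflagged.

```python
import re
from collections import defaultdict

# Hypothetical log format (constructed for this example): one line per attempt.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) login user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)

def parse_line(line):
    """Return (ip, user, success) for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ip"), m.group("user"), m.group("result") == "SUCCESS"

def detect_stuffing(lines, min_attempts=100, min_user_ratio=0.9, max_success_rate=0.05):
    """Flag source IPs whose login traffic looks like credential stuffing: many
    attempts, nearly every attempt against a different account, and a success
    rate far below what a real user or a single-account brute force produces.
    Returns {ip: stats} for flagged sources only."""
    stats = defaultdict(lambda: {"attempts": 0, "successes": 0, "users": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # ignore lines that are not login attempts
        ip, user, ok = parsed
        stats[ip]["attempts"] += 1
        stats[ip]["successes"] += int(ok)
        stats[ip]["users"].add(user)
    flagged = {}
    for ip, s in stats.items():
        if s["attempts"] < min_attempts:
            continue
        user_ratio = len(s["users"]) / s["attempts"]   # ~1.0 means one try per account
        success_rate = s["successes"] / s["attempts"]  # stuffing: a fraction of a percent
        if user_ratio >= min_user_ratio and success_rate <= max_success_rate:
            flagged[ip] = {"attempts": s["attempts"], "distinct_users": len(s["users"]),
                           "successes": s["successes"], "success_rate": round(success_rate, 4)}
    return flagged

def sample_log():
    """Constructed log (not real data): one stuffing source trying 2,000 distinct
    accounts with 3 hits (0.15%), a real user who mistypes twice, and a brute
    force of one account, which is a different signature and is not flagged."""
    lines = [f"2022-09-14T10:{i // 60:02d}:{i % 60:02d}Z 203.0.113.7 login user=acct{i} "
             f"result={'SUCCESS' if i in (0, 700, 1400) else 'FAIL'}" for i in range(2000)]
    lines += ["2022-09-14T11:00:00Z 198.51.100.9 login user=erin result=FAIL",
              "2022-09-14T11:00:10Z 198.51.100.9 login user=erin result=FAIL",
              "2022-09-14T11:00:25Z 198.51.100.9 login user=erin result=SUCCESS"]
    lines += [f"2022-09-14T12:00:{i % 60:02d}Z 192.0.2.44 login user=frank result=FAIL"
              for i in range(150)]
    return lines
```

Per-source counting is the simplest cut; an attacker spreading attempts over many IPs is caught by applying the same distinct-user and success-rate ratios to the whole site over a time window rather than per IP.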

The federal agents investigating the case claim to have found records of incriminating conversations between September 14, 2022, and September 16, 2022. "I quit simming," one September 14 message says, referring to SIM swapping, and "I'm back to cracking…im getting sites no1 has had for like ever and [expletive]…i have every captcha bypassed." Two days later, Garrison messaged the same co-conspirators, and stated that "fraud is fun…im addicted to see money in my account…im like obsessed with bypassing [expletive]."

A spokesperson for DraftKings said that "DraftKings provided notice to customers in relevant jurisdictions and restored amounts for a limited number of users who may have had funds improperly withdrawn from their accounts. The safety and security of our customers' personal and payment information is of paramount importance to DraftKings. We worked with law enforcement in catching the alleged bad actor(s), and we want to thank the Department of Justice, including the FBI and US Attorney, Southern District of New York, for their prompt and effective action."

* Alpha Safe journalism is funded exclusively by your donations. We care about your online safety, so we will never display ads, as they could serve you malicious content. We also believe journalism should be available for all, and will never hide our articles behind a paywall. As such, your donation would be very much appreciated.