How Hackers Attack Your Loyalty Accounts Using Credential Stuffing


Small streams make big rivers. This proverb could be the motto of the Internet users who have become specialists in the theft of loyalty accounts. As reported earlier this week by The Telegram, the resale of euros accumulated on loyalty cards is a business that thrives on the dark markets of the net.

Thus, the regional daily gives the example of a young Breton who, for only 15 euros, bought the 40 euros credited to the Carrefour loyalty account of a resident of central France. “I downloaded the brand’s application, logged in with his credentials and added his profile to my phone,” explains the fraudster, who then emptied the loyalty account while shopping.

Credential stuffing

A fraud that is not limited to this retail brand. Its competitors, but also fast-food chains such as McDonald’s, are victims of this looting of loyalty accounts. The scam relies on credential stuffing: using combo lists, lists of username-password pairs that have already leaked, attackers try to gain access to third-party services.

This modus operandi exploits a very human weakness: the reuse of the same password across different platforms. Once valid username-password pairs have been identified and access to the loyalty accounts obtained, the accounts are sold, often at a knockdown price, in dedicated Discord shops or channels.

1% success rate

For the perpetrators, it is a very lucrative activity, because even with a low percentage of valid pairs the result can be significant. This is evidenced by a case tried before the Paris court in mid-November. As ZDnet.fr noted, Sébastien M., a thirty-year-old from the Ile-de-France, was prosecuted for having hacked into 10,000 Intermarché loyalty accounts.

According to the investigation, the defendant tested nearly 1.35 million username-password pairs. Admittedly, his success rate was low, around 1%. But with so many accounts in hand, it was enough for each to hold an average of a handful of euros for the potential final loot to be very high for the hacker, one of the magistrates noted. However, since the retailer was absent from the trial, the actual damage to Intermarché and its customers is unknown.
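The pattern the article describes, one source trying a very large number of different accounts and failing almost every time, is also what a defender can look for in login logs. As an added example (not code from the article or from any of the companies named), here is a small Python detector run over constructed sample log lines; the thresholds and the log format are assumptions.

```python
from collections import defaultdict

# Constructed sample login log (not real data): timestamp, source IP, username, outcome.
# 203.0.113.7 sprays many different usernames and mostly fails, as a combo-list run would;
# 198.51.100.9 is one customer mistyping and then entering their own password.
SAMPLE_LOG = """\
2023-11-14T10:00:01Z 203.0.113.7 alice@example.org FAIL
2023-11-14T10:00:01Z 203.0.113.7 bob@example.org FAIL
2023-11-14T10:00:02Z 203.0.113.7 carol@example.org FAIL
2023-11-14T10:00:02Z 203.0.113.7 dave@example.org SUCCESS
2023-11-14T10:00:03Z 203.0.113.7 erin@example.org FAIL
2023-11-14T10:00:03Z 203.0.113.7 frank@example.org FAIL
2023-11-14T10:00:04Z 203.0.113.7 grace@example.org FAIL
2023-11-14T10:00:04Z 203.0.113.7 heidi@example.org FAIL
2023-11-14T10:05:00Z 198.51.100.9 alice@example.org FAIL
2023-11-14T10:05:41Z 198.51.100.9 alice@example.org SUCCESS
"""

def aggregate(log_text):
    """Per-source counters: attempts, failures, distinct usernames, accounts that opened."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(), "opened": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the detector
        _ts, ip, user, outcome = parts
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if outcome == "SUCCESS":
            s["opened"].add(user)
        else:
            s["failures"] += 1
    return stats

def flag_stuffing(stats, min_users=5, min_fail_ratio=0.8):
    """Flag sources that try many distinct accounts and fail most of the time
    (assumed thresholds; tune against real traffic). Returns {ip: accounts that
    opened from it}, i.e. the accounts on which to force a password reset."""
    flagged = {}
    for ip, s in stats.items():
        fail_ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = sorted(s["opened"])
    return flagged

if __name__ == "__main__":
    for ip, accounts in flag_stuffing(aggregate(SAMPLE_LOG)).items():
        print(f"{ip}: credential stuffing suspected; force password reset on {accounts}")
```

A single customer retrying their own password is not flagged because only one username is involved, while the spraying source is flagged together with the one account it managed to open.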

According to the investigation, Open Bullet, an application intended for web developers, was run on a virtual machine to test username-password pairs on the fly. Specialized investigators from the Paris police headquarters identified the hacker thanks to one of the IP addresses used, which pointed to a virtual machine operated by the company where the suspect worked.

Criminal convictions

“I did not try to attack Intermarché,” the defendant argued, before clumsily admitting to having tried to compromise Canal+ and Spotify accounts, though only, in the latter case, to artificially inflate the audience of his streams. His arguments did not convince the magistrates, who sentenced him for computer hacking and receiving stolen goods to a four-month suspended prison sentence and a fine of 2,000 euros, a sentence described as a warning.

Contrary to what some loyalty account thieves may assume, this type of offence therefore does not go unnoticed by the courts. Last March, in a similar case, a young computer science student from Bordeaux was sentenced to a fine of 1,000 euros for computer hacking and complicity in fraud.

But these cyberattacks greatly complicate life for the companies that run loyalty programs. In addition to warning messages to their customers, they sometimes have to pull the rug out from under the hackers’ feet directly by forcing password resets. A remedy that clearly has its limits, as shown by the thinking of the digital giants, who are preparing to abandon the password in favor of new authentication mechanisms.
