How 12-year-olds hack thousands of accounts a day

Alimuhammadsecured
Published in The Deep Hub
6 min read · Jun 14, 2024

During the COVID-19 era many teens were locked inside their homes, addicted to video games, and started downloading cheats and buying accounts. Intrigued, I did infosec research and studied what these teenagers were really up to; some even went as far as committing cybercrime and numerous felonies!

Sure, you’ve heard of those big hacks and ransomware attacks, but there’s another large community of hackers that is primarily focused on consumer accounts. Has your Spotify or Instagram account ever been hacked out of the blue? Well, brace yourself for how crazy the context behind your hacked account really is. Let’s get into it!

There are numerous ways of compromising accounts (we’ll be using the term “cracking”), from as sophisticated as breaching a database to less sophisticated, such as using a brute-forcing wordlist. The wordlist here is not your typical wordlist like SecLists but a collection of compromised databases that are put together and known as combo lists. For example, let’s say you wanted to crack Spotify accounts; you would need three things:

  1. Proxies (these mask your IP and circumvent rate limiting and bans)
  2. Streaming Combolists (collection of leaked streaming usernames/emails and passwords to test against Spotify’s login)
  3. Checker/Config/AIO (software that tests the leaked credentials on Spotify, or a site in question for a valid “Hit”).

Chapter 1: Proxies

Proxies are lightweight servers that sit between you and the destination: they make a request on your behalf using their IP (so yours is not banned) and send the HTML data back so you can parse and manipulate it. These proxies can get pretty advanced, from rotating proxies (because proxies will also get banned and your pool will deplete), to botnet proxies (using compromised machines in a botnet as proxies), to simple scraping proxies. Popular ones used for fraud and cracking were 911 and Zenum proxies. 911 was taken down and seized by law enforcement, but Zenum remains operational today, as they are not for cracking but for legitimate businesses and applications.

In this case the proxy sits in between you and the host destination such as the website you’re trying to access.

Chapter 2: Combolists

Getting these combo lists isn’t tricky either; many forums have dedicated threads for just this, some with millions of users!

These can all be downloaded for free; anyone can do it!

You may be wondering how the combo lists themselves get created. I’ll be publishing a writeup explaining the process of how this is done soon!

These combo lists, in simple terms, are built in numerous ways, but the most common way script kiddies (younger kids) do it is by leveraging large files of Google dorks that have a high chance of finding vulnerable parameters such as .PHP?id=12 (for SQL injection); these are scraped, then scanned and dumped. The dumped data from hundreds of databases is then “cleaned”, “checked”, and sold or used in the cracking process. Popular tools for this are known as “dork parsers”, and the most popular one I remember coming across at the time was MagicDork.

85,647 URLs scraped off of Google from a list of 6,148 dorks using HTTP proxies to circumvent Google’s anti-botting and rate-limiting features.

Chapter 3: Checkers

Good checkers can be difficult to come by and are typically programmed in Python 3 and C#. But what about the script kiddies who don’t know how to program? Well, there’s a way you can still brute force and create custom tools without a single line of code: introducing CONFIGS!

Configs are files that have “steps” on how to log in to a site and determine whether the credentials are valid, for example, looking for the “invalid password” or “logged in” keywords in the site’s response.

Credits: COD config — google

As you can see, it’s similar to Scratch’s block coding but for hackers! The green request block makes a web request to the site and can be customized to be a POST, GET, PUT, and more. Furthermore, there’s even a pre-programmed function for bypassing Cloudflare (“Bypass CF”) and solving captchas! The name of this tool is “SilverBullet” and it is an open-source tool with a license on GitHub. Moreover, it can be customized to capture data on valid accounts such as name, balance, whether it’s premium, etc. These kinds of configs are referred to as “no CAP” and “full CAP” (CAP configs being more expensive, of course).

Now, if you know anything about software development then you know this isn’t very complex, however, it gets complex when the site has robust anti-botting features in place from Cloudflare to Arkose to Akamai. So, cracking on these sites should be out of the question right? Nope!

These kids are craftier than they seem. After talking to many on forums and Discord, I discovered that some of them weed out the APIs that don’t have these protections, for example using the mobile app’s login API instead of the website’s API, which has more traffic on it. Some even went as far as debugging Netflix’s TV API to figure out how to use it. This is genius because when logging into Netflix or any app on your smart TV there is NO captcha or robust anti-botting feature 9/10 times. Other times, they will abuse misconfigurations by developers using the captchas: for example, hCaptcha will accept any valid token (from a solved captcha), but if the developer does not pass in their siteKey then any hCaptcha can be solved and that token redeemed; thus an “easier” captcha can be solved and that token used. Other times, bot farms can be used to solve captchas, where in third-world countries rooms filled with workers solve captchas day and night and forward the token to the application (attacker); some sites that offer this service are 2Captcha and Capmonster (which also use artificial intelligence). Lastly, vulnerabilities in the captcha systems themselves can be abused; for example, Google has a race condition vulnerability, discovered by James Kettle, that still exists today, as Google said it is not feasible to patch this. (More can be read here.)
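The siteKey misconfiguration above is a server-side check the developer controls. The following is an added example (not code from the original post, and not hCaptcha's own code) of how a login backend should redeem a captcha token: it POSTs the token to the siteverify endpoint together with its own sitekey, and then trusts the verdict only if `success` is true and the returned `hostname` is the site it actually serves. The endpoint URL, the `sitekey` request parameter and the `success`/`hostname`/`error-codes` response fields follow hCaptcha's public documentation as I know it; the hostname `login.example.com`, the error-code string in the demo and the `opener` injection used to run it offline are assumptions made for this example.

```python
"""Server-side CAPTCHA verification that binds the token to our sitekey and hostname.

Added example, not code from the original post. It follows the hCaptcha
siteverify flow as publicly documented: the server POSTs the user's token
("response") with the site secret to the verification endpoint and receives
a JSON verdict with "success", "hostname" and, on failure, "error-codes".
The misconfiguration the post describes is trusting "success": true alone.
Here the request also carries our "sitekey" (hCaptcha's optional parameter,
as I understand the docs) so tokens issued for another widget are refused,
and the returned hostname is checked against the site we really serve.
"""
import io
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://hcaptcha.com/siteverify"


def evaluate_siteverify(result: dict, expected_hostname: str) -> tuple[bool, str]:
    """Decide whether a siteverify verdict should unlock the login attempt.

    Returns (accepted, reason). Only a successful verdict whose hostname
    matches our own site is accepted; everything else is rejected with a
    reason you can log and alert on.
    """
    if not result.get("success"):
        codes = result.get("error-codes") or []
        return False, "verification failed: " + (",".join(codes) or "unspecified")
    hostname = result.get("hostname")
    if hostname != expected_hostname:
        # A token solved on a different site (or widget) must not be redeemed here.
        return False, f"token solved for {hostname!r}, expected {expected_hostname!r}"
    return True, "ok"


def verify_token(token, secret, sitekey, expected_hostname, remote_ip=None,
                 opener=urllib.request.urlopen):
    """POST the token to siteverify, pinned to our sitekey, and evaluate the verdict.

    `opener` is injectable (an assumption for this example) so the function
    can be exercised offline with a canned verdict.
    """
    fields = {"secret": secret, "response": token, "sitekey": sitekey}
    if remote_ip:
        fields["remoteip"] = remote_ip
    body = urllib.parse.urlencode(fields).encode()
    with opener(SITEVERIFY_URL, data=body, timeout=5) as resp:
        verdict = json.loads(resp.read().decode())
    return evaluate_siteverify(verdict, expected_hostname)


def canned_opener(verdict: dict):
    """Offline stand-in for urlopen that replays a constructed siteverify verdict."""
    payload = json.dumps(verdict).encode()

    def _open(url, data=None, timeout=None):
        return io.BytesIO(payload)

    return _open


def demo():
    """Run three constructed verdicts through verify_token; returns the three decisions."""
    good = {"success": True, "hostname": "login.example.com"}
    wrong_site = {"success": True, "hostname": "other.example.org"}
    # Error-code string is illustrative (constructed for this demo).
    rejected = {"success": False, "error-codes": ["sitekey-secret-mismatch"]}
    return [
        verify_token("tok", "secret", "our-sitekey", "login.example.com",
                     opener=canned_opener(v))[0]
        for v in (good, wrong_site, rejected)
    ]


if __name__ == "__main__":
    print(demo())  # [True, False, False]
```

The point of the second rejection is the one the post makes: a token that verifies as "success" but was solved against a different hostname or widget is exactly the "easier captcha" token an attacker would try to redeem, and the hostname/sitekey checks are what close that gap.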

These private APIs were referred to as “ultra high quality” or “UHQ” APIs, and some were sold at prices ranging as high as $500–$5,000. In some cases, I discovered a small group of 18–20-year-olds developing one for PayPal back in 2020 and selling this software for $2,000 a month, causing unfathomable damage to consumers, PayPal, and individuals. Sadly, there is little a company can do to combat this. With the pace of technology, cybersecurity is often overlooked or underfunded, leading to a cat-and-mouse game between attackers and innocent companies.

This is EXACTLY how Chick-fil-A was breached in 2022 with over 70,000 accounts “cracked” and sold on forums. They utilized the mobile API and figured out anti-botting bypasses causing thousands of dollars in loss to the business through chargebacks — yes, teenagers.
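From the defender's side, a checker running a combo list through a mobile or TV login route leaves a distinctive footprint in authentication logs. The following is an added example (not from the original post) that runs over a small constructed log and flags the patterns described above: one source IP testing many distinct usernames with mostly failures, one username retried from many IPs (a rotating proxy pool), and failure counts per login endpoint so an unprotected mobile or TV route stands out beside the web login. The log format, endpoint paths, thresholds and sample addresses are all assumptions made for this example.

```python
"""Credential-stuffing detection over authentication logs.

Added example, not from the original post. It runs over constructed sample
lines in an assumed "ts ip endpoint user RESULT" format (map your own log
schema into those five fields) and surfaces the patterns the post describes:
  * one source IP testing many distinct usernames with mostly failures
    (a checker working through a combo list),
  * one username attempted from many different IPs (the same checker behind
    a rotating proxy pool), and
  * failure counts per login endpoint, so a mobile or TV login route that
    lacks the web login's protections stands out.
Thresholds are illustrative; a production version would also bucket by
time window rather than scoring the whole file at once.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    ts: str
    ip: str
    endpoint: str
    user: str
    ok: bool


def parse_log(text: str) -> list[AuthEvent]:
    """Parse whitespace-separated 'ts ip endpoint user RESULT' lines (RESULT is OK or FAIL)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, endpoint, user, result = line.split()
        events.append(AuthEvent(ts, ip, endpoint, user.lower(), result == "OK"))
    return events


def analyze(events, max_users_per_ip=5, min_fail_ratio=0.8, max_ips_per_user=3):
    """Return suspicious IPs, users hit from many IPs, and failures per endpoint."""
    users_by_ip = defaultdict(set)
    attempts_by_ip = defaultdict(lambda: [0, 0])   # ip -> [attempts, failures]
    ips_by_user = defaultdict(set)
    failures_by_endpoint = defaultdict(int)
    for e in events:
        users_by_ip[e.ip].add(e.user)
        ips_by_user[e.user].add(e.ip)
        attempts_by_ip[e.ip][0] += 1
        if not e.ok:
            attempts_by_ip[e.ip][1] += 1
            failures_by_endpoint[e.endpoint] += 1

    suspicious_ips = {}
    for ip, (attempts, failures) in attempts_by_ip.items():
        ratio = failures / attempts
        # Many distinct accounts plus a high failure rate is the checker signature;
        # a real user mistyping their own password trips neither condition.
        if len(users_by_ip[ip]) >= max_users_per_ip and ratio >= min_fail_ratio:
            suspicious_ips[ip] = {"users": len(users_by_ip[ip]), "fail_ratio": round(ratio, 2)}

    # One account tried from many IPs points at a rotating proxy pool.
    targeted_users = {u: sorted(ips) for u, ips in ips_by_user.items()
                      if len(ips) >= max_ips_per_user}
    return {
        "suspicious_ips": suspicious_ips,
        "targeted_users": targeted_users,
        "failures_by_endpoint": dict(failures_by_endpoint),
    }


# Constructed sample log (RFC 5737 documentation addresses, example.com users).
SAMPLE_LOG = """\
# a real user mistypes once, then logs in on the web
2024-06-14T10:00:01Z 198.51.100.7 /api/web/login alice@example.com FAIL
2024-06-14T10:00:09Z 198.51.100.7 /api/web/login alice@example.com OK
# one IP walks a combo list against the mobile login route
2024-06-14T10:01:00Z 203.0.113.10 /api/mobile/login u01@example.com FAIL
2024-06-14T10:01:01Z 203.0.113.10 /api/mobile/login u02@example.com FAIL
2024-06-14T10:01:02Z 203.0.113.10 /api/mobile/login u03@example.com FAIL
2024-06-14T10:01:03Z 203.0.113.10 /api/mobile/login u04@example.com FAIL
2024-06-14T10:01:04Z 203.0.113.10 /api/mobile/login u05@example.com FAIL
2024-06-14T10:01:05Z 203.0.113.10 /api/mobile/login u06@example.com FAIL
2024-06-14T10:01:06Z 203.0.113.10 /api/mobile/login u07@example.com FAIL
2024-06-14T10:01:07Z 203.0.113.10 /api/mobile/login u08@example.com FAIL
2024-06-14T10:01:08Z 203.0.113.10 /api/mobile/login u09@example.com FAIL
2024-06-14T10:01:09Z 203.0.113.10 /api/mobile/login u10@example.com OK
# one account retried from four different proxy IPs on the TV route
2024-06-14T10:02:00Z 192.0.2.1 /api/tv/login carol@example.com FAIL
2024-06-14T10:02:03Z 192.0.2.2 /api/tv/login carol@example.com FAIL
2024-06-14T10:02:06Z 192.0.2.3 /api/tv/login carol@example.com FAIL
2024-06-14T10:02:09Z 192.0.2.4 /api/tv/login carol@example.com FAIL
"""


if __name__ == "__main__":
    report = analyze(parse_log(SAMPLE_LOG))
    for key, value in report.items():
        print(key, value)
```

The per-endpoint failure counts are the quick way to answer the question the Chick-fil-A case raises: if the mobile or TV route is absorbing most of the failed logins while the web route is quiet, that is the route whose rate limiting and bot checks need to match the web login's.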

So the first question that should come to your mind is: why? Why go through all this trouble, time, and energy for a Netflix or Spotify account? Well, who said they’re just for the ones cracking? They’re often resold! A Netflix account can go for as low as $0.1 per account (due to false positives from the checkers) and PayPal for as low as $0.50, with a guaranteed payment method linked and a warranty if you’re unable to log in!

These accounts are often referred to as “logs”.

Interestingly enough, every step in cracking accounts is its own marketplace from proxies, checkers, configs, APIs, to even the final product being sold — accounts.

Thankfully, there is a battle against this nationwide cyber fraud. Specifically, the vendors selling these accounts are now being targeted by the FBI, which has been fairly successful in taking down the largest vendors such as pingfo. Moreover, many marketplaces on atshop.io & sellix.io have been taken down as well. Atshop.io & sellix.io are platforms that allow you to sell items digitally (such as files and videos); unfortunately, they’re also used to resell accounts.

If you want to connect with me feel free to reach out to me on Twitter

🐦Twitter: https://x.com/ali_muhammadsec
