Joseph Garrison, a teenager aged 19, pleaded guilty to launching a credential stuffing attack against a fantasy sports and betting website. In the attack, Garrison successfully accessed approximately 60,000 user accounts. Using a meticulously crafted scheme, Garrison and his accomplices stole an estimated $600,000 in total. The theft involved adding a new payment method to each victimized account, depositing $5 using this new method, and finally withdrawing all funds from the account.
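The three-step cash-out described above leaves a recognizable trail in account activity. The following is an added example, not code from the case or from any affected platform, showing how a fraud team might flag that sequence; the event fields, time window and thresholds are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (assumed schema, not real data):
# (account, time, event, payment_method, amount, balance_before_event)
EVENTS = [
    ("acct-1", "2024-01-10T02:01:10", "payment_method_added", "pm-new", 0.0, 840.0),
    ("acct-1", "2024-01-10T02:02:05", "deposit", "pm-new", 5.0, 840.0),
    ("acct-1", "2024-01-10T02:03:30", "withdrawal", "pm-new", 845.0, 845.0),
    # Ordinary customer: new method, normal deposit, partial withdrawal later.
    ("acct-2", "2024-01-10T09:00:00", "payment_method_added", "pm-b", 0.0, 120.0),
    ("acct-2", "2024-01-10T09:05:00", "deposit", "pm-b", 50.0, 120.0),
    ("acct-2", "2024-01-12T20:00:00", "withdrawal", "pm-b", 30.0, 170.0),
    # Small deposit and full withdrawal, but through a long-standing method.
    ("acct-3", "2024-01-10T11:00:00", "deposit", "pm-old", 5.0, 60.0),
    ("acct-3", "2024-01-10T11:10:00", "withdrawal", "pm-old", 65.0, 65.0),
]

def find_cashout_sequences(events, window=timedelta(hours=1),
                           max_probe=5.0, drain_ratio=0.9):
    """Flag: new payment method -> small deposit through it -> near-full withdrawal."""
    state = {}    # account -> {"added": {method: time}, "probed": {method: time}}
    flagged = []
    for acct, ts, kind, method, amount, balance in sorted(events, key=lambda e: e[1]):
        t = datetime.fromisoformat(ts)
        s = state.setdefault(acct, {"added": {}, "probed": {}})
        if kind == "payment_method_added":
            s["added"][method] = t
        elif kind == "deposit":
            added = s["added"].get(method)
            # A small deposit through a just-added method validates that method.
            if added and t - added <= window and amount <= max_probe:
                s["probed"][method] = added
        elif kind == "withdrawal":
            for m, start in s["probed"].items():
                drained = balance > 0 and amount / balance >= drain_ratio
                if t - start <= window and drained:
                    flagged.append((acct, m, ts))
                    break
    return flagged

if __name__ == "__main__":
    for hit in find_cashout_sequences(EVENTS):
        print("hold withdrawal and review:", hit)
```
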
The Culprit: Joseph Garrison
A resident of Madison, Wisconsin, Joseph Garrison admitted to his offense and faces up to five years in prison for his crime. Law enforcement officers who thoroughly inspected Garrison's house in February 2023 discovered software typically used in credential stuffing attacks. They also found nearly 40 million usernames and passwords that could be used in future attacks, and they retrieved almost 700 config files used with these applications.
Evidence Against Garrison
Aside from the software and the huge volume of usernames and passwords found at his residence, the investigation turned up another piece of compelling evidence. When Garrison's phone was examined, officers discovered several conversations in which he discussed hacking the betting website. Garrison had also spoken about exploiting the compromised accounts for profit, either by directly stealing funds or by selling information to other cybercriminals.
Garrison pleaded guilty to conspiracy to commit computer intrusion in court. The US Department of Justice announced charges against him on May 18. He responded promptly by surrendering to authorities in New York, New York on the same day.
The legal repercussions for Joseph Garrison's crime are extensive. The accused teenager faces a potential maximum sentence of five years in prison on charges of conspiracy to commit computer intrusion. This is a serious charge relevant to the large-scale credential stuffing attack that he admitted to having orchestrated.
US Department of Justice’s Response
The US Department of Justice reacted swiftly to the situation, announcing criminal charges against Garrison. Upon hearing this, Garrison immediately surrendered to the authorities in New York, cooperating with judicial proceedings. The severity of the charges highlights the high level of cyber-security threat and criminal intrusion into private accounts that Garrison's actions represented. The accused will be sentenced in January, following the due process of law.
The Target: DraftKings
Although the court documents do not explicitly mention the name of the betting website that suffered the attack, it is largely suspected to be DraftKings. Around the time of Garrison's attack in November 2022, DraftKings had announced that approximately 68,000 of its user accounts had been compromised, hinting at the correlation. The financial implications and the breach of customer trust that this attack represented underscore the full extent of Garrison's criminal enterprise.
Explanation of Credential Stuffing Attacks
Credential stuffing attacks are a type of cybercrime that aims to exploit accounts on various platforms by using stolen usernames and passwords. These stolen or compromised login credentials are typically obtained from previous data breaches on unrelated websites. The criminals then attempt to access different websites where potential victims may have used the same login credentials, resulting in unauthorized access.
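Because each stolen pair is tried once against whichever account it belongs to, a stuffing run looks different in login logs from a forgotten password or from repeated guessing against one account. The following is an added example, not taken from the case, of detection logic that separates the three; the log format, thresholds and sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict

def build_sample_log():
    """Constructed log lines: '<time> <source_ip> <username> <OK|FAIL>'."""
    lines = []
    # Source A: 40 different usernames, one attempt each, two valid pairs.
    for i in range(40):
        result = "OK" if i in (7, 23) else "FAIL"
        lines.append(f"2024-01-10T03:00:{i:02d} 203.0.113.9 user{i}@example.com {result}")
    # Source B: one customer mistyping a password, then getting it right.
    for sec, result in ((1, "FAIL"), (9, "FAIL"), (20, "OK")):
        lines.append(f"2024-01-10T08:15:{sec:02d} 198.51.100.20 alice@example.com {result}")
    # Source C: many guesses against a single account (brute force, not stuffing).
    for i in range(30):
        lines.append(f"2024-01-10T09:00:{i:02d} 198.51.100.77 bob@example.com FAIL")
    return lines

def classify_sources(lines, min_users=20, max_tries_per_user=2.0, max_success=0.10):
    """Flag sources that try many distinct accounts a few times each and mostly fail."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "hits": []})
    for line in lines:
        _time, ip, user, result = line.split()
        s = stats[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if result == "OK":
            s["hits"].append(user)
    report = {}
    for ip, s in stats.items():
        tries_per_user = s["attempts"] / len(s["users"])
        success_rate = len(s["hits"]) / s["attempts"]
        stuffing = (len(s["users"]) >= min_users
                    and tries_per_user <= max_tries_per_user
                    and success_rate <= max_success)
        report[ip] = {
            "stuffing": stuffing,
            "distinct_users": len(s["users"]),
            # Accounts that logged in from a flagged source need a forced reset.
            "accounts_to_reset": sorted(set(s["hits"])) if stuffing else [],
        }
    return report

if __name__ == "__main__":
    for ip, row in classify_sources(build_sample_log()).items():
        print(ip, row)
```

The successful logins from a flagged source matter most: those are the accounts whose reused passwords worked. The same aggregation can be keyed on another attribute, such as a device fingerprint, where attempts do not share one address.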
Case in Point: DraftKings Attack
An excellent example of a credential stuffing attack was the unfortunate incident experienced by DraftKings. In November 2022, it was reported that approximately 68,000 accounts on the DraftKings platform were compromised. In the aftermath of the attack, DraftKings encouraged its customers to ensure that they use unique passwords for each platform and website they frequent, adding that the login details accessed by hackers were likely compromised on different websites and subsequently used to breach DraftKings accounts.
Cybercrime in the News
The story of Joseph Garrison’s credential stuffing attack on a betting website is not an isolated instance of cybercrime. News platforms are consistently filled with reports of various cybercrimes happening globally, involving both individuals and organizations.
Recent Cybercrime Events
Reports are emerging that a Russian USB worm is spreading into Ukraine, indicating the growing influence of cyber-attacks in geo-political warfare. Additionally, a significant number of organizations are taking cybersecurity more seriously. Over 250 organizations have taken part in an electrical grid security exercise aimed at bolstering their cyber infrastructure and strategies against potential attacks.
Corporate Cybercrime Incidents
Companies are not exempt from these cyber incidents. The CEO of ChatGPT-maker OpenAI was fired due to a lack of candor with the company, highlighting the influence and impact of cyber espionage and insider threat. The rise of 'bad bots' is another concerning trend in the digital landscape. These bots, programmed with malicious intent, have accounted for up to 73% of internet traffic, posing a severe risk to data privacy and integrity.