Young, arrogant, and disinhibited online (allegedly).
Wisconsin man charged with stealing DraftKings credentials.
Joseph Garrison, an 18 year old from Wisconsin, was charged yesterday for hacking into approximately 60,000 DraftKings sports betting accounts in November of 2022. The complaint filed by the FBI explained that Mr. Garrison was able to purchase credentials from a third-party site and sell around 1,600 of the hacked accounts causing about $600,000 to be withdrawn from victims’ accounts.
Whodunnit becomes howdunnit.
BleepingComputer explains, “Garrison and his co-conspirators devised a method allowing buyers of the stolen accounts to withdraw all funds, instructing them to add a new payment method to the hacked accounts, deposit a nominal sum of $5 through the newly added payment method to verify its validity, and subsequently withdraw all existing funds from the victims' accounts to a separate financial account under the attackers' control.” Mr. Garrison is also accused of running a dark web trafficking site that sells hacked accounts. The complaint alleges, “On the Garrison Phone, law enforcement located an undated picture showing that Goat Shop had sold 225,247 products for total sales revenue of $2,135,150.09.”
A (very) young adult allegedly gone (very) astray.
Ani Chaudhuri, CEO of Dasera, wrote with reflections on the alleged hacker's boastfulness and disregard for consequences. "In the face of this most recent cyberattack on DraftKings, we feel the pain and shock reverberating across the industry. It's a stark reminder of the profound threat that cybercrime poses to our online businesses and our consumers, undermining trust and causing tangible harm," Chaudhuri said, before turning to some reflections on the human dimension of cybercrime. "The alleged hacker's flagrant disregard for the consequences of his actions underlines a growing issue - cybersecurity is not just about technology; it's about people. The threat landscape is constantly evolving, and it's not just a matter of securing networks and systems, but also about instilling an understanding of cyber ethics and responsibility, especially among younger demographics."
Credential stuffing has become and is likely to remain a problem. "The advent of credential stuffing, the tactic used in this breach, reveals a hard truth: we are only as strong as our weakest link. Reusing passwords across platforms can have cascading effects that go beyond a single compromised account. It emphasizes the urgent need for robust, multi-layered security strategies that include not just advanced technical defenses, but also user education about safe online behavior," Chaudhuri wrote.
Chaudhuri closed with some advice on coping with attacks of this kind:
"Companies must prioritize deploying dynamic security measures that can adjust and react to emerging threats. Utilizing advanced analytics, AI, and machine learning technologies can help detect and prevent anomalous activities early. Additionally, stronger authentication methods such as multi-factor authentication can significantly reduce the risk of unauthorized access, even if login credentials are compromised.
"It's also critical that we, as an industry, share our experiences and learn from these incidents. Transparency in the face of a breach isn't an admission of defeat; it's a commitment to improvement. By sharing knowledge and best practices, we can collectively strengthen our defenses and continue to instill trust in our digital ecosystem.
"It's encouraging to see DraftKings acting swiftly to restore stolen funds and reaffirming their commitment to security. Cybersecurity is not a destination but a journey, and the continued dedication to safety, despite such setbacks, is an essential part of navigating this path successfully. This event underscores that cybersecurity is not a luxury but a necessity in today's digital world."