- The Weekend Byte
$10 Million Dollar Musical Heist
How one musician used AI to steal millions
The latest TikTok craze, known as the Chase money glitch, is a pure facepalm moment. People are depositing their own checks written out to themselves and then withdrawing the funds. This also goes by another name: bank fraud. Oh, today’s youth…
Today in the cyber world, we’re covering:
The $10 million dollar musical heist
Old-school MFA bypass bots
Hacker OnlyFans?
-Jason
Together with NordPass
Attackers thrive on weak passwords. According to NordPass research, 20% of business passwords were the exact name of the company or a variation of it.
Use my code “weekendbyte” to get a free 3-month trial or 20% off NordPass Business. With NordPass, you create and store strong passwords and get alerts if your data is breached. Check it out here.
AI Spotlight
The $10 Million Musical Heist
I love a good fraud story, and this one is music to my ears, literally. It starts with a musician named Michael Smith, a 52-year-old who used music to “steal” $10 million.
Let’s break it down:
Step 1—The Bots: Streaming platforms pay the artist and songwriter a fraction of a cent each time someone listens to their song on the platform. When dealing with fractions of a cent, you need a lot of listens. Michael quickly realized he needed an army of listeners. And the best listeners are the ones who have no taste in music (bagpipe fans, presumably).
This meant he needed an army of mindless bots. Thousands of them. For his purposes, a good bot army requires valid email accounts. Thankfully for Michael, shady vendors exist that sell bulk email accounts. Those email accounts allowed Michael to register accounts across various streaming platforms, like Spotify, Apple Music, YouTube Music, and Amazon Music (who uses this, seriously?).
But Michael is a busy man. He couldn’t create all of these accounts himself. He played corporate America and decided to offshore the work to overseas contractors, letting them do the grunt work of signing up on the various streaming platforms.
That sounds expensive, and it is! Fear not, though, for Michael is a smart dude. He signed up for family plans, so it didn’t eat into his margins. Well played, Michael…well played.
But surely, someone would detect fraud if he was just using his credit card. This is where Michael reached supervillain status. He used a financial services company that provides debit cards for corporations. Using fake names corresponding to fake email accounts, he funded those debit cards with $1.3 million to purchase more streaming accounts.
These techniques allowed Michael to amass a bot army of over 10,000 active accounts at the peak!
Step 2—Start Streaming: With 10,000 bots, you can’t just run those from your laptop. It would set off alarms with the streaming companies and probably melt his laptop. To solve this, Michael went to the cloud! He used virtual cloud-hosted systems and a whole lot of browser tabs, each logged into the various streaming platforms, to run his bot army. But they needed directions.
Using macros, which are just scripts that automate repetitive tasks in a browser, Michael commanded his bots like the conductor of a world-class orchestra. Each bot continuously streamed music that Michael had uploaded to the streaming platforms. That was great for profit, but it also introduced another problem.
Streaming one song a billion times would set off red flags with the streaming platforms. And Michael was running out of songs to keep his music-hungry bot army fed, so he had to get even more creative.
Step 3—AI Killed the Music Star: One year after starting his scheme, Michael enlisted the help of the CEO of an AI music company and a music promoter to…drum roll…use AI to create more music…a lot of music….like hundreds of thousands of songs a lot. The music promoter dubbed it “instant music.”
With his bots fed, Michael had one last problem…
Step 4—Profit: This was a good problem, though. Michael was stealing a crazy amount of money from the streaming platforms! In 2017, at the early stage of his scheme, Michael emailed himself details on his financial forecast. It looked like this:
52 cloud service accounts, each running 20 bots for a total of 1,040 bot accounts.
Each bot could stream approximately 636 songs daily, with 661,440 daily streams across the bots.
Estimating a half of one cent per stream, Michael believed he could make:
Daily royalties: $3,307
Monthly: $99,216
Annual: $1,207,128
By 2024, Michael was rolling in the deep profits. In an email, he boasted that he had generated over 4 billion streams and $12 million in royalties since 2019 💰️💰️
We know Michael is a problem solver. He’s working to solve his next major problem…reducing his charges so he won’t spend the rest of his life in jail.
Probably should avoid those AI lawyers…
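The scheme above has a recognizable shape from the platform's side: a handful of accounts each playing far more than a person could, and a set of tracks whose plays come almost entirely from those accounts. The following is an added example of what those two checks look like in code; it is mine, not anything from the case or from any streaming service's real fraud logic. The sample log is constructed, and the thresholds (300 plays per day per account, 100 minimum plays per track, 80% concentration in the top 10 listeners) are assumptions chosen for the demo; the 636 plays per bot per day is the figure from Michael's own forecast.

```python
"""Toy stream-fraud heuristics.

Added example, not from the case or any streaming platform's real detection
logic. Thresholds and the sample data are constructed assumptions; the 636
streams/day figure comes from the forecast quoted in the article.
"""
import random
from collections import Counter, defaultdict

MAX_STREAMS_PER_DAY = 300   # assumed ceiling for one human listener in a day
MIN_PLAYS = 100             # assumed: ignore tracks with too few plays to judge
TOP_K = 10                  # accounts considered when measuring concentration
CONCENTRATION_LIMIT = 0.8   # assumed: >80% of plays from TOP_K accounts is suspicious


def build_sample_events(seed=1):
    """Constructed one-day log: 20 organic listeners plus 5 bot accounts.

    Each event is (account_id, track_id). Real logs would also carry
    timestamps, play durations, IPs and payment references.
    """
    rng = random.Random(seed)
    events = []
    organic_tracks = [f"track-{i}" for i in range(200)]
    ai_tracks = ["ai-track-1", "ai-track-2", "ai-track-3"]
    for u in range(20):                          # humans: a few dozen varied plays
        for _ in range(rng.randint(10, 60)):
            events.append((f"user-{u}", rng.choice(organic_tracks)))
    for b in range(5):                           # bots: 636 plays of the same few tracks
        for _ in range(636):
            events.append((f"bot-{b}", rng.choice(ai_tracks)))
    for _ in range(30):                          # a little organic spillover onto AI tracks
        events.append((f"user-{rng.randint(0, 19)}", rng.choice(ai_tracks)))
    return events


def flag_hyperactive_accounts(events):
    """Rule 1: more plays in a day than a person plausibly manages."""
    per_account = Counter(acct for acct, _ in events)
    return {a for a, n in per_account.items() if n > MAX_STREAMS_PER_DAY}


def track_concentration(events):
    """Share of each track's plays that come from its TOP_K most active accounts."""
    per_track = defaultdict(Counter)
    for acct, track in events:
        per_track[track][acct] += 1
    shares = {}
    for track, c in per_track.items():
        total = sum(c.values())
        if total < MIN_PLAYS:          # too little data to call it either way
            continue
        top = sum(n for _, n in c.most_common(TOP_K))
        shares[track] = top / total
    return shares


def flag_concentrated_tracks(events):
    """Rule 2: 'one song a billion times' coming from a handful of accounts."""
    return {t for t, s in track_concentration(events).items() if s > CONCENTRATION_LIMIT}


def suspicious_plays(events):
    """Plays by flagged accounts on flagged tracks, i.e. royalties to withhold."""
    bad_accounts = flag_hyperactive_accounts(events)
    bad_tracks = flag_concentrated_tracks(events)
    return sum(1 for a, t in events if a in bad_accounts and t in bad_tracks)


if __name__ == "__main__":
    evts = build_sample_events()
    print("hyperactive accounts:", sorted(flag_hyperactive_accounts(evts)))
    print("concentrated tracks:", sorted(flag_concentrated_tracks(evts)))
    print("plays to withhold:", suspicious_plays(evts))
```

Rule 1 alone would have caught the 2017 forecast on day one; the reason the scheme lasted years is that the later AI-generated catalog let Michael spread plays across hundreds of thousands of tracks, which is exactly what rule 2 is blind to once each track stays under the volume floor. Correlating accounts by shared family plan or funding card, which the article describes as the scheme's actual weak point, is the check that survives that dilution.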
Security Deep Dive
I’m Not Crying, You’re Crying
Cybersecurity is just one of those topics that can make you simultaneously happy and sad. Take the news this week from Brian Krebs, who reported that three men in the UK pled guilty to running an online service, OTP Agency, that helped steal one-time passwords (OTPs).
Happy = more cybercriminals in jail, huzzah!
Sad = wait…there are entire online services that exist to steal one-time passwords? The same one-time passwords we use for MFA? Yup, they’re known as OTP bots. Sad face, indeed.
The men were also hardly men. They ranged in age from 19 to 22. They’re practically babies!
They sold their service to other cybercriminals for between $40 and $500 USD a month. For those cybercriminals, that’s a drop in the bucket compared to what they could make by using it to get into their victims’ financial accounts.
WTF is an OTP bot? It’s a malicious program that uses social engineering to trick users into giving up their OTP. It works like this:
A cybercriminal gains valid credentials to a victim’s online account.
The cybercriminal logs into the victim’s account and is prompted for MFA…which they don’t have…but they do have the victim’s phone number.
The OTP bot calls the victim and plays an automated message telling them to complete verification by entering the OTP they just received via text or that is showing in their authenticator app.
The bot sends that OTP back to the attacker, who enters it into the website within the code’s validity window and completes the login to the victim’s account.
OTP bots were the predecessor of a more significant threat. The latest phishing kits fold all of these steps into one: the attacker sends a phishing email, the victim enters their password and OTP on a fake login page, and the kit relays both to the real site in real time, before the OTP expires.
The best way to stop these? Phishing-resistant MFA, meaning passkeys or FIDO2 hardware tokens. The credential is bound to the legitimate website’s origin, so a fake login page cannot obtain a response the real site will accept, and there are no one-time passwords or text messages for you to fumble with (or for a bot to talk you out of).
While reports recently surfaced that YubiKeys, one of the most popular hardware MFA keys, have a weakness that could let an attacker clone a key, just relax. The attack still needs physical possession of the key plus time and lab equipment, which makes it a far smaller threat than a phone call from a bot.
As with everything security, there is no one perfect solution, but some options are better than none.
If you only have an option for SMS MFA, it’s better than no MFA.
If you have an option between an app-based OTP and SMS, go with the app-based MFA.
And wherever FIDO MFA is supported (e.g. passkeys or hardware tokens), enable those!
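To make that origin binding concrete, here is an added example of mine (not from the article, OTP Agency, or any FIDO implementation) using only Python’s standard library. The TOTP half is real RFC 6238; the FIDO half is deliberately simplified: the authenticator’s per-site HMAC secret stands in for its asymmetric key pair, and the site names bank.example and bank-login.example are made up. The TOTP path accepts a code no matter where the victim read it from. The FIDO path fails twice: the browser scopes the credential to the page’s RP ID, so the phishing page gets nothing at all, and even an assertion forced for the right RP ID carries the phishing origin inside the signed client data, which the real site rejects.

```python
"""Added example (not from the article): a relayed OTP works for the attacker,
a FIDO/WebAuthn assertion does not. HMAC stands in for the authenticator's
signature and the hostnames are invented; both are assumptions for a
stdlib-only demo."""
import hashlib
import hmac
import json
import os
import struct
import time
from urllib.parse import urlparse


# ---- TOTP (RFC 6238): the thing an OTP bot talks the victim out of ----
def totp(secret, at, step=30, digits=6):
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def site_accepts_totp(secret, code, at):
    # The site only compares digits; nothing records where the user typed them,
    # so a code read aloud to a bot is as good as one typed on the real page.
    return hmac.compare_digest(totp(secret, at), code)


# ---- FIDO-style assertion: scoped to an RP ID, signed over the origin ----
class Authenticator:
    def __init__(self):
        self._creds = {}          # rp_id -> secret (stand-in for a private key)

    def register(self, rp_id):
        self._creds[rp_id] = os.urandom(32)

    def key_for(self, rp_id):     # what the relying party stored at registration
        return self._creds[rp_id]

    def get_assertion(self, rp_id, client_data):
        key = self._creds.get(rp_id)
        if key is None:
            return None           # no credential scoped to this RP ID
        auth_data = hashlib.sha256(rp_id.encode()).digest()       # rpIdHash
        signed = auth_data + hashlib.sha256(client_data).digest()
        return auth_data, hmac.new(key, signed, hashlib.sha256).digest()


def browser_get(authn, page_origin, challenge):
    # The browser derives the RP ID from the page origin; a phishing page
    # cannot ask for bank.example's credential, and the origin it did come
    # from is baked into the client data that gets signed.
    rp_id = urlparse(page_origin).hostname
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge.hex(),
                              "origin": page_origin}).encode()
    result = authn.get_assertion(rp_id, client_data)
    return None if result is None else (client_data, *result)


def rp_verify(expected_origin, rp_id, key, challenge, response):
    if response is None:
        return False
    client_data, auth_data, sig = response
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("origin") != expected_origin:
        return False                                   # wrong site
    if cd.get("challenge") != challenge.hex():
        return False                                   # replay
    if auth_data != hashlib.sha256(rp_id.encode()).digest():
        return False
    expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def otp_bot_scenario():
    """Attacker has the password; the bot phones the victim, who reads back the code."""
    secret = b"victim-seed-0123456789"                 # constructed seed
    now = int(time.time())
    code_read_to_bot = totp(secret, now)
    return site_accepts_totp(secret, code_read_to_bot, now)    # True: attacker is in


def fido_phish_scenario():
    """Returns (legit login ok, phishing page got nothing, relayed assertion ok)."""
    authn = Authenticator()
    authn.register("bank.example")
    key = authn.key_for("bank.example")
    challenge = os.urandom(16)
    legit = rp_verify("https://bank.example", "bank.example", key, challenge,
                      browser_get(authn, "https://bank.example", challenge))
    phish = browser_get(authn, "https://bank-login.example", challenge)
    # Even if something forced the authenticator to use the right RP ID,
    # the signed client data still names the phishing origin.
    forced_cd = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                            "origin": "https://bank-login.example"}).encode()
    forced = authn.get_assertion("bank.example", forced_cd)
    relayed = rp_verify("https://bank.example", "bank.example", key, challenge,
                        (forced_cd, *forced))
    return legit, phish is None, relayed


if __name__ == "__main__":
    print("OTP relayed by bot accepted:", otp_bot_scenario())
    print("FIDO (legit, phish blocked, relay rejected):", fido_phish_scenario())
```

The point of the two scenarios is the asymmetry: the TOTP verifier has no input that could tell it the code arrived via a phone call, while the FIDO verifier is handed the origin as part of what was signed and refuses anything that isn’t its own. Real WebAuthn adds a counter, user-presence flags, and an ECDSA or Ed25519 signature in place of the HMAC, but the origin and RP ID checks shown here are the ones that defeat OTP bots and relay kits.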
Security News
What Else is Happening?
💸 Bitcoin ATM (BTM) scams are on the rise. The FTC said that $65 million in losses were reported in the first half of 2024 alone! And it’s disproportionately impacting people over 60. The scam works like any other social engineering attempt, with a call or a message that ultimately tricks the victim into feeding cash into a BTM and sending the crypto to the attacker.
📲 Two foreign nationals, from Romania and Serbia, were indicted for making over 100 calls between 2020 and 2024 with threats of violence and reports of fake crimes in “swatting” attempts. Swatting involves calling emergency services and reporting a violent crime in progress so that a SWAT team storms the victim’s house. There were so many calls that listing them took up 19 pages of the indictment.
🆘 Attackers are using GitHub comments to drop links to infostealers. GitHub is one of the most popular code hosting platforms out there, and one of its features lets users comment on projects, which is often used to ask troubleshooting questions. Per Bleeping Computer’s interview with Nicholas Sherlock, over 29K comments pushing a single infostealer were posted in a three-day period.
🤭 Hackers got more than adult entertainment when they tried targeting OnlyFans accounts. A user on a hacking forum promoted an OnlyFans checker, which verifies the validity and account settings for stolen OnlyFans credentials. Whelp, it turns out it was actually an infostealer. I get so much joy when hackers target each other.
If you enjoyed this, forward it to a fellow cyber nerd.
If you’re that fellow cyber nerd, subscribe here.
See you next week, nerd!