They gained access to the social media accounts of some of the biggest names in sports. This included account takeovers of both NFL and NBA players.
Now the U.S. Department of Justice (DOJ) is revealing the attackers' identities, detailing their attack methods, and charging them with federal crimes.
NFL and NBA social media takeover attack started with phishing
The accused hackers in this case both live in the United States, and only one of them is old enough to order a beer.
The DOJ filed charges against 21-year-old Trevontae Washington, who lives in Thibodaux, Louisiana. Prosecutors say his sports account takeovers started with a social media phishing attack:
"Washington phished for the athletes' credentials, messaging them on platforms like Instagram with embedded links to what appeared to be legitimate social media log-in sites, but which, in fact, were used to steal the athletes' user names and passwords.
Once the athletes entered their credentials, Washington and others locked the athletes out of their accounts and used them to gain access to other accounts. Washington then sold access to the compromised accounts to others for amounts ranging from $500 to $1,000."
And while Washington's business model was charging others for access to the NBA and NFL player accounts, the DOJ says another young hacker was trying to charge players to get their own accounts back.
Ronnie Magrehbi is a 20-year-old in Orlando, Florida, accused of running the following scheme:
"Magrehbi is alleged to have obtained access to accounts belonging to a professional football player, including an Instagram account and personal email account. Magrehbi extorted the player, demanding payment in return for restoring access to the accounts. The player sent funds on at least one occasion, portions of which were transferred to a personal bank account controlled by Magrehbi, but never regained access to his online accounts."
Account takeover attacks: high risk, low reward
Both of these men are facing two charges: wire fraud conspiracy, which carries a maximum sentence of up to 20 years in prison and a $200,000 fine; and computer fraud conspiracy, which carries a maximum sentence of five years in prison and up to a $250,000 fine.
Going through all the trouble of hacking some NFL and NBA players' social media accounts, only to sell those accounts for $1,000 or demand ransom from the players, is a low-reward, high-risk proposition when the consequences are prison time and hundreds of thousands of dollars in fines.
It's always tough to get inside the mind of young cybercriminals; however, a recent SecureWorld podcast episode does exactly that. We talked to Cam, a reformed hacker who went to jail when he was just 14 years old.
[LISTEN: Youth and Cybercrime podcast]
For more information on the account takeover attack, you can read the DOJ press release.