Back in November 2016, 26,500 accounts for the UK’s National Lottery got credential-stuffed like they were a bunch of Thanksgiving turkeys.
And last week, 29-year-old Anwar Batson from London, who supplied his criminal buddies with Sentry MBA, the Dark Web-traded, automated login-guessing tool behind the credential-stuffing attack, was sentenced to up to nine months in jail.
All this, for what? The shrinky-dinky sum of £5 (USD $6.50), that’s what. As The Register reports, that was his agreed-upon cut of whatever ill-gotten goods the thieves managed to pry out of accounts.
On Friday, Crown Prosecutor Suki Dhadda told the court that Batson had downloaded Sentry MBA and joined a chat group discussing the software and swapping the configuration files necessary to use it. Batson, the father of one, “counseled others on how to hack” and “enabled them to successfully use Sentry MBA to hack others’ accounts,” Dhadda said.
At least as of May 2016, Sentry MBA was considered the most popular tool for this kind of attack. Credential stuffing takes sets of breached credentials (username/password pairs leaked from other sites), combines them with configuration files specific to the targeted site or service, and uses a tool like Sentry MBA to try each pair automatically against the login page to see which ones get a crook into a live account.
If account holders have reused passwords across sites and services, there's a much better chance that a leaked credential will also open their account on the targeted site. Which is why it is really, truly a bad idea to use the same password on different sites!
Credential dumps are easy to find and buy – they’re as common as dirt on the Dark Web. The configuration files, though, are another thing.
As JUMPSEC managing director Sam Temple has told Infosecurity, the true value is in the config files, which tell the hacking tool how to attack a specific website: for example, config files tell the tool how a website handles login requests, which CAPTCHA is running, and how many requests per proxy should be attempted before the site or service detects a brute-force attempt and locks accounts.
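The "requests per proxy" setting is the part of a config file that matters most to a defender, and a short detector shows why. The Python below is an added example, not code from this article, The Register, JUMPSEC or Camelot; the log format, the IP addresses, the usernames and the thresholds are all constructed for illustration. It models four rotating proxies that each stop at four attempts, one short of a five-failure per-IP lockout, and shows that the per-IP rule never fires while a rule keyed on distinct usernames per IP and on the site-wide failure ratio flags every proxy.

```python
from collections import defaultdict

# Constructed sample login log (not from the page): "timestamp src_ip username result".
# 10.0.0.x are ordinary users. 203.0.113.10-13 model a Sentry MBA run whose
# config keeps each proxy to 4 attempts, under a 5-failure per-IP lockout.
SAMPLE_LOG = """\
2016-11-28T02:00:01 10.0.0.5 alice fail
2016-11-28T02:00:09 10.0.0.5 alice success
2016-11-28T02:01:30 10.0.0.7 bob success
2016-11-28T02:02:00 203.0.113.10 carol fail
2016-11-28T02:02:01 203.0.113.10 dave fail
2016-11-28T02:02:02 203.0.113.10 erin fail
2016-11-28T02:02:03 203.0.113.10 frank fail
2016-11-28T02:02:04 203.0.113.11 grace fail
2016-11-28T02:02:05 203.0.113.11 heidi success
2016-11-28T02:02:06 203.0.113.11 ivan fail
2016-11-28T02:02:07 203.0.113.11 judy fail
2016-11-28T02:02:08 203.0.113.12 ken fail
2016-11-28T02:02:09 203.0.113.12 leo fail
2016-11-28T02:02:10 203.0.113.12 mia fail
2016-11-28T02:02:11 203.0.113.12 nick fail
2016-11-28T02:02:12 203.0.113.13 olga fail
2016-11-28T02:02:13 203.0.113.13 pat fail
2016-11-28T02:02:14 203.0.113.13 quinn fail
2016-11-28T02:02:15 203.0.113.13 rita fail
"""


def parse_log(text):
    """Turn the space-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "success"})
    return events


def per_ip_lockout_hits(events, max_failures=5):
    """The classic control a stuffing config is tuned to stay under:
    an IP is blocked once it accumulates max_failures failed logins."""
    fails = defaultdict(int)
    for e in events:
        if not e["ok"]:
            fails[e["ip"]] += 1
    return sorted(ip for ip, n in fails.items() if n >= max_failures)


def stuffing_suspects(events, min_distinct_users=3, max_success_ratio=0.5):
    """Flag IPs that try many distinct accounts with a low success ratio.
    A real user mistypes one or two accounts; a stuffing proxy walks a combo list,
    so the per-IP failure count can be low while the distinct-user count is high."""
    users = defaultdict(set)
    attempts = defaultdict(int)
    successes = defaultdict(int)
    for e in events:
        users[e["ip"]].add(e["user"])
        attempts[e["ip"]] += 1
        successes[e["ip"]] += int(e["ok"])
    return sorted(
        ip for ip in attempts
        if len(users[ip]) >= min_distinct_users
        and successes[ip] / attempts[ip] <= max_success_ratio
    )


def site_failure_ratio(events):
    """Site-wide failed/total logins; a jump against baseline is the proxy-agnostic signal."""
    if not events:
        return 0.0
    return sum(1 for e in events if not e["ok"]) / len(events)


def compromised_accounts(events, suspects):
    """Accounts that logged in successfully from a flagged IP: the ones to lock and notify."""
    return sorted({e["user"] for e in events if e["ok"] and e["ip"] in suspects})


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    suspects = stuffing_suspects(ev)
    print("per-IP lockout fires on:", per_ip_lockout_hits(ev))
    print("stuffing suspects:", suspects)
    print("site-wide failure ratio: %.2f" % site_failure_ratio(ev))
    print("accounts to lock:", compromised_accounts(ev, suspects))
```

The thresholds here are illustrative; in production the distinct-username and failure-ratio rules would be evaluated per time window against a learned baseline, and a single IP sharing a NAT (a university network like Akinwunmi's, say) needs a higher distinct-user threshold than a residential address.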
Batson, using the chat handle “Rosegold,” discussed “config-file” this and “how do we use Sentry MBA to hack the National Lottery website” that with others online, including Idris Akinwunmi and Daniel Thompson: two hackers who were jailed in July 2018 for the cyberattack.
During the 2016 attack, Akinwunmi – an Aston University student – transferred just £13 into his account. That’s how much the crooks stole from Dr. Ian Bentley, a National Lottery player: the entire contents of his account.
Police traced one of the IP addresses used in the attack back to Akinwunmi. When police interrogated him, he said that he’d learned how to use Sentry MBA from Rosegold. Chat logs also showed up on his computers when police examined them.
The crooks had agreed that in exchange for sending them Sentry MBA, Batson would get a cut of the loot. Batson’s attorney, Daniel Kersh, had this to say in defense of his client:
They made an arrangement. Mr Batson would send [Akinwunmi] the Sentry MBA and that whatever Mr Akinwunmi did with it, he would get a cut. That in essence was his involvement.
When he was arrested on 10 May 2017, Batson denied having anything to do with the National Lottery hacks. His claim: It was somebody else! He got hacked! He was “the victim of online trolling”! His devices “had been trolled or hacked and other people had access to his laptop”!
His devices, however, sang a different tune. On them, investigators found a copy of the same chat that they’d discovered on Akinwunmi’s machines, as well as evidence that Batson had accessed Dr. Bentley’s account using Sentry MBA.
Nine months for a lousy £5?
Who cares how little the crooks made? Not Camelot, the outfit that runs the lottery. In a statement from CISO David Boda that was read to the court, he said that the company spent £230,000 responding to the attack. The fallout included 250 customers closing their accounts as a result of the bad publicity that followed. Another cost: £40,000 for a staff training event that had to be postponed as the company worked to fend off the hacks.
In passing sentence, Judge Jeffrey Pegden QC said that Batson’s jail time didn’t hinge on how much he made off with. Besides, he’s been forced to pay back that £5 to his victim, Dr. Bentley, on top of £250 for court costs.
No, the jail time has more to do with the fact that you went after an organization that does charity work, the judge said:
In my view, the gravity of your offending does not lie in the loss occasioned by the hacking and by the fraud. That indeed was low. But it does lie in the fact that you targeted a large charitable organization, namely the National Lottery, which gives something like £30m per week to chosen charities.
Batson pleaded guilty to four counts under the Computer Misuse Act 1990, as well as one count of fraud.