Man bragged ‘fraud is fun’ before allegedly hacking website | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacking | #aihp

Metro

By Priscilla DeGregory

May 18, 2023 | 2:44pm

A Wisconsin man bragged “fraud is fun” before allegedly hacking user accounts on a sports betting website and helping others steal $600,000, Manhattan federal prosecutors charged Thursday.

Joseph Garrison, 18, is accused of swiping the login information of 60,000 accounts in the Nov. 18 cyber attack, and then selling the data, allowing others to steal money from some of the users, the feds alleged.

In total, the Madison man allegedly helped others loot the $600,000 from a total 1,600 users — with at least 30 of those accounts belonging to New Yorkers, prosecutors said.

Before Garrison carried out the major hack, he bragged in messages to one of his co-conspirators on Sept. 16 that “fraud is fun,” adding that he’s “addicted to see [sic] money in my account,” according to the criminal complaint against him.

Authorities got wind of the “credential stuffing attack” scheme after workers of the sports betting site bought stolen credentials and received detailed instructions and screenshots about how to steal money from the user accounts, the feds alleged.

An undercover agent bought login information for two accounts on Jan. 9 for $11 and was also given instructions and screenshots about how to pilfer user money, the complaint states.

When law enforcement searched Garrison’s home in February, they found programs used for credential stuffing attacks and files containing nearly 40 million username and password combinations, prosecutors said.

Investigators also found messages on Garrison’s phone discussing with his co-conspirators how to hack the betting site and how to make money off of it, the filing claims.

In one message, Garrison allegedly boasted about how good he was at credential stuffing attacks, saying that he loved to do it and thought he would never get caught, the feds said.

In June 2022, Garrison allegedly admitted to Madison Wisconsin Police to a hacking scheme he carried out from 2018 through 2021, claiming he made around $15,000 on a good day and that he pocketed $800,000 total, the complaint states.

But when the feds went through his phone they found a screenshot showing that he’d made over $2 million in sales in that scheme, the complaint alleges.

He also told the Wisconsin cops that he stopped hacking in 2021, the complaint claims.

Garrison is charged with conspiracy to commit computer intrusions, unauthorized access to a protected computer to further intended fraud, unauthorized access to a protected computer, wire fraud and aggravated identity theft. He faces up to 20 years behind bars if convicted on the top count.

“As alleged, Garrison used a credential stuffing attack to hack into the accounts of tens of thousands of victims and steal hundreds of thousands of dollars,” US Attorney Damian Williams said in a statement.  “Today, thanks to the work of my Office and the FBI, Garrison learned that you shouldn’t bet on getting away with fraud.”

Garrison turned himself in on Thursday.

His lawyer, Clay Kaminsky, declined to comment.