OG account takeover is a big business underground

Meet The Underground Business of OG-Username Account Takeover Attacks

“Car.” “Chris.” “Lizard.” Online accounts with one-word names like these are known as “OG usernames,” and they’re prime targets for bad actors who steal, buy and sell access on a lucrative black market.

OG stands for “original gangster,” a reference to the fact that many of these usernames are held by early adopters of the apps and platforms in question. A recent episode of the Reply All podcast followed a Snapchat user named Lizzie whose OG username, “Lizard,” was stolen and eventually sold to someone who sent her harassing messages and threats. Lizzie got her account back with help from Snapchat tech support, but she still felt violated by the experience and stopped using Snapchat as much.

Lizzie’s story is unfortunately all too common for legitimate owners of OG usernames. Many may have experienced some of the inconveniences of having an extremely simple email address, Instagram handle or other login (like getting signed up for accounts at dozens of random websites you never visit, in security journalist Brian Krebs’ case). However, many OG account holders have no idea they’re sitting on an asset that’s potentially worth hundreds, thousands or even tens of thousands of dollars — or that they’re prime targets for account takeover attacks.

If you have an OG username on a social media app, email platform or anywhere else, you may want to take extra steps to protect yourself. Read on to find out more about the trade in OG usernames and what you can do to secure your account.

It doesn’t take much to be a (cyber)gangster, just a big dose of denial

The black market for OG usernames is its own complex online ecosystem. Cybercriminals hang out in dedicated Discord chats to swap tactics and brag about their latest exploits. There are entire websites dedicated to buying and selling OG usernames, and a whole group of middlemen who buy hacked accounts and sell them to the highest bidder. Some participants seem to collect OG usernames the way other people collect expensive sneakers.

Often in stories about cybercrime, the perpetrator is a generic “bad actor,” leaving us to imagine some kind of evil hacker mastermind hiding behind the digital curtain. However, in real life, cybercriminals are real human beings like you and me who have simply convinced themselves they aren’t doing anything wrong. This constant state of denial helps them justify what they do and still sleep at night.

For example, “Kevin” — the hacker who originally broke into Lizzie’s Snapchat account — said that he didn’t sell Lizard initially because it seemed like an active account (so, clearly he’s totally a good person). But when the same password still worked after a month, he told Lizzie that he “just assumed you didn’t care or you didn’t use it” — I mean, what is poor Kevin meant to do? He subtly shifts the blame to Lizzie for not protecting her account. The middleman in the story, who bought the Lizard username from Kevin, also said he doesn’t “feel so bad” about the whole thing, since he didn’t do anything illegal and Lizzie got her account back in the end anyway.

Statements like these make it a little easier to understand why cybercrime is so widespread. The hackers who steal credentials and the middlemen who buy them are only links in a long chain, and their link is never “the real problem.” They carefully choose to ignore how their actions help build the chain — and how that chain links to the victim. But cybercrime has real effects on real people. If you want to avoid becoming one of them, it makes sense to take steps to secure your OG account.

Common account takeover attacks

Cybercriminals use some of the same methods to steal OG usernames that they’d use in any other account takeover attack. The first tactic is simple: If the website or app in question has suffered a data breach, then hundreds, thousands or even millions of credentials may be available for sale online. A cybercriminal can simply buy that data and sort through it to find the OG usernames. If their passwords haven’t been updated since the breach, gaining access is easy.

Brute-forcing is another popular way for cybercriminals to steal OG accounts, particularly ones with weak passwords. Many attackers take lists of common passwords and use them to try to log into OG accounts. Unfortunately, this sloppy technique works more often than you’d think.

If your OG account is protected with a solid password, the next thing you have to worry about is credential stuffing, where bad actors reuse passwords associated with your other accounts that have been compromised in previous breaches. If your OG account has the same password as an account that was breached, it will be at risk.

These types of attacks are often characterized by their velocity, as they test many credentials faster than a human being can. Some websites and apps use bot-detection solutions that identify and repel these high-volume attacks. However, cybercriminals are increasingly adopting new, more sophisticated credential-stuffing tactics that imitate human behavior and are much harder to detect.
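The velocity signal described above, from the defending platform's side, as an added example that is not part of the original article. It flags sources whose failed logins exceed a per-minute threshold and separates brute-forcing (many guesses at one username) from credential stuffing (many usernames, a guess or two each). The window, threshold, event layout and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # assumed sliding-window size
MAX_FAILURES = 10     # assumed: more failed logins than a person makes in a minute

def classify_sources(events):
    """events: time-ordered (epoch_seconds, source_ip, username, success) tuples.
    Returns {source_ip: label} for sources that exceed the velocity threshold."""
    recent = defaultdict(deque)  # source_ip -> failed (time, username) inside the window
    flagged = {}
    for ts, src, user, ok in events:
        if ok:
            continue
        window = recent[src]
        window.append((ts, user))
        # Drop failures that have aged out of the sliding window.
        while window and ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) > MAX_FAILURES:
            users = {u for _, u in window}
            # One targeted name with many guesses = brute force;
            # many names with a guess or two each = credential stuffing.
            flagged[src] = "brute-force" if len(users) == 1 else "credential-stuffing"
    return flagged

def sample_events():
    """Constructed sample data; IPs are from documentation ranges."""
    events = []
    # 198.51.100.7: 30 password guesses against the one-word name "lizard" in 30 s
    events += [(1000 + i, "198.51.100.7", "lizard", False) for i in range(30)]
    # 203.0.113.9: one breached password per username, 40 usernames in 40 s
    events += [(1000 + i, "203.0.113.9", f"user{i}", False) for i in range(40)]
    # 192.0.2.44: a person mistyping a password twice, then logging in
    events += [(1005, "192.0.2.44", "chris", False),
               (1020, "192.0.2.44", "chris", False),
               (1030, "192.0.2.44", "chris", True)]
    # 192.0.2.80: human-paced attempts, one every 5 minutes, stay under the threshold
    events += [(1000 + 300 * i, "192.0.2.80", f"og{i}", False) for i in range(20)]
    return sorted(events)

if __name__ == "__main__":
    for src, label in classify_sources(sample_events()).items():
        print(src, label)
```

The last constructed source is never flagged, which is the limitation the paragraph above describes: attempts paced like a human stay under any velocity threshold and need other signals to detect.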

Then there’s the trickiest type of attack to defend against: SIM swapping. In this complex attack, a cybercriminal first hijacks your cell phone number by calling your wireless provider and using stolen personal information to impersonate you. (“Hi, I’m Melissa Smith. I lost my SIM card and bought a new one, can you activate it?”) Once they convince the wireless provider that they are you — not a hard task — their SIM card will be linked to your phone number.

From there, all they have to do is submit a “forgot password” request in the app they’re targeting. The app will send a 2-factor authentication (2FA) code to your phone number, which now goes to the cybercriminal’s phone. Then they reset your password to whatever they want, locking you out of the account.

5 ways to protect your OG username

Account takeover attacks can happen to anyone, not just people with OG usernames. So even if your email or social media handle is unlikely to become a prime seller on OGUSERS.com, these steps can still help keep your accounts and personal information safe.

1. Use a strong password

A lot of people think a “strong password” means a complex string of random letters, numbers and symbols — after all, that’s the idea encoded in the password requirements of many websites and apps. But a password like “Unh4ck4bl3” is incredibly hard for a human to remember and relatively easy for a computer to crack. It’s fairly short — only 10 characters — which means a good algorithm could guess it within a few days.

You may be better off with a longer password that’s easier to remember and harder for a computer to guess. Try using a song lyric combined with another phrase like “UnderMyUmbrellaSmellsDrawer.”

2. Don’t reuse passwords

This is another reason not to use hard-to-remember passwords — you can only hold so many of them in your head, so you’re bound to reuse them. If you’re struggling to keep all your logins straight, you can also use a password manager like LastPass to store them somewhere secure.

3. Keep an eye on your email

If you receive an email saying someone tried to reset your account, don’t ignore it. Someone might have typed your email into the login screen by accident, but it could also be an account takeover attempt. Follow up with the app or website’s tech support immediately.

4. Know when you’ve been SIM swapped

When a cybercriminal hijacks your phone number, it’s easy to tell: Your phone will suddenly have zero bars and no service. If that happens to you, contact your wireless provider immediately and work on getting your phone number back. In the meantime, keep a close eye on any accounts that use two-factor authentication with your phone.

5. Check regularly for data breaches

As mentioned above, data breaches are an important source of information for cybercriminals to use in any type of account takeover attack. To make sure your information is safe, regularly input your email address into a website like haveibeenpwned.com to see if any associated accounts have been compromised. If one of your accounts was compromised in a breach, change the password immediately. If you use the same email for many accounts, those other accounts may be at risk, too, so consider changing more than just the one password.

The cybercriminal next door

Getting hacked is always unsettling, even if you regain access and secure your account before too much damage is done. It’s an unpleasant reminder that few digital platforms and tools are quite as secure as we wish they would be. In a world where the cybercriminal stealing your Twitter account could literally be the kid next door, it makes sense to be careful and take every precaution — whether you have a high-value OG username or not.

By Magali Vander Vorst, Marketing Content Manager, NuData Security