October is a magical time for sports fans. Major League Baseball playoffs culminate in crowning a World Series champion, the National Football League season is well underway, and the National Basketball Association and National Hockey League tip-off and puck-drop, respectively.
While there are so many games, viewers may have trouble figuring out how to watch them. In recent years, games have been increasingly broadcast on cable television and subscription-only networks. In addition, each league offers streaming packages that can cost hundreds of dollars per year.
The price is presumably too steep for many fans, so they may look for illegal methods to tune in. One option is acquiring compromised streaming credentials on underground venues, including dark web markets and forums, as well as paste sites and messaging platforms such as Telegram.
25 MLB.TV accounts shared on an underground forum.
14 NFL Sunday Ticket accounts were shared on an underground forum. They include usernames and passwords.
Many actors offer credentials for free. “Free” is an attractive price, but this may cause many actors to attempt to log in, which raises the risk that the provider will detect the compromise.
Therefore, actors seeking more stable credentials might decide to pay. For under $10, actors can buy (theoretically) exclusive usernames and passwords, ensuring that the account is less likely to be shut down.
An NBA League Pass account for sale on an underground market for $5.99.
A Telegram message advertising a link to the actor’s market, which sells many accounts, including NFL Game Pass.
By the numbers
We took a closer look to understand the volume of pro sports streaming accounts shared on the underground. We searched underground forums, markets, and messaging platforms for the previous two years (10/1/20-9/30/22) and found 31,324 posts sharing or selling streaming accounts.
About 49% of these involved NBA League Pass credentials, while the NFL’s Sunday Ticket and Game Pass came in second. MLB was in third place, with the NHL a distant fourth.
We also looked into ESPN+, the online streaming service for the popular all-sports network. During the same period, it vastly outpaced all individual sports leagues combined; we found 59,148 posts referencing ESPN+ accounts. Often, these were shared in large quantities bundled with Disney+ accounts (as Disney owns ESPN).
450 Disney+ accounts, which include Hulu+ and ESPN+ access, shared on an underground market.
Attackers could have harvested these credentials in several ways. The first is through credential stuffing, in which attackers take usernames and passwords from large data breaches and use automated tools to try them against other services. As users tend to recycle passwords, many logins might be successful.
A second way to harvest passwords is by using infostealer malware. While this malware might be an attack vector for significant ransomware attacks, attackers can also use it to glean credentials for individual accounts.
Underground access markets list machines infected with infostealer malware by the millions, with access to an endpoint costing around $4-10. Their posts include lists of resources (logged-in accounts).
A compromised endpoint that includes access to NFL Game Pass.
We discovered 17,978 posts in access markets from the last two years that included credentials for a streaming service of one of the pro sports leagues. The distribution followed a similar pattern, with the NBA accounting for nearly 45%, followed by the NFL, MBL, and NHL.
While there were not many access market logins specifically for ESPN+, during this time, there were 212,441 listings selling access to compromised endpoints with access to Disney+.
Fortunately for the leagues, mitigating streaming credential theft is no Hail Mary. First, they should attempt to identify credential misuse by detecting anomalous logins. Second, they should monitor the underground to discover compromised credentials and pinpoint prominent actors that distribute them.
Users who pay hundreds of dollars for streaming access should protect their accounts with strong, unique passwords and multifactor authentication. They should also be wary of attempts to takeover accounts, such as phishing and social engineering. It’s a simple game plan, but it will get them into the endzone.