Dutch police have warned 20,000 email users to change their logins after discovering the addresses on the computer of a rogue web developer who harvested them from websites into which he’d inserted covert access.
The investigation into the unnamed 35 year-old Dutch web developer dates back over two years and seems to have ended up being more like peeling back the layers of an onion than the examination of a digital crime scene.
Suspicions were first aroused in November 2014 when a member of the public filed a police report claiming that someone had ripped off their financial credentials to buy goods.
As more complaints surfaced and police started joining dots, their attention turned to an individual who’d been hired to build e-commerce websites for a range of companies.
By the time he was arrested in July 2016, police had worked out that the site-building operation was a front for a crime operation that sniffed user names and passwords using scripts hidden on those sites.
It’s not clear from the Dutch police account whether this might be better described a classic “backdoor” or an elaborate keylogging operation but the effect was much the same: anyone who used websites built by the accused could be targeted for money and goods fraud.
From an initial victim list of 140 cases last year, police now estimate that the email and social media accounts of up to 20,000 people were accessed, hence the urgency of new warnings.
What’s clear is this was no opportunist crime. The accused gambled using other people’s identities and even impersonated people on social media to persuade their relatives to give him money.
To make matters worse, police believe other scammers might now be exploiting the incident to target Dutch users with bogus police warnings contain a malicious download.
As unusual as this kind of web developer crime might be, the first takeaway is for companies to do due diligence on people handed the job of building e-commerce sites.
But a more mundane them worth paying attention to is the way that password stuffing using the same password on lots of sites makes this kind of crime possible. Rid the world of that wholly avoidable flaw and a lot of the damage done by ‘Mr BadDev’ wouldn’t have been possible in the first place.