Netherlands Police is reaching out to potential victims via email this week after finding the cache of credentials on the seized laptop, which were used to illegally access victims’ email and social media accounts, commit fraud and identity theft.
The developer acquired the trove of credentials over several years from 140 websites he’d built for business customers in the Netherlands. Besides building e-commerce features, he’d planted a hidden script to capture their customers’ credentials for the online stores.
“Those credentials he then used to break into email and social media accounts of customers of those shops,” the police said.
It’s also reminded consumers to use different passwords for each online account, noting that in this case the man used logins he’d acquired from one online shop to access social media and email accounts.
The man’s motivation for running the racket was likely to feed his gambling addiction, according to police. He had used other people’s identity cards to register with online gambling sites, and used breached social media accounts to pose as family and dupe victims in to transferring money to an online payment service, which he then moved to credit cards and spent.
Police arrested the unnamed 35-year old developer in July after a two-and-a-half year investigation triggered by a report by a retailer over a single fraudulent order. The investigation was widened in mid-2016 after the scale of the fraud became clear. It then announced his arrest and activities in October, ahead of a court hearing.
Police say they’ve approached affected companies in the Netherlands, advising them to scan for the presence of the script. It also recommend using reputable web developers or to have the online shop vetted by someone other than the developer.
Scammers appear to have latched on to the plan to email victim accounts this week, with reports that people have received email that appear to be sent by the police with links in the body. Netherlands police noted the emails it’s sending this week contain no links as there's nothing to download.