research-article

Hack for Hire: Investigating the emerging black market of retail email account hacking services

Published: 01 August 2019

Abstract

Hack-for-hire services charging $100-$400 per contract were found to produce sophisticated, persistent, and personalized attacks that were able to bypass 2FA via phishing. The demand for these services, however, appears to be limited to a niche market, as evidenced by the small number of discoverable services, an even smaller number of successful services, and the fact that these attackers target only about one in a million Google users.

References

  1. Anise, O., Lady, K. 2017. State of the auth: experiences and perceptions of multi-factor authentication. Duo Security; https://duo.com/blog/state-of-the-auth-experiences-and-perceptions-of-multi-factor-authentication.
  2. Cohen, W. W. 2015. Enron email dataset; https://www.cs.cmu.edu/~enron/.
  3. Coonce, S. 2019. The most expensive lesson of my life: details of SIM port hack; https://medium.com/coinmonks/the-most-expensive-lesson-of-my-life-details-of-sim-port-hack-35de11517124.
  4. Google. Protect users with the Advanced Protection Program; https://support.google.com/a/answer/9010419.
  5. Google. Protect your business with 2-Step Verification; https://support.google.com/a/answer/175197.
  6. Google. Verify a user's identity with extra security; https://support.google.com/a/answer/6002699.
  7. Honan, M. 2012. How Apple and Amazon security flaws led to my epic hacking. Wired; https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/.
  8. Liu, S., Foster, I., Savage, S., Voelker, G. M., Saul, L. K. 2015. Who is .com? Learning to parse WHOIS records. In Proceedings of the ACM Internet Measurement Conference (IMC), 369-380; https://dl.acm.org/citation.cfm?id=2815675.2815693.
  9. Matishak, M. 2016. How Podesta became a cybersecurity poster child. Politico; https://www.politico.com/story/2016/10/john-podesta-cybersecurity-hacked-emails-230122.
  10. Mirian, A., DeBlasio, J., Savage, S., Voelker, G. M., Thomas, K. 2019. Hack for hire: exploring the emerging market for account hijacking. In Proceedings of the World Wide Web Conference (WWW), 1279-1289; https://dl.acm.org/citation.cfm?id=3313489.
  11. Onaolapo, J., Mariconti, E., Stringhini, G. 2016. What happens after you are pwnd: understanding the use of leaked webmail credentials in the wild. In Proceedings of the ACM Internet Measurement Conference (IMC), 65-79; https://dl.acm.org/citation.cfm?id=2987475.
  12. Thomas, K., Huang, D. Y., Wang, D., Bursztein, E., Grier, C., Holt, T., Kruegel, C., McCoy, D., Savage, S., Vigna, G. 2015. Framing dependencies introduced by underground commoditization. In Proceedings of the Workshop on the Economics of Information Security (WEIS).
  13. Thomas, K., Li, F., Zand, A., Barrett, J., Ranieri, J., Invernizzi, L., Markov, Y., Comanescu, O., Eranti, V., Moscicki, A., Margolis, D., Paxson, V., Bursztein, E. 2017. Data breaches, phishing, or malware?: understanding the risks of stolen credentials. In Proceedings of the ACM Conference on Computer and Communications Security, 1421-1434; https://dl.acm.org/citation.cfm?id=3134067.

    Reviews

    Eduardo B. Fernandez

    Email accounts usually include large amounts of sensitive information, including passwords for other accounts, financial information, contacts' information, business exchanges, and so on. Consequently, they make a valuable target for hackers. This has resulted in an emergent market for "hack-for-hire services," which provide targeted attacks for a rather small fee. A recent project was set up to study how hack-for-hire services attack victims and how effective they are. This article is a summary of this project; there is also a longer paper [1]. The researchers discovered 27 email hacking services, purchased these services, and then used them for eight months. Next they asked the hack-for-hire services to break into a set of fictitious victims; that is, they created a type of honeypot, with "buyer" and "victim" personas, and a monitoring framework to observe the behavior of the attacks. Although only five of the 27 hired services actually tried to break into the victim accounts, and only three were successful, the researchers were able to reach some valuable conclusions. Some of the attacks were quite sophisticated, bypassing SMS two-factor authentication (2FA), a common authentication protocol, via phishing. The authors recommend the use of universal 2nd factor (U2F) security keys because they cannot be broken by phishing. While this market is not yet a significant threat, it might become more effective in the future; thus their recommendations can be considered a serious warning. The article is clear and valuable for those interested in the modus operandi of Internet attacks.


    • Published in

      Queue  Volume 17, Issue 4
      Machine Learning, Security
      July-August 2019
      77 pages
      ISSN:1542-7730
      EISSN:1542-7749
      DOI:10.1145/3358955

      Copyright © 2019 ACM


      Publisher

      Association for Computing Machinery

      New York, NY, United States
