DOI: 10.1145/3308558.3313489
Research article, open access

Hack for Hire: Exploring the Emerging Market for Account Hijacking

Published: 13 May 2019

Abstract

Email accounts represent an enticing target for attackers, both for the information they contain and for the root of trust they provide to other connected web services. While defense-in-depth approaches such as phishing detection, risk analysis, and two-factor authentication help to stem large-scale hijackings, targeted attacks remain a potent threat because of the customization and effort involved. In this paper, we study a segment of targeted attackers known as “hack for hire” services to understand the playbook that attackers use to gain access to victim accounts. Posing as buyers, we interacted with 27 English, Russian, and Chinese blackmarket services, only five of which succeeded in attacking synthetic (though realistic) identities we controlled. Attackers primarily relied on tailored phishing messages, with enough sophistication to bypass SMS two-factor authentication. However, despite the ability to successfully deliver account access, the market exhibited low volume and poor customer service, and it had multiple scammers. As such, we surmise that retail email hijacking has yet to mature to the level of other criminal market segments.



Published In

WWW '19: The World Wide Web Conference, May 2019, 3620 pages
ISBN: 9781450366748
DOI: 10.1145/3308558

In-Cooperation

  • IW3C2: International World Wide Web Conference Committee

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. account compromise
  2. email security
  3. hacking
  4. phishing

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

WWW '19
WWW '19: The Web Conference
May 13 - 17, 2019
San Francisco, CA, USA

Acceptance Rates

Overall Acceptance Rate 1,899 of 8,196 submissions, 23%
