count, at-risk populations should use a security key as their 2FA protection, since a security key, unlike a code, cannot be phished.
Post compromise. Upon gaining access to a victim's account, hack-for-hire services set about removing any evidence of the compromise and ensuring that they can regain access if needed. Services that gained access to our victim accounts signed in to each account and removed all Google email notifications about a new-device sign-in from both the inbox and the trash. None of the services changed the password, but we did observe three services remove the 2FA method and recovery phone number from our victim accounts shortly after they gained entry. We presume they took this step to ensure the buyer could get into the account and so that the service itself could regain access, but we did not see any service log into the account again after the initial login. In essence, the services took precautions to remove their digital footprint from the Google accounts they were breaking into.
Once the email account was accessed, all but one of the services initiated Takeout, Google's data-portability feature, to download the victim account's email content, and delivered the resulting archive to the buyer persona. Only one service avoided logging into our victim account at all and handed the password to the buyer persona without using it first. These findings highlight an emerging risk with data portability and with regulations that streamline access to user data: while intended to improve usability, capabilities such as Takeout also make it easier for a single hijacking to expose all of a user's data to a service. Since this study, Google has added more step-up verification on sensitive account actions.
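The post-compromise sequence described above (a new-device sign-in, deletion of the sign-in alert from inbox and then trash, removal of the 2FA and recovery phone numbers, and a Takeout export) is also a detection opportunity for the account provider. The Python below is an added example, not code from the original study or from Google: it runs over a constructed event log in an invented schema (the field names, event types, indicator weights and the one-hour window are all assumptions) and flags accounts where a new-device login is followed by enough of these indicators.

```python
"""Flag accounts showing the post-compromise clean-up pattern.

Hypothetical event schema (an assumption, not a real Google log format):
each event is a dict with 'ts' (ISO 8601), 'account', 'type' and 'detail'.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; accounts, timestamps and schema are invented.
SAMPLE_EVENTS = [
    # Hijack: new-device login, alert scrubbed, 2FA/recovery removed, Takeout.
    {"ts": "2019-03-02T09:00:00", "account": "victim@example.com",
     "type": "login", "detail": "new_device"},
    {"ts": "2019-03-02T09:01:10", "account": "victim@example.com",
     "type": "mail_delete", "detail": "security_alert:new_device"},
    {"ts": "2019-03-02T09:01:30", "account": "victim@example.com",
     "type": "trash_purge", "detail": "security_alert:new_device"},
    {"ts": "2019-03-02T09:03:00", "account": "victim@example.com",
     "type": "2fa_removed", "detail": "phone"},
    {"ts": "2019-03-02T09:03:20", "account": "victim@example.com",
     "type": "recovery_phone_removed", "detail": ""},
    {"ts": "2019-03-02T09:10:00", "account": "victim@example.com",
     "type": "takeout_started", "detail": "mail"},
    # Benign: the owner logs in from a new phone and just reads the alert.
    {"ts": "2019-03-02T10:00:00", "account": "owner@example.com",
     "type": "login", "detail": "new_device"},
    {"ts": "2019-03-02T10:05:00", "account": "owner@example.com",
     "type": "mail_read", "detail": "security_alert:new_device"},
    # Benign: a Takeout export from an already-known device.
    {"ts": "2019-03-02T11:00:00", "account": "exporter@example.com",
     "type": "login", "detail": "known_device"},
    {"ts": "2019-03-02T11:30:00", "account": "exporter@example.com",
     "type": "takeout_started", "detail": "mail"},
]

# Indicators drawn from the behaviour described in the text; the weights
# and threshold are illustrative assumptions, not tuned values.
INDICATORS = {
    "alert_deleted": 1,     # new-device alert removed from the inbox
    "alert_purged": 2,      # ... and then purged from the trash as well
    "2fa_removed": 2,
    "recovery_removed": 2,
    "takeout_started": 2,
}
ALERT_THRESHOLD = 4
WINDOW = timedelta(hours=1)


def _parse(ts):
    return datetime.fromisoformat(ts)


def find_post_compromise(events, window=WINDOW, threshold=ALERT_THRESHOLD):
    """Return {account: (score, sorted indicator names)} for every account
    whose new-device login is followed within `window` by indicators whose
    combined weight reaches `threshold`."""
    by_account = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_account[ev["account"]].append(ev)

    flagged = {}
    for account, evs in by_account.items():
        for i, ev in enumerate(evs):
            if ev["type"] != "login" or ev.get("detail") != "new_device":
                continue
            start = _parse(ev["ts"])
            found = set()
            for later in evs[i + 1:]:          # events are sorted by time
                if _parse(later["ts"]) - start > window:
                    break
                kind, detail = later["type"], later.get("detail", "")
                if kind == "mail_delete" and detail.startswith("security_alert:"):
                    found.add("alert_deleted")
                elif kind == "trash_purge" and detail.startswith("security_alert:"):
                    found.add("alert_purged")
                elif kind == "2fa_removed":
                    found.add("2fa_removed")
                elif kind == "recovery_phone_removed":
                    found.add("recovery_removed")
                elif kind == "takeout_started":
                    found.add("takeout_started")
            score = sum(INDICATORS[name] for name in found)
            if score >= threshold:
                prev = flagged.get(account)
                if prev is None or score > prev[0]:
                    flagged[account] = (score, sorted(found))
    return flagged


if __name__ == "__main__":
    for account, (score, why) in find_post_compromise(SAMPLE_EVENTS).items():
        print(f"{account}: score={score} indicators={', '.join(why)}")
```

Because none of the observed services changed the password, a password-change event is deliberately not among the indicators; purging the alert from the trash is weighted above a plain deletion on the assumption that a legitimate owner who deletes a new-device alert rarely goes on to empty it from the trash within minutes.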
Real Victims and Market Activity
Based on our findings from this process, we analyzed the forums of the most successful services to understand their pricing for other targets. We also present an estimate of the number of real victims affected by these services, based on login traces from Google. Our findings suggest this market is quite niche.
Alternative services and pricing.
While our investigation focused main-
Figure 4. Purported prices to access various accounts.

Target      Service A   Service B   Service C   Service D*  Service E*
Mail.ru     $77         $77         $62         $54         $77
Rambler     $152        $108        $77         $77         $108
Yandex      $106        $108        $77         $77         $108
Gmail       $384        $385        $92         $77         Negotiable
Yahoo       $384        $231        $92         —           —
Facebook    $306        —           —           —           —
Instagram   $306        —           —           —           $231
Figure 5. Monthly prices for service A.
Figure 6. Accounts associated with hack-for-hire services.