practice
A SINGLE EMAIL address often underpins one’s entire online identity, from banks, to business, to social media profiles and more. This identity is used not only when registering for this multitude of services, but also when passwords for these services must be reset. Thus, an attacker gaining access to an email account poses the risk of compromising all the other services tied to that account as well. Politicians, journalists, and cryptocurrency folks have all been the victims of targeted attacks that started with access to their email accounts and then wreaked havoc on other online accounts tied to those email accounts. [3, 7, 9]
Since email accounts can provide a wealth of information, many types of attacks target them: password guessing, access token theft, password reset fraud, and phishing, to name a few. Email providers have added mechanisms such as security questions, spam filtering, and two-factor authentication to limit the success rate of these attacks. [4–6, 12] These defenses prevent many compromises, thus increasing the sophistication and time needed to access accounts. Targeted attackers, however, are willing to put in the extra effort needed to access an account in the face of these large-scale defenses.
While targeted attacks are often thought of as requiring nation-state capabilities, there is an emerging black market for “hack-for-hire” services, which provide targeted attacks to anyone willing to pay a modest fee. These services purport to be able to break into the accounts of a variety of different email providers, an example of which is shown in Figure 1. As these services are just emerging, little is known about how they attack their victims and how much of a risk they pose.
To understand this risk, we investigated the hack-for-hire black market, identifying 27 retail email account hacking services and purchasing these services from them. Using covert identities, we engaged with these services to break into purported “victims”—in truth, Google accounts that we controlled. Working with Google, we recorded both our interactions with the hijackers and how these hijackers tried to attack our victims.
To Catch a Hijacker
As a whole, the targeted hijacking black market was riddled with scams, but a handful of services launched sophisticated attacks that leveraged phishing as their main attack vector. These attacks were persistent, personalized, and able to bypass SMS two-factor authentication (2FA). Using signals derived from these attacks to identify other victims, we estimate that attackers target about one in every million Google accounts.
Given the sophistication of the phishing attacks, we believe that the best line of defense for at-risk users is to protect accounts with universal 2nd factor (U2F) security keys as a 2FA mechanism. U2F security keys protect against sophisticated phishing attacks because the U2F protocol validates the domain before
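As an added example (not code from the article, Google, or any U2F implementation) of the domain validation just described: a stdlib-only Python model of a U2F assertion, using constructed origins and an HMAC secret standing in for the key's per-site signing key, which shows that an assertion signed while the browser is on a different domain is rejected by the legitimate site even when the attacker relays the genuine challenge.

```python
import hashlib, hmac, json, secrets

# Constructed origins for the example; neither is a real site.
RP_ORIGIN = "https://accounts.example"
PHISH_ORIGIN = "https://accounts-example.login-check.test"

class SecurityKey:
    """Toy U2F authenticator. A real key signs with a per-site ECDSA private key;
    an HMAC secret stands in for it here so the example runs on the stdlib alone."""
    def __init__(self):
        self.secret = secrets.token_bytes(32)
    def sign(self, origin, challenge):
        # The browser fills in the origin it is really connected to; the user cannot
        # override it, and that binding is what makes the assertion phishing-resistant.
        client_data = json.dumps({"typ": "navigator.id.getAssertion",
                                  "challenge": challenge, "origin": origin},
                                 sort_keys=True).encode()
        return client_data, hmac.new(self.secret, client_data, hashlib.sha256).digest()

class RelyingParty:
    """The legitimate site: it checks the origin inside the signed client data
    before it even looks at the signature."""
    def __init__(self, origin):
        self.origin, self.registered, self.challenges = origin, {}, {}
    def register(self, user, key):
        self.registered[user] = key.secret   # stands in for the registered public key

    def new_challenge(self, user):
        self.challenges[user] = secrets.token_hex(16)
        return self.challenges[user]

    def verify(self, user, client_data, sig):
        data = json.loads(client_data)
        if data["origin"] != self.origin:
            return "rejected: origin mismatch"
        if data["challenge"] != self.challenges.get(user):
            return "rejected: unknown challenge"
        expected = hmac.new(self.registered[user], client_data, hashlib.sha256).digest()
        return "accepted" if hmac.compare_digest(expected, sig) else "rejected: bad signature"

def login(via_origin):
    """Victim logs in with a key registered at RP_ORIGIN; via_origin is the site the
    browser is actually talking to. A relay proxy can forward the real challenge, just
    as it forwards an SMS code, but it cannot change the origin the browser signs."""
    key, rp = SecurityKey(), RelyingParty(RP_ORIGIN)
    rp.register("victim", key)
    client_data, sig = key.sign(via_origin, rp.new_challenge("victim"))
    return rp.verify("victim", client_data, sig)
```

`login(RP_ORIGIN)` is accepted, while `login(PHISH_ORIGIN)` fails on the origin check before the signature is considered, which is the property an SMS code lacks.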
Hack for Hire
DOI: 10.1145/3359386
Article development led by queue.acm.org
Investigating the emerging black market of retail email account hacking services.
BY ARIANA MIRIAN