sending the 2FA code, preventing a user from getting phished. Though the focus of this investigation was on Google accounts, the lessons learned generalize well across email providers.
Discovery of services. The investigation of hack-for-hire services began by searching English, Chinese, and Russian black market forums for advertisements related to targeted account hijacking. We also searched Google for hijacking-specific keywords to identify services with public-facing storefronts, and we contacted the abuse teams of large Internet companies for leads on any such services they were tracking. In all, 27 prospective hack-for-hire services were identified. The majority of these services advertised in Russian, and ranged anywhere in price from $23 to $500 per contract.
Posing as a buyer. For every hack-for-hire service contacted, we communicated via a unique “buyer persona” to protect our identity and to avoid linking our interactions across services. Each persona involved selecting a name in the native language of the hack-for-hire service. For example, if the service advertised in Russian, then we chose a common first and last name in Russian for our persona. We also created a Google account for each persona to use for all email communication. For non-English services, a native speaker performed all translation when communicating.
Selecting a victim. When contracting hack-for-hire services, we created a victim persona to serve as a target. The victim persona was given a large digital footprint to craft a realistic online presence. This meant creating a name and Google account for the victim in a similar fashion to the buyer persona. The victim persona’s inbox was populated with a subset of messages from the Enron email corpus to give the impression that the Google account was in active use [2]. We replaced the names and other identifying information from the Enron messages with the victim’s information. Moreover, the victim persona’s Gmail address was protected by SMS 2FA, the most widely used form of 2FA today [1]. This was used to determine if the hack-for-hire services would be able to bypass this type of protection.

In addition, we created a Web page that advertised a small business that the victim either owned or worked at. We purchased the domains of the Web pages from auction to ensure each domain had prior history. We also purchased privacy protection for each of the domains to protect the registration information (one recent study showed that 20 percent of domains are protected in this fashion, so we did not expect privacy protection to raise any red flags [8]). This webpage linked to the victim’s email address, as well as a fictitious associate’s email address. In this way we could determine if