ly on Google—because of legal constraints—many of the hack-for-hire services we interacted with also purported to be capable of breaking into other types of accounts. Figure 4 shows the prices of the hack-for-hire services as of Oct. 10, 2018. All prices are in U.S. dollars, converted from rubles. An indicates that the service's advertised price was lower than the final payout requested.
Across these five services, hijacking Russian email providers was the least expensive offering, while hijacking a Google or Yahoo account was the most expensive. Breaking into a social media account fell between these two extremes. The advertisements for one of the services exhibited prices that changed over time, shown in Figure 5. The price of Google account hacking increased the most—from $123 to $384 per account over two years—while the cost of Russian email provider hacking has remained largely the same. These differences and price changes are probably the result of a multitude of factors such as demand, changes in security, and competition from other services.
Victims over time. Of the 27 unique services we contracted, only three were able to log into the victim email accounts successfully. Google analyzed the metadata associated with the successful login attempts and found that all three services relied on an identical automation process for checking password validity, bypassing any security obstacles such as 2FA, and downloading the victim's email archive. While the email sender and delivery addresses differed among the various contracts, the login automation process was the same across the eight months these services were contracted. Google was able to create a signature for this automated login fingerprint and retroactively analyze how many Gmail accounts had a suspicious login attempt.
Google identified 372 accounts targeted by this automated login framework from Mar. 16, 2018, to Oct. 15, 2018, or about one in every one million Google users. Figure 6 shows the weekly breakdown of the number of targeted Google accounts. Be aware that these numbers are lower bounds, since we cannot infer how many users were targeted by these services but did not click on the link (or provide their information to grant access), only how many users had an account that was accessed by these services. Despite these limitations, the volume of activity for hack-for-hire services is quite small when compared with other services such as off-the-shelf phishing kits, which impact more than 12 million users a year [13]. We suspect the hack-for-hire market is small compared with other markets, such as malware distribution.
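The retrospective analysis described above, as an added example that is not Google's code or the article's: a signature for the login automation is matched against authentication events, and the matching sessions are counted per week as a lower bound on targeted accounts. The signature (password check, relayed one-time code, mailbox export inside a short window), the event names, and the log lines are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed signature (not Google's): one session's full event list, inside WINDOW.
SIGNATURE = ("password_ok", "otp_ok", "mailbox_export")
WINDOW = timedelta(minutes=10)

# Constructed auth log: "<ISO timestamp> <account> <session> <event>"
SAMPLE_LOG = """\
2018-03-19T10:00:01 alice s1 password_ok
2018-03-19T10:00:03 alice s1 otp_ok
2018-03-19T10:00:09 alice s1 mailbox_export
2018-03-20T08:15:00 bob s2 password_ok
2018-03-20T08:15:05 bob s2 otp_ok
2018-03-21T09:00:00 carol s3 password_ok
2018-03-21T09:00:02 carol s3 otp_ok
2018-03-21T11:30:00 carol s3 mailbox_export
2018-03-27T12:00:00 dave s4 password_ok
2018-03-27T12:00:02 dave s4 otp_ok
2018-03-27T12:00:20 dave s4 mailbox_export
2018-03-27T13:00:00 alice s5 password_ok
2018-03-27T13:00:01 alice s5 otp_ok
2018-03-27T13:00:04 alice s5 mailbox_export
"""

def parse_log(text):
    """Yield (timestamp, account, session, event) per log line."""
    for line in text.splitlines():
        ts, account, session, event = line.split()
        yield datetime.fromisoformat(ts), account, session, event

def matching_sessions(records):
    """Sessions whose ordered events equal SIGNATURE inside WINDOW; bob stops early, carol is too slow."""
    by_session = defaultdict(list)
    for ts, account, session, event in records:
        by_session[(account, session)].append((ts, event))
    hits = {}
    for key, evs in by_session.items():
        evs.sort()
        if tuple(e for _, e in evs) == SIGNATURE and evs[-1][0] - evs[0][0] <= WINDOW:
            hits[key] = evs[0][0]
    return hits

def weekly_targeted_accounts(hits):
    """Distinct accounts hit per ISO week; a lower bound, as in the article."""
    weeks = defaultdict(set)
    for (account, _), ts in hits.items():
        year, week, _ = ts.isocalendar()
        weeks[(year, week)].add(account)
    return {wk: len(accts) for wk, accts in sorted(weeks.items())}
```

A session that never completes (the victim did not supply a code) leaves no match, which is exactly why the per-week count is a lower bound on targeting.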
Discussion
Overall, hack-for-hire services charging $100–$400 per contract were found to produce sophisticated, persistent, and personalized attacks able to bypass 2FA via phishing. The demand for these services, however, appears to be limited to a niche market, as evidenced by the small number of discoverable services, an even smaller number of successful services, and the fact that these attackers target only about one in a million Google users. Moreover, this market suffers from poor customer service, as many of the services were slow or inconsistent in their responses to our buyer personas.
Regardless of the behavior of the market, this study sheds light on the importance of security keys for populations who believe they are at risk, as only a security key can protect a user from the attacks observed in this study. As the market evolves and defenses change, however, attacks might also change and shift from phishing to more persistent threats such as malware.
In conjunction with this study, Google introduced two new defenses to help protect against man-in-the-middle phishing, which in turn would protect against these services. Google now runs additional heuristics when you log in, and also prevents some forms of automated login frameworks. In addition, two of the services have nearly doubled the price of hacking Google accounts since Google rolled out the new protections to users, although it is not known if this price hike is coincidental or was caused by the increased Google protections.
Acknowledgments
Thanks to the co-authors of the original research publication for their feedback in writing this article: Kurt Thomas, Geoffrey M. Voelker, Joe DeBlasio, and Stefan Savage. Thanks to Mikhail Kolomogorov for his significant assistance, as well as translation help from Kirill Levchenko, Vector Guo Li, and Ivan Mikhailin. And thanks to Shawn Loveland, Elie Bursztein, Angelika Moscicki, Tadek Pietraszek, and Kashyap Puranik. This work was supported in part by NSF grants CNS-1629973 and CNS-1705050, and DHS grant AFRL-FA8750-18-2-0087.
Related articles on queue.acm.org
Criminal Code
Thomas Wadlow, Vlad Gorelik
https://queue.acm.org/detail.cfm?id=1180192
The Seven Deadly Sins of Linux Security
Bob Toxen
https://queue.acm.org/detail.cfm?id=1255423
The Web Won't Be Safe or Secure until We Break It
Jeremiah Grossman
https://queue.acm.org/detail.cfm?id=2390758
References
1. Anise, O., and Lady, K. State of the auth: Experiences and perceptions of multi-factor authentication. Duo Security, 2017; https://duo.sc/2kmOBid.
2. Cohen, W. W. Enron email dataset, 2015; https://www.cs.cmu.edu/~enron/.
3. Coonce, S. The most expensive lesson of my life:
Protection Program; https://support.google.com/a/
answer/9010419.
5. Google. Protect your business with 2-Step Verification; https://support.google.com/a/answer/175197.
6. Google. Verify a user's identity with extra security; https://support.google.com/a/answer/6002699.
7. Honan, M. How Apple and Amazon security flaws led to my epic hacking. Wired; https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/.
8. Liu, S., Foster, I., Savage, S., Voelker, G.M., and Saul, L.K. Who is .com? Learning to parse WHOIS records. In Proceedings of the ACM Internet Measurement Conf., 2015, 369–380; https://dl.acm.org/citation.cfm?id=2815675.2815693.
9. Matishak, M. How Podesta became a cybersecurity poster child. Politico, 2016; https://politi.co/2m4fNmd.
10. Mirian, A., DeBlasio, J., Savage, S., Voelker, G.M., and Thomas, K. Hack for hire: Exploring the emerging market for account hijacking. In Proceedings of the World Wide Web Conf., 2019, 1279–1289; https://dl.acm.org/citation.cfm?id=3313489.
11. Onaolapo, J., Mariconti, E., and Stringhini, G. What happens after you are pwnd: Understanding the use of leaked webmail credentials in the wild. In Proceedings of the ACM Internet Measurement Conf., 2016, 65–79; https://dl.acm.org/citation.cfm?id=2987475.
12. Thomas, K. et al. Framing dependencies introduced by underground commoditization. In Proceedings of the Workshop on the Economics of Information Security, 2015.
13. Thomas, K. et al. Data breaches, phishing, or malware? Understanding the risks of stolen credentials. In Proceedings of the ACM Conf. on Computer and Communications Security, 2017, 1421–1434; https://dl.acm.org/citation.cfm?id=3134067.
Ariana Mirian is a Ph.D. student in the computer science and engineering department at the University of San Diego, CA, USA, where she focuses on understanding security and privacy via an empirical lens.
Copyright held by author/owner.
Publication rights licensed to ACM.