Communications of the ACM

ly on Google—because of legal constraints—many of the hack-for-hire services we interacted with also purported to be capable of breaking into other types of accounts. Figure 4 shows the prices of the hack-for-hire services as of Oct. 10, 2018. All prices are in U.S. dollars, converted from rubles. An indicates that the service’s advertised price was lower than the final payout requested.

Across these five services, hijacking Russian email providers was the least expensive offering, while hijacking a Google or Yahoo account was the most expensive. Breaking into a social media account fell in the middle of these two extremes. The advertisements for one of the services exhibited prices that changed over time, shown in Figure 5. The price of Google account hacking increased the most—from $123 to $384 per account over two years—while the cost of Russian email provider hacking has remained largely the same. These differences and price changes are probably the result of a multitude of factors such as demand, changes in security, and competition from other services.

Victims over time. Of the 27 unique services we contracted, only three were able to log into the victim email accounts successfully. Google analyzed associated metadata with the successful login attempts and found that all three services relied on an identical automation process for password validity checks, bypassing any security obstacles such as 2FA, and downloading the victim email archive. While the email sender and delivery addresses differed among the various contracts, the login automation process was the same across the eight months these services were contracted. Google was able to create a signature for this automated login fingerprint and retroactively analyze how many Gmail accounts had a suspicious login attempt.

Google identified 372 accounts tar-
geted by this automated login frame-
work from Mar. 16, 2018, to Oct. 15,
2018, or about one in every one million
Google users. Figure 6 shows the week-
ly breakdown of the number of tar-
geted Google accounts. Be aware that
these numbers are lower bounds, since
we cannot infer how many users were
targeted by these services but did not
click on the link (or provide their infor-
mation to grant access), only how many
users had an account that was accessed
by these services. Despite these limita-
tions, the volume of activity for hack-
for-hire services is quite small when
compared with other services such as
off-the-shelf phishing kits, which im-
pact more than 12 million users a year. 13
We suspect the hack-for-hire market is
small compared with other markets,
such as malware distribution.

Discussion

Overall, hack-for-hire services charging $100–$400 per contract were found to produce sophisticated, persistent, and personalized attacks able to bypass 2FA via phishing. The demand for these services, however, appears to be limited to a niche market, as evidenced by the small number of discoverable services, an even smaller number of successful services, and the fact that these attackers target only about one in a million Google users. Moreover, this market suffers from poor customer service, as many of the services were slow or inconsistent in their responses to our buyer personas.

Regardless of the behavior of the market, this study sheds light on the importance of security keys for populations who believe they are at risk, as only a security key can protect a user from the attacks viewed in this study. As the market evolves and defenses change, however, attacks might also change and shift from phishing to more persistent threats such as malware.

In conjunction with this study, Google introduced two new defenses to help protect against man-in-the-middle phishing, which in turn would protect against these services. Google now runs additional heuristics when you log in, and also prevents some forms of automated login frameworks. In addition, two of the services have nearly doubled the price of hacking Google accounts since Google rolled out the new protections to users, although it is not known if this price hike is coincidental or was caused by the increased Google protections.

Acknowledgments

Thanks to the co-authors of the origi-
nal research publication for their
feedback in writing this article: Kurt
Thomas, Geoffrey M. Voelker, Joe De-
Blasio, and Stefan Savage. Thanks to
Mikhail Kolomogorov for his signifi-
cant assistance, as well as translation
help from Kirill Levchenko, Vector Guo
Li, and Ivan Mikhailin. And thanks to
Shawn Loveland, Elie Bursztein, An-
gelika Moscicki, Tadek Pietraszek,
and Kashyap Puranik. This work was
supported in part by NSF grants CNS-
1629973 and CNS-1705050, and DHS
grant AFRL-FA8750-18-2-0087.

Related articles on queue.acm.org

Criminal Code

Thomas Wadlow, Vlad Gorelik https://queue.acm.org/detail.cfm?id=1180192

The Seven Deadly Sins of Linux Security Bob Toxen https://queue.acm.org/detail.cfm?id=1255423 The Web Won’t Be Safe or Secure until We Break It

Jeremiah Grossman https://queue.acm.org/detail.cfm?id=2390758

References

1. Anise, O., and Lady, K. State of the auth: Experiences and perceptions of multi-factor authentication. Duo Security, 2017; https://duo.sc/2kmOBid.

2. Cohen, W. W. Enron email dataset, 2015; https://www. cs.cmu.edu/~enron/.

3. Coonce, S. The most expensive lesson of my life: Protection Program; https://support.google.com/a/ answer/9010419.

5. Google. Protect your business with 2-Step Verification; https://support.google.com/a/answer/175197.

6. Google. Verify a user’s identity with extra security; https://support.google.com/a/answer/6002699.

7. Honan, M. How Apple and Amazon security flaws led to my epic hacking. Wired; https://www.wired. com/2012/08/apple-amazon-mat-honan-hacking/.

8. Liu, S., Foster, I., Savage, S., Voelker, G.M., Saul, L.K. Who is .com? Learning to parse WHOIS records.

In Proceedings of the ACM Internet Measurement Conf., 2015, 369–380; https://dl.acm.org/citation. cfm?id=2815675.2815693.

9. Matishak, M. How Podesta became a cybersecurity poster child. Politico 2016; https://politi.co/2m4fNmd.

10. Mirian, A., DeBlasio, J., Savage, S., Voelker, G.M., Thomas, K. Hack for hire: Exploring the emerging market for account hijacking. In Proceedings of the World Wide Web Conf., 2019, 1279–1289; https:// dl.acm.org/citation.cfm?id=3313489.

11. Onaolapo, J., Mariconti, E., Stringhini, G. What happens after you are pwnd: Understanding the use of leaked webmail credentials in the wild. In Proceedings of the ACM Internet Measurement Conf., 2016, 65–79; https://dl.acm.org/citation.cfm?id=2987475.

12. Thomas, K. et al. Framing dependencies introduced by underground commoditization. In Proceedings of the Workshop on the Economics of Information Security, 2015.

13. Thomas, K. et al. Data breaches, phishing, or malware? Understanding the risks of stolen credentials. In Proceedings of the ACM Conf. Computer and Communications Security, 2017, 1421- 1434; https://dl.acm.org/citation.cfm?id=3134067.

Ariana Mirian is a Ph.D. student in the computer science and engineering department at the University of San Diego, CA, USA, where she focuses on understanding security and privacy via an empirical lens.