Hack for Hire: Exploring the Emerging Market for Account Hijacking
Abstract
Email accounts represent an enticing target for attackers, both for
the information they contain and the root of trust they provide to
other connected web services. While defense-in-depth approaches such
as phishing detection, risk analysis, and two-factor authentication
help to stem large-scale hijackings, targeted attacks remain a potent
threat due to the customization and effort involved. In this paper, we
study a segment of targeted attackers known as ``hack for hire''
services to understand the playbook that attackers use to gain access
to victim accounts. Posing as buyers, we interacted with 27 English,
Russian, and Chinese blackmarket services, only five of which
succeeded in attacking synthetic (though realistic) identities we
controlled. Attackers primarily relied on tailored phishing messages,
with enough sophistication to bypass SMS two-factor
authentication. However, despite the ability to successfully deliver
account access, the market exhibited low volume, poor customer
service, and had multiple scammers. As such, we surmise that retail
email hijacking has yet to mature to the level of other criminal
market segments.
the information they contain and the root of trust they provide to
other connected web services. While defense-in-depth approaches such
as phishing detection, risk analysis, and two-factor authentication
help to stem large-scale hijackings, targeted attacks remain a potent
threat due to the customization and effort involved. In this paper, we
study a segment of targeted attackers known as ``hack for hire''
services to understand the playbook that attackers use to gain access
to victim accounts. Posing as buyers, we interacted with 27 English,
Russian, and Chinese blackmarket services, only five of which
succeeded in attacking synthetic (though realistic) identities we
controlled. Attackers primarily relied on tailored phishing messages,
with enough sophistication to bypass SMS two-factor
authentication. However, despite the ability to successfully deliver
account access, the market exhibited low volume, poor customer
service, and had multiple scammers. As such, we surmise that retail
email hijacking has yet to mature to the level of other criminal
market segments.
Research Areas
