Hackers For Hire To Hack

in hacking •  4 years ago 

Email accounts represent an enticing target for attackers, both for the
information they contain and the root of trust they provide to other
connected web services. While defense-in-depth approaches such as
phishing detection, risk analysis, and two-factor authentication help
to stem large-scale hijackings, targeted attacks remain a potent threat
due to the customization and effort involved. In this paper, we study
a segment of targeted attackers known as “hack for hire” services to
understand the playbook that attackers use to gain access to victim
accounts. Posing as buyers, we interacted with 27 English, Russian,
and Chinese blackmarket services, only five of which succeeded in
attacking synthetic (though realistic) identities we controlled. Attackers primarily relied on tailored phishing messages, with enough
sophistication to bypass SMS two-factor authentication. However,
despite the ability to successfully deliver account access, the market exhibited low volume and poor customer service, and had multiple
scammers. As such, we surmise that retail email hijacking has yet to
mature to the level of other criminal market segments.
It has long been understood that email accounts are the cornerstone
upon which much of online identity is built. They implicitly provide
a root of trust when registering for new services and serve as the
backstop when the passwords for those services must be reset. As
such, the theft of email credentials can have an outsized impact—
exposing their owners to fraud across a panoply of online accounts.
Unsurprisingly, attackers have developed (and sell) a broad range
of techniques for compromising email credentials, including exploiting password reuse, access token theft, password reset fraud
and phishing among others. While most of these attacks have a
low success rate, when applied automatically and at scale, they
can be quite effective in harvesting thousands if not millions of
accounts [27]. In turn, email providers now deploy a broad range
of friends or partner). Along with longitudinal pricing data, our study
provides a broad picture of how such services operate—both in their
interactions with buyers and the mechanisms they use (and do not
use) to compromise victims.
We confirm that such hack for hire services predominantly rely on
social engineering via targeted phishing email messages, though one
service attempted to deploy a remote access trojan. The attackers
customized their phishing lures to incorporate details of our fabricated business entities and associates, which they acquired either
by scraping our victim persona’s website or by requesting the details during negotiations with our buyer persona. We also found
evidence of re-usable email templates that spoofed sources of authority (Google, government agencies, banks) to create a sense of
urgency and to engage victims. To bypass two-factor authentication,
the most sophisticated attackers redirected our victim personas to a
spoofed Google login page that harvested both passwords and
SMS codes, checking the validity of both in real time. However, we
found that two-factor authentication still proved an obstacle: attackers doubled their price upon learning an account had 2FA enabled.
Increasing protections also appear to present a deterrent, with prices
for Gmail accounts at one service steadily increasing from $125 in
2017 to $400 today.
As a whole, however, we find that the commercialized account
hijacking ecosystem is far from mature. Just five of the services we
contacted delivered on their promise to attack our victim personas.
The others declined, saying they could not cover Gmail, or were
outright scams. We frequently encountered poor customer service,
slow responses, and inaccurate advertisements for pricing. Further,
the current techniques for bypassing 2FA can be mitigated with
the adoption of U2F security keys. We surmise from our findings,
including evidence about the volume of real targets, that the commercial account hijacking market remains quite small and niche. With
prices commonly in excess of $300, it does not yet threaten to make
targeted attacks a mass market threat.
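
Why a security key resists the real-time credential harvesting described above while an SMS code does not, shown as an added example that is not from the original paper. It is a simplified model of the server-side checks: HMAC stands in for the ECDSA signature a real U2F key produces, and the origins, the one-time code and all function names are constructed for illustration.

```python
import hashlib, hmac, json, secrets

RP_ORIGIN = "https://accounts.example.com"        # constructed legitimate origin
LOOKALIKE = "https://accounts.example-login.test"  # constructed look-alike origin

def verify_sms_code(expected, submitted):
    # An SMS code says nothing about the page it was typed into, so the
    # server cannot tell a code entered on a look-alike site from a genuine one.
    return hmac.compare_digest(expected, submitted)

class SecurityKey:
    """Toy authenticator; HMAC stands in for the ECDSA signature of a real key."""
    def __init__(self):
        self._secret = secrets.token_bytes(32)

    def sign(self, client_data):
        digest = hashlib.sha256(client_data).digest()
        return hmac.new(self._secret, digest, hashlib.sha256).digest()

def browser_client_data(challenge, page_origin):
    # The browser, not the page, fills in the origin it is actually displaying.
    return json.dumps({"challenge": challenge, "origin": page_origin},
                      sort_keys=True).encode()

def verify_assertion(key, challenge, client_data, signature):
    # Relying-party checks: signature first, then challenge, then origin.
    if not hmac.compare_digest(key.sign(client_data), signature):
        return "bad signature"
    data = json.loads(client_data)
    if data["challenge"] != challenge:
        return "wrong challenge"
    if data["origin"] != RP_ORIGIN:
        return "origin mismatch"
    return "ok"

def demo():
    key, challenge, otp = SecurityKey(), secrets.token_hex(16), "492013"
    genuine = browser_client_data(challenge, RP_ORIGIN)
    relayed = browser_client_data(challenge, LOOKALIKE)
    return {
        "sms_code_forwarded": verify_sms_code(otp, otp),
        "key_on_real_site": verify_assertion(key, challenge, genuine, key.sign(genuine)),
        "key_on_lookalike": verify_assertion(key, challenge, relayed, key.sign(relayed)),
        # Swapping in the genuine client data after signing breaks the signature.
        "key_origin_rewritten": verify_assertion(key, challenge, genuine, key.sign(relayed)),
    }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The SMS check accepts the code regardless of where it was entered, whereas the signed assertion is rejected unless the browser-reported origin matches the one the server expects.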
2 METHODOLOGY
In this section we describe our methodology for creating realistic,
but synthetic, victims to use as targets, the infrastructure we used to
monitor attacker activity, and the services we engaged with to hack
into our victim email accounts. We also discuss the associated legal
and ethical issues and how we addressed them in our work.
2.1 Victims
We created a unique victim persona to serve as the target of each
negotiation with a hack for hire service. We never re-used victim
personas between services, allowing us to attribute any attacks deployed against the persona back to the service we hired. In creating victim personas, we spent considerable effort to achieve three goals:
• Victim verisimilitude. We created synthetic victims that appeared
sufficiently real that the hacking services we hired would treat
them no differently from other accounts that they are typically
hired to hack into.

• Account non-attributability. We took explicit steps to prevent
attackers from learning our identities while we engaged with them
as buyers, when they interacted with us as victims, and even if
they successfully gained access to a victim email account.
