of defenses to address such threats—including challenge questions
to protect password reset actions, mail scanning to filter out clear
phishing lures, and two-factor authentication mechanisms to protect
accounts against password theft [7–9]. Indeed, while few would
claim that email account theft is a solved problem, modern defenses
have dramatically increased the costs incurred by attackers and thus
reduce the scale of such attacks.
However, while these defenses have been particularly valuable
against large-scale attacks, targeted attacks remain a more potent
problem. Whereas attackers operating at scale expect to extract small
amounts of value from each of a large number of accounts, targeted
attackers expect to extract large amounts of value from a small
number of accounts. This shift in economics in turn drives an entirely
different set of operational dynamics. Since targeted attackers focus
on specific email accounts, they can curate their attacks accordingly
to be uniquely effective against those individuals. Moreover, since
such attackers are unconcerned with scale, they can afford to be far
nimbler in adapting to and evading the defenses used by a particular
target. Indeed, targeted email attacks—including via spear-phishing
and malware—have been implicated in a wide variety of high-profile
data breaches against government, industry, NGOs and universities
alike [10, 12, 13, 31].
While such targeted attacks are typically regarded as the domain
of sophisticated adversaries with significant resources (e.g., state actors, or well-organized criminal groups with specific domain knowledge), it is unclear whether that still remains the case. There is a long
history of new attack components being developed as vertically integrated capabilities within individual groups and then evolving into
commoditized retail service offerings over time (e.g., malware authoring, malware distribution, bulk account registration, AV testing,
etc. [27]). This transition to commoditization is commonly driven
by both a broad demand for a given capability and the ability for
specialists to reduce the costs in offering it at scale.
In this paper, we present the first characterization of the retail
email account hacking market. We identified dozens of underground
“hack for hire” services offered online (with prices ranging from
$100 to $500 per account) that purport to provide targeted attacks to
all buyers on a retail basis. Using unique online buyer personas, we
engaged directly with 27 such account hacking service providers and
tasked them with compromising victim accounts of our choosing.
These victims in turn were “honey pot” Gmail accounts, operated in
coordination with Google, and allowed us to record key interactions
with the victim as well as with other fabricated aspects of their online
persona that we created (e.g., business web servers, email addresses
Range of attacker options. We did not know a priori what methods
the hacking services would use to gain access to victim email
accounts. Since there are many possibilities, including brute-force
password attacks, phishing attacks on the victim, and malwarebased attacks on the victim’s computers, we created a sufficiently hack instagram account
rich online presence to give attackers the opportunity to employ a
variety of different approaches.
The remainder of this section details the steps we took to achieve
these goals when creating fictitious victims, the monitoring infrastructure we used to capture interactions with our fake personas, and hire a hacker
the selection of “hack for hire” services we engaged with.
Victim Identities. Each victim profile consisted of an email address, a strong randomly-generated password, and a name. While
each of our victims ‘lived’ in the United States, in most cases
we chose popular first and last names for them in the native language of the hacking service, such as “Natasha Belkin” when hiring a Russian-language service.1 The email address for the victim
was always a Gmail address related to the victim name to further
reinforce that the email account was related to the victim (e.g.,
[email protected]). We loaded each email account
with a subset of messages from the Enron email corpus to give the
impression that the email accounts were in use [5]. We changed
names and domains in the Enron messages to match those of our
victim and the victim’s web site domain (described below), and also
changed the dates of the email messages to be in this year.
Each victim Gmail account used SMS-based 2-Factor Authentication (2FA) linked to a unique phone number.2 As Gmail encourages
users to enable some form of 2FA, and SMS-based 2FA is the most
utilized form, configuring the accounts accordingly enabled us to
explore whether SMS-based 2FA was an obstacle for retail attackers
who advertise on underground markets [1] (in short, yes, as discussed
in detail in Section 3.4).
Online Presence. For each victim, we created a unique web site to
enhance the fidelity of their online identity. These sites also provided
an opportunity for attackers to attempt to compromise the web server
as a component of targeting the associated victim (server attacks
did not take place). Each victim’s web site represented either a
fictitious small business, a non-governmental organization (NGO),
or a blog. The sites included content appropriate for its purported
function, but also explicitly provided contact information (name
and email address) of the victim and their associates (described
shortly). We hosted each site on its own server (hosted via thirdparty service providers unaffiliated with our group) named via a
unique domain name. We purchased these domain names at auction
to ensure that each had an established registration history (at least
one year old) and the registration was privacy-protected to prevent
post-sale attribution to us (privacy protection is a common practice;
one recent study showed that 20% of .com domains are registered
in this fashion [17]). The sites were configured to allow third-party
crawling, and we validated that their content had been incorporated
into popular search engine indexes before we contracted for any
hacking services. Finally, we also established a passive Facebook
