Many online hacker-for-hire services are scams or are simply ineffective. That is the finding of the recently published study Hack for Hire: Exploring the Emerging Market for Account Hijacking by Google and researchers from the University of California, San Diego, as reported by ZDNet.
The researchers created unique online buyer personas to contact the hacking services. According to the study, 10 of the 27 services approached never responded to their enquiries. 12 responded but never attempted an attack. Only 5 services actually launched attacks on the honeypot Gmail accounts the researchers had set up as targets.
Honeypot accounts are used to lure attackers: a security mechanism for detecting and studying attempts at unauthorised use of information systems. They look like legitimate, valuable targets at first sight, but are in fact isolated and closely monitored, so that every attempt to access them is recorded and can be blocked.
"These accounts allowed us to capture important interactions with the victim and other fabricated aspects of the online persona we had created (e.g. business web servers and the email addresses of friends or a partner)," according to the researchers.
Of the 12 hacking services that never carried out an attack, 9 indicated that they no longer hack Gmail accounts. The remaining 3 turned out to be pure scammers.
Spearphishing
The hacking services usually charge between $100 and $400 to launch an attack; in 2017 the average price was still around $125. The services do not use automated tools, and the attacks almost always come down to social engineering, specifically spearphishing, in which the attacker uses the victim's personal data to win their trust.
A number of the hackers asked for more information about the victim. Others did not bother and took the easy route of reusing phishing templates. One service tried to infect the fictitious victim with malware instead of phishing for the account credentials.
Another attacker was more advanced and managed to bypass two-factor authentication (2FA) by redirecting the victim to a fake Google login page. That page collected the password and the SMS code and checked both against the real service in real time, so the one-time code could be used before it expired.
"Overall, however, we see that the commercialised account hijacking ecosystem is far from mature. We often encountered poor customer service, slow responses and inaccurate pricing advertisements. Furthermore, current techniques for bypassing 2FA can be limited by the adoption of U2F security keys," the researchers conclude.
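The real-time relay attack described above, and the reason U2F keys resist it, can be modelled in a few dozen lines. The following is an added illustration written for this article, not code from the study or from Google: the origins, the victim's password and the login flow are constructed, and the security key is modelled as an HMAC over (challenge, origin) with a secret shared with the server, where a real U2F token uses an ECDSA signature checked with a registered public key. The origin-binding logic is the same either way: the browser reports the page it is really on, the key signs that origin along with the challenge, and the server only accepts assertions for its own origin.

```python
import hashlib
import hmac
import secrets

# Constructed values for the model: the real login origin, the attacker's
# look-alike origin and the victim's password. None of these come from the study.
REAL_ORIGIN = "https://accounts.example.com"
PHISH_ORIGIN = "https://accounts-example.com.evil.test"
VICTIM_PASSWORD = "correct horse battery staple"


class AccountServer:
    """The real site: password check, then either an SMS code or a key assertion."""

    def __init__(self, key_secret: bytes):
        self.key_secret = key_secret  # stands in for the key's registered public key
        self.pending_sms = None
        self.pending_challenge = None

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(password, VICTIM_PASSWORD)

    def send_sms(self) -> str:
        """Issue a single-use six-digit code; the return value is 'the victim's phone'."""
        self.pending_sms = f"{secrets.randbelow(10**6):06d}"
        return self.pending_sms

    def verify_sms(self, code: str) -> bool:
        ok = self.pending_sms is not None and hmac.compare_digest(code, self.pending_sms)
        self.pending_sms = None  # one attempt per code
        return ok

    def new_challenge(self) -> bytes:
        self.pending_challenge = secrets.token_bytes(32)
        return self.pending_challenge

    def verify_assertion(self, claimed_origin: str, tag: bytes) -> bool:
        """Accept only a tag computed over (challenge, REAL_ORIGIN). Because the
        origin is inside the signed data, the attacker can neither reuse a tag
        made on the phishing domain nor simply claim the real origin."""
        if self.pending_challenge is None or claimed_origin != REAL_ORIGIN:
            return False
        expected = hmac.new(self.key_secret,
                            self.pending_challenge + claimed_origin.encode(),
                            hashlib.sha256).digest()
        self.pending_challenge = None  # one attempt per challenge
        return hmac.compare_digest(tag, expected)


class SecurityKey:
    """Model of a U2F token: signs the challenge together with the origin the
    browser reports, and the browser reports the page it is really on."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def sign(self, challenge: bytes, origin: str) -> bytes:
        return hmac.new(self.secret, challenge + origin.encode(), hashlib.sha256).digest()


def relay_sms_login(server: AccountServer) -> bool:
    """The attack from the article: the phishing page forwards the password and
    the SMS code to the real site as the victim types them."""
    # 1. Victim enters the password on the phishing page; attacker forwards it at once.
    if not server.check_password(VICTIM_PASSWORD):
        return False
    # 2. The real site sends the code to the victim's phone.
    code_on_phone = server.send_sms()
    # 3. The phishing page asks for "the code we just sent"; the victim types it and
    #    the attacker forwards it before it expires. Nothing ties the code to the
    #    page it was entered on, so the relay succeeds.
    return server.verify_sms(code_on_phone)


def relay_key_login(server: AccountServer, key: SecurityKey) -> bool:
    """The same relay against a U2F-style key: the attacker fetches a real challenge
    and has the victim's browser sign it, but the browser binds the phishing origin."""
    if not server.check_password(VICTIM_PASSWORD):
        return False
    challenge = server.new_challenge()
    tag = key.sign(challenge, PHISH_ORIGIN)
    # Claiming the real origin fails the signature check; claiming the phishing
    # origin would fail the origin check. Either way the login is rejected.
    return server.verify_assertion(REAL_ORIGIN, tag)


def legitimate_key_login(server: AccountServer, key: SecurityKey) -> bool:
    """Control case: the victim on the real site, no relay."""
    if not server.check_password(VICTIM_PASSWORD):
        return False
    challenge = server.new_challenge()
    return server.verify_assertion(REAL_ORIGIN, key.sign(challenge, REAL_ORIGIN))


def run_scenarios() -> dict:
    secret = secrets.token_bytes(32)  # registered once; shared in this model
    server, key = AccountServer(secret), SecurityKey(secret)
    return {
        "sms_relay": relay_sms_login(server),            # True: SMS 2FA is relayed
        "key_relay": relay_key_login(server, key),       # False: origin binding blocks it
        "key_direct": legitimate_key_login(server, key), # True: the key works normally
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'login succeeded' if ok else 'login rejected'}")
```

The SMS scenario succeeds because a one-time code is just a secret the victim can be talked into typing anywhere; the key scenario fails because the victim's browser, not the attacker, decides which origin goes into the signed data. Note that the same model also shows why a relay can defeat TOTP apps, which issue origin-independent codes just like SMS does.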
This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.