Hack for Hire: Exploring the Emerging Market for Account Hijacking

Mirian, Ariana; DeBlasio, Joe; Savage, Stefan; Voelker, Geoffrey M.; Thomas, Kurt

doi:10.1145/3308558.3313489

Cited by 24 publications

(9 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Our study of the fraud market for Google services is related to other exploration of fraud markets [55,[74][75][76]. For instance, Dou et al [37] developed a honeypot app and collect data to detect fraudulent bot-generated downloads.…”

Section: Related Workmentioning

confidence: 99%

“…For instance, Dou et al [37] developed a honeypot app and collect data to detect fraudulent bot-generated downloads. Mirian et al [55] explore the market for Gmail account hijacking by creating synthetic but realistic victim personas and hiring services to hack into such accounts, while DeBlasio et al [36] characterize the search engine fraud ecosystem using ground truth data internal to the Bing search engine. Stringhini et al [74] studied Twitter follower markets by purchasing followers from different merchants and used such ground truth to discover patterns and detect market-controlled accounts in the wild.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

RacketStore: Measurements of ASO Deception in Google Play via Mobile and App Usage

Hernandez,

Recabarren,

Carbunar

et al. 2021

Preprint

View full text Add to dashboard Cite

Online app search optimization (ASO) platforms that provide bulk installs and fake reviews for paying app developers in order to fraudulently boost their search rank in app stores, were shown to employ diverse and complex strategies that successfully evade state-of-theart detection methods. In this paper we introduce RacketStore, a platform to collect data from Android devices of participating ASO providers and regular users, on their interactions with apps which they install from the Google Play Store. We present measurements from a study of 943 installs of RacketStore on 803 unique devices controlled by ASO providers and regular users, that consists of 58,362,249 data snapshots collected from these devices, the 12,341 apps installed on them and their 110,511,637 Google Play reviews. We reveal significant differences between ASO providers and regular users in terms of the number and types of user accounts registered on their devices, the number of apps they review, and the intervals between the installation times of apps and their review times. We leverage these insights to introduce features that model the usage of apps and devices, and show that they can train supervised learning algorithms to detect paid app installs and fake reviews with an F1-measure of 99.72% (AUC above 0.99), and detect devices controlled by ASO providers with an F1-measure of 95.29% (AUC = 0.95). We discuss the costs associated with evading detection by our classifiers and also the potential for app stores to use our approach to detect ASO work with privacy. CCS CONCEPTS• Security and privacy → Social network security and privacy; Social aspects of security and privacy;

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

RacketStore: Measurements of ASO Deception in Google Play via Mobile and App Usage

Hernandez,

Recabarren,

Carbunar

et al. 2021

Preprint

View full text Add to dashboard Cite

show abstract

“…Microsoft have been promoting password-less authentication both for business (Windows Hello for Business [23]) and other users (Microsoft Authenticator App [24]) and these can work well in a Microsoft environment. Instead of promoting 2FA based on text messages and one-time passwords, or proprietary solutions, in this paper we discuss how a greater emphasis should be placed on password-less solutions using public key cryptography, which offer far better levels of security (thwarting phishing attacks [26]), usability and reduced management costs [37].…”

Section: Adoption Of Password-less Authenticationmentioning

confidence: 99%

An Interoperable Architecture for Usable Password-Less Authentication

Casey¹,

Manulis

Newton

et al. 2020

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Passwords are the de facto standard for authentication despite their significant weaknesses. While businesses are currently focused on implementing multi-factor authentication to provide greater security, user adoption is still low. An alternative, WebAuthn, uses cryptographic key pairs to provide password-less authentication. WebAuthn has been standardised and is resilient to phishing attacks. However, its adoption is also very low; the barriers to adoption include usability and resilience of keys. We propose a novel architecture for password-less authentication designed to improve usability and deployability. Our architecture is based on the WebAuthn standards and supports registration and login to web-services. We support a WebAuthn authenticator that generates and uses the key pairs on the client device by providing resilience for these key pairs by using a backup key store in the cloud. We also propose a WebAuthn authenticator using a key store in the cloud so that passwordless authentication can be used interoperably between devices. We also assess the properties of these architectures against identified threats and how they can form the basis for improving usability and lowering the technical barriers to adoption of password-less authentication.

show abstract

“…I share our key findings here, but more details can be found in the full article. 10 Email lures and phishing. All of the attacks started with an email lure to the victim account.…”

Section: Hack-for-hire Playbookmentioning

confidence: 99%

Hack for hire

Mirian

2019

Commun. ACM

Self Cite

View full text Add to dashboard Cite

A SINGLE EMAIL address often underpins one's entire online identity, from banks, to business, to social media profiles and more. This identity is used not only when registering for this multitude of services, but also when passwords for these services must be reset. Thus, an attacker gaining access to an email account poses the risk of compromising all the other services tied to that account as well. Politicians, journalists, and cryptocurrency folks have all been the victims of targeted attacks that started with access to their email accounts that then wreaked havoc on other online accounts tied to those email accounts. 3,7,9 Since email accounts can provide a wealth of information, many types of attacks target them: password guessing, access token theft, password reset fraud, and phishing, to name a few. Email providers have added mechanisms such as security questions, spam filtering, and two-factor authentication to limit the success rate

show abstract

Hack for Hire: Exploring the Emerging Market for Account Hijacking

Cited by 24 publications

References 15 publications

RacketStore: Measurements of ASO Deception in Google Play via Mobile and App Usage

RacketStore: Measurements of ASO Deception in Google Play via Mobile and App Usage

An Interoperable Architecture for Usable Password-Less Authentication

Hack for hire

Contact Info

Product

Resources

About