A vast majority of research focuses on
automated and/or botnet exploits, which makes sense when considering the
number of victims affected. However, a research team from Google and
the University of California, San Diego chose a different path, looking
at "manual account hacking." Exploits that are rare -- less than nine
incidents for every one million people who use Google daily. "However,
the damage manual hijackers incur is far more severe and distressing to
users and can result in significant financial loss," the researchers
mention in their paper Handcrafted fraud and extortion: Manual account hijacking in the wild. "These needle-in-a-haystack attacks are very challenging and represent an ongoing threat to internet users.
Types of account hijacking
To start, there are two types of account hijacks: ●
Automated account hijacking: Attacks that try to compromise user
accounts via botnets or spam networks. This attack uses automated tools,
attempting to maximize the attacker's ROI by scamming a small amount of
money from thousands of victims. ● Manual account hijacking: The
bad guys hijack accounts looking for ways to steal money, ransom
applications or data, leverage contact information for future attacks,
or use sensitive personal data against the victim. To explain the
difference between automated exploits and manual attacks, the paper
mentions, "Manual hijackers spend significant non-automated effort on
profiling victims and maximizing the profit -- or damage -- they can
extract from a single credential."
Image: Google
The
graph to the right depicts the relationship between number of accounts
hijacked and the "depth of exploitation." It seems we can be thankful
the more prevalent automated exploits are less exploitative.
Steal email credentials and profile the victim
The
first step is stealing a victim's account login information. The paper
mentions the most sought-after account is email followed by online
financial accounts. For this discussion, the focus will be limited to
email-account hijacking. Once attackers have the login
information, they decide quickly whether the account is worth further
effort. The paper explains, "If the brief account value exploration
yields promising results, the hijackers spend an additional 15 to 20
minutes per account sifting through emails, and finding ways to monetize
the account." The hijackers are hoping to find emails holding
financial or personal data they can use on the current victim or improve
their chances of exploiting the victim's contacts by making the scam
email supposedly from the victim seem more realistic. The
profiling portion of the attack was of special interest to the
researchers. They mention, "This systematic assessment phase and the
fact that certain accounts are not exploited suggest that manual
hijackers are 'professional' and follow a well-established playbook
designed to maximize profits." The researchers offer more evidence that well-organized groups are behind manual account hijacks: ●
The individuals seemed to work according to a tight daily schedule.
They started around the same time every day, and had a synchronized,
one-hour lunch break. They were inactive over the weekends. ● All
individuals followed the same daily time table, defining when to
process the gathered password lists, and how to divide time between
ongoing scams and new victims. ● They were operating from
different IPs, on different victims, and in parallel with each other,
but the tools and utilities they used were the same. They also shared
certain resources such as phone numbers. More validation for experts who contend online-crime syndicates are run with business-like precision.
Exploiting the victim's contacts
Most
individuals, at one time or another, have received an email where
someone is in trouble and needs money. Almost at once the scam is
dismissed because the email -- an automated account hijacking attempt --
makes little sense. However, manual account hijacks are different.
Being non-automated, attackers can inject material to personalizing the
scam email. The research team mentions there is a distinct pattern to most of the scam emails. They all tend to have: ● A story with credible details to limit the victim suspicion. ● Words or phrases that evoke sympathy and aim to persuade. ●
An appearance of limited financial risk for the plea recipient as
financial requests are requests for a loan with concrete promises of
speedy repayment. ● Language that discourages the plea recipient
from trying to verify the story by contacting the victim through another
means of communication, often through claims that the victim's phone
was stolen. ● An untraceable, fast, and hard-to-revoke yet safe-looking money transfer mechanism.
Defense strategies
The
research paper then describes what email providers can do to prevent
manual account hacking. Sadly, there are precious few for-sure user
defenses other than second-factor authentication -- if it is available
use it. Two-factor authentication will thwart the bad guys.
Posts
