What Happens After You Are Pwned: Understanding The Use Of Leaked Webmail Credentials In The Wild
Jeremiah Onaolapo, Enrico Mariconti, and Gianluca Stringhini, University College London, [email protected]
ACM SIGCOMM Internet Measurement Conference (IMC’16), Santa Monica, CA, 14th November, 2016
Introduction
• Many services are hosted on the Web
• Valuable content in online accounts
  – Cloud storage, online dating, webmail, etc.
• Cybercriminals attack online accounts, sell credentials
(Bursztein et al. 2014; Herley and Florencio 2010; Stone-Gross et al. 2011)
Question
What happens to online accounts AFTER they are compromised by criminals?
Webmail Account “Hub”
A webmail account sits at the hub of, and gives access to:
• Cloud storage links
• Bank account details
• Password reset links
• Usernames and passwords
• Other sensitive info
Previous Work
• Malicious activity in webmail accounts (Bursztein et al. 2014)
• No publicly available infrastructure to monitor compromised webmail accounts
• Until now...
Our Contribution
• We developed an infrastructure to help researchers understand what happens to compromised webmail accounts (we release it publicly)
• We set up an instance to study actions and access patterns of cybercriminals on compromised webmail accounts
Our Pipeline
1. Create and populate honey accounts
2. Configure monitor infrastructure
3. Leak honey accounts
4. Record and analyze data
Our Infrastructure
• Honeypot system of webmail accounts and monitoring infrastructure
• Components
  – Webmail accounts (honey accounts)
  – Sinkhole mail server
  – Notification store
  – Mail client
  – Monitor scripts
  – Malware sandbox
Infrastructure Details
• Google Apps Script in honey accounts
  – Monitors actions in the accounts
• Other scripts log in periodically to collect information about accesses
  – IP addresses, timestamps of accesses, browser info, OS info, etc.
• Heartbeat messages
• Sinkhole mail server mitigates spam
Malware Sandbox
We wanted to simulate webmail login by humans on infected computers. Our infrastructure does the following:
• Host creates virtual machine (VM)
• VM requests (honey credentials, malware) from host
• VM installs malware on itself
• VM is now infected
Malware Sandbox
• VM runs script to start web browser
• Script performs login to honey account via web browser
• Malware steals honey credentials, sends them to C&C server
• Repeat the process
Malware operator harvests honey credentials later
Ethical Considerations
• Sinkhole mail server mitigates spam
• Close collaboration with Google to pay particular attention to honey accounts
• Bandwidth and traffic restrictions in malware sandbox (Rossow et al. 2012)
• Obtained ethics approval from UCL
Experiment Setup
• We created 100 Gmail honeypot accounts
• Populated them using the Enron corpus
• We leaked account credentials via popular paste sites, underground forums, and malware, thus mimicking the modus operandi of cybercriminals
Experiment Setup
• We included decoy UK and US location information in some leaks, not in others
  – London, UK and Pontiac, MI as midpoints
• The idea was to study the impact of availability of location information on illegitimate accesses
• We also leaked some credentials through malware
Formats Of Leaks
Three formats were used: bare credentials, credentials with UK decoy birth dates and locations, and credentials with US decoy birth dates and locations.

Gmail accounts LeAkEd!!!
[username1]:[password1]
[username2]:[password2]
…
[username10]:[password10]

.:.gmail login.:.
[username11]:[password11] 16 May 1990 Luton, UK
[username12]:[password12] 22 Aug 1974 Uxbridge, UK
…
[username20]:[password20] 5 Dec 1975 Slough, UK

Gmail logins hacked by .:pHisH3R:.
[username21]:[password21] 16 Jun 1979 Chicago, IL
[username22]:[password22] 15 Mar 1970 Indianapolis, IN
…
[username30]:[password30] 5 Sep 1989 Wichita, KS
Results As Of Feb. 2016
• Total number of honey accounts: 100
• Duration of experiment: 7 months
• Total number of unique accesses: 327
• Number of countries of accesses: 29
• We discovered some location tricks!
  – We plotted median distances from decoy locations
(Figure: median distance of accesses from the decoy midpoint, for leaks with and without decoy location information. Connections appear from locations closer to decoy cities when provided. UK decoy midpoint: London.)
(Figure: same plot for the US leaks. Connections appear from locations closer to decoy cities when provided. US decoy midpoint: Pontiac, MI.)
Types Of Accesses
• Curious – just check if accounts are real
• Gold Diggers – look for sensitive info
• Spammers – send spam
• Hijackers – change the password (locking the owner out)
(Types are not exclusive)
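As an added example, not the authors' infrastructure code (that is at the Bitbucket link at the end of the deck) and not run against Gmail: the Python below takes constructed access records of the shape the monitor scripts collect (IP address, timestamp, browser and OS info) together with the actions observed in the account, groups them into accesses, labels each access with the four types above, derives OS and browser from the user agent, and computes the median distance of access locations from the decoy midpoints used in the location trick. The log format, the grouping key (one access per account, IP and user agent), the outlet-to-region mapping, the decoy coordinates and the pre-resolved IP geolocation are all assumptions for the example.

```python
# Added example (not the authors' code): offline analysis of constructed honey-account
# access records, applying the paper's four access types and the decoy-distance check.
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from statistics import median

# Assumed decoy midpoints (approximate coordinates): London, UK and Pontiac, MI.
DECOY_MIDPOINTS = {"UK": (51.5074, -0.1278), "US": (42.6389, -83.2910)}
# Assumed mapping from leak outlet to the decoy region its locations pointed at.
OUTLET_REGION = {"paste_uk": "UK", "paste_us": "US"}

# Constructed sample log (not real data), one event per line:
# account|outlet|ip|timestamp|lat|lon|user_agent|event  (IP geolocation assumed pre-resolved)
SAMPLE_LOG = """\
acct01|paste_uk|203.0.113.5|2015-08-01T10:00:00|51.45|-0.97|Mozilla/5.0 (Windows NT 6.1) Chrome/44.0|login
acct01|paste_uk|203.0.113.5|2015-08-01T10:02:00|51.45|-0.97|Mozilla/5.0 (Windows NT 6.1) Chrome/44.0|search:bank
acct01|paste_uk|203.0.113.5|2015-08-01T10:05:00|51.45|-0.97|Mozilla/5.0 (Windows NT 6.1) Chrome/44.0|open_mail
acct02|paste_uk|198.51.100.7|2015-08-03T09:00:00|48.85|2.35|Mozilla/5.0 (Linux; Android 5.1) Chrome/43.0|login
acct03|paste_us|192.0.2.9|2015-08-04T01:00:00|41.88|-87.63|Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) Firefox/39.0|login
acct03|paste_us|192.0.2.9|2015-08-04T01:01:00|41.88|-87.63|Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) Firefox/39.0|send_mail
acct04|paste_us|192.0.2.10|2015-08-05T12:00:00|34.05|-118.24|Mozilla/5.0 (Windows NT 10.0) Edge/12.0|login
acct04|paste_us|192.0.2.10|2015-08-05T12:03:00|34.05|-118.24|Mozilla/5.0 (Windows NT 10.0) Edge/12.0|change_password
"""

@dataclass
class Access:
    account: str
    outlet: str
    ip: str
    user_agent: str
    lat: float
    lon: float
    events: list = field(default_factory=list)  # (timestamp, event) pairs

def parse_log(text):
    rows = []
    for line in text.strip().splitlines():
        acct, outlet, ip, ts, lat, lon, ua, ev = line.split("|")
        rows.append((acct, outlet, ip, datetime.fromisoformat(ts), float(lat), float(lon), ua, ev))
    return rows

def group_accesses(rows):
    """One access = all events from the same (account, IP, user agent); an assumption."""
    by_key = {}
    for acct, outlet, ip, ts, lat, lon, ua, ev in rows:
        acc = by_key.setdefault((acct, ip, ua), Access(acct, outlet, ip, ua, lat, lon))
        acc.events.append((ts, ev))
    return list(by_key.values())

def classify(access):
    """Types are not exclusive; an access that only logged in is Curious."""
    kinds = {ev.split(":")[0] for _, ev in access.events}
    types = set()
    if kinds & {"search", "open_mail"}:
        types.add("Gold Digger")
    if "send_mail" in kinds:
        types.add("Spammer")
    if "change_password" in kinds:
        types.add("Hijacker")
    return types or {"Curious"}

def duration_days(access):
    stamps = [ts for ts, _ in access.events]
    return (max(stamps) - min(stamps)).total_seconds() / 86400

def os_from_ua(ua):
    # Order matters: Android user agents also contain "Linux".
    for needle, name in (("Android", "Android"), ("CrOS", "Chrome OS"), ("Windows", "Windows"),
                         ("Mac OS X", "Mac OSX"), ("Linux", "Linux")):
        if needle in ua:
            return name
    return "Unknown"

def browser_from_ua(ua):
    # Order matters: Edge/Vivaldi/Opera user agents also contain "Chrome", Iceweasel "Firefox".
    for needle, name in (("Edge", "Edge"), ("Vivaldi", "Vivaldi"), ("OPR", "Opera"),
                         ("Chrome", "Chrome"), ("Iceweasel", "Iceweasel"), ("Firefox", "Firefox"),
                         ("MSIE", "Explorer"), ("Trident", "Explorer")):
        if needle in ua:
            return name
    return "Unknown"

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs given in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def median_distance_by_outlet(accesses):
    """Median distance of access locations from the decoy midpoint of each outlet."""
    dists = defaultdict(list)
    for acc in accesses:
        region = OUTLET_REGION.get(acc.outlet)
        if region:
            dists[acc.outlet].append(haversine_km((acc.lat, acc.lon), DECOY_MIDPOINTS[region]))
    return {outlet: median(d) for outlet, d in dists.items()}
```

In the sample, acct01 searches and opens mail (Gold Digger), acct02 only logs in (Curious), acct03 sends mail (Spammer) and acct04 changes the password (Hijacker); a real access can carry several labels at once, which is why classify returns a set. The user-agent matching is deliberately ordered, because a Chromium-based browser on Android reports "Linux" and "Chrome" as well.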
Types Of Accesses Per Outlet
(Figure: activity fraction per outlet, for Malware, Paste Sites and Underground Forums; series Curious, Gold Digger, Hijacker, Spammer.)
Malware accesses are the stealthiest
Access Duration
(Figure: CDF of duration of accesses in days, 0 to 40 days, with one curve each for Curious, Gold Digger, Spammer and Hijacker.)
Operating Systems
(Figure: OS fraction per outlet, for Malware, Paste Sites and Underground Forums; categories Android, Chrome OS, Linux, Mac OSX, Windows, Unknown.)
Interesting to find Android there!
Browsers
(Figure: browser fraction per outlet, for Malware, Paste Sites and Underground Forums; categories Vivaldi, Firefox, Chrome, Opera, Edge, Explorer, Iceweasel, Unknown.)
Interesting Case Studies
Ashley Madison blackmailer
• The blackmailer “kindly” included bitcoin tutorials
• Also created many draft emails
• A lookup on the attacker’s bitcoin wallet revealed some payments
• We believe the attacker used other webmail accounts to reach the victims, since all emails from our honey accounts were sinkholed
(Also recall that Google was monitoring the honey accounts)
Interesting Case Studies
Another attacker registered on a carding forum using a honey account as the registration email address
This shows that attempts were made to use honey accounts as stepping stones for other attacks
Concluding Remarks
Key Takeaways
• Public Gmail honeypot infrastructure
• Provision of location info affects login behavior
• Nature of activity depends on outlet of leak
• Forum accesses are least stealthy
• Paste accesses from closer locations
• Malware accesses are super-stealthy
A hierarchy of sophistication?
Limitations
• Google’s rate-limiting of account creation places restrictions on the number of honey accounts
• Leaks limited to a few outlets (paste, underground forums, malware)
• Could not study recent information-stealing malware, for instance Dridex (would not execute in our virtualized environment)
• Attackers could find the embedded scripts and remove them
Future Work
• Make accounts more realistic
• Set up additional scenarios
  – Such as targeted malware attacking journalists
• Study the modus operandi of attackers taking over other types of accounts
  – Such as OSNs and cloud storage accounts
• Criminologists are already using our infrastructure to answer research questions
Press Coverage
• How hackers handle stolen login data, BBC Technology (17-10-2016), http://www.bbc.co.uk/news/technology-37510501
• This Is What Hackers Actually Do With Your Stolen Personal Information, The Huffington Post (17-10-2016), http://www.huffingtonpost.co.uk/entry/what-hackers-actually-do-with-your-stolen-personal-information_uk_58049f32e4b0e982146cd18f
• And others
References
Elie Bursztein et al. “Handcrafted Fraud and Extortion: Manual Account Hijacking in the Wild.” In: ACM SIGCOMM Internet Measurement Conference (IMC), 2014.
Cormac Herley and Dinei Florencio. “Nobody sells gold for the price of silver: Dishonesty, uncertainty and the underground economy.” In: Economics of Information Security and Privacy, 2010.
Martin Lazarov, Jeremiah Onaolapo, and Gianluca Stringhini. “Honey Sheets: What Happens To Leaked Google Spreadsheets?” In: USENIX Workshop on Cyber Security Experimentation and Test (CSET), 2016.
Christian Rossow et al. “Prudent practices for designing malware experiments: Status quo and outlook.” In: IEEE Symposium on Security and Privacy, 2012.
Brett Stone-Gross et al. “The underground economy of spam: A botmaster’s perspective of coordinating large-scale spam campaigns.” In: USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), 2011.
Thanks! Questions?
[email protected] / @jerryola
Honeypot infrastructure code available at https://bitbucket.org/gianluca_students/gmail-honeypot
Sneak Peek Into Related Dark Web Study
• Total number of honey accounts: 100
• Duration of experiment: 1 month
• Total number of unique accesses: 1109 (recall that the Surface Web experiment recorded 327 accesses in 7 months)
• Number of countries of accesses: 57