A recent report published by Google and academics from the University of California, San Diego, finds that most online hacker-for-hire services are either ineffective or outright scams.
The research team stated: “Using unique online buyer personas, we engaged directly with 27 such account hacking service providers and tasked them with compromising victim accounts of our choosing.
“These victims in turn were ‘honey pot’ Gmail accounts, operated in coordination with Google, and allowed us to record key interactions with the victim as well as with other fabricated aspects of their online persona that we created (e.g., business web servers, email addresses of friends or partner).”
Researchers explained that out of the 27 hacking services they engaged with, 10 did not reply to their queries, 12 replied but never actually attempted to launch an attack, and only five ended up launching attacks against the test Gmail accounts.
Of the 12 who responded but did not launch any attacks, nine were no longer hacking Gmail accounts, while the other three were deemed to be frauds.
The attacks were carried out by hand rather than with automated tooling, and the hackers-for-hire generally charged between $100 and $500 for their services.
The attackers relied on spear-phishing, tailoring the social-engineering lure to each victim. Some asked the buyer for additional details about the target before attacking, while others fell back on re-usable phishing email templates.
Among the five hackers who launched an attack, one unusually tried to infect the victim with malware (a remote access trojan) rather than phish for the account credentials. Once installed, such malware can recover saved passwords and authentication cookies from the browsers on the victim’s machine, which sidesteps the login page altogether.
In addition, one attacker succeeded in bypassing two-factor authentication (2FA). The victim was redirected to a spoofed Google login page that harvested both the password and the SMS code, and the attacker checked each against the real service in real time, so the one-time code was used before it expired.
The research team also discovered that hackers who learned they would have to bypass 2FA often doubled their prices.
Researchers also observed that the price for hacking a Gmail account has risen from about $125 in 2017 to around $400 in 2019. They attribute the increase to Google improving its account security measures, which raises the attacker’s effort per account.
The research team stated: “As a whole, we find that the commercialized account hijacking ecosystem is far from mature.
“We frequently encountered poor customer service, slow responses, and inaccurate advertisements for pricing.
“Further, the current techniques for bypassing 2FA can be mitigated with the adoption of U2F security keys.”
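The two findings above (a spoofed login page relaying a password and SMS code in real time, and U2F keys defeating that technique) can be made concrete with a small simulation. The Python below is an added example, not code from the report or from Google: the origins, the password and the HMAC used in place of the authenticator’s public-key signature are constructed for illustration.

```python
"""Toy model of real-time relay phishing against SMS codes and against U2F.

Added example: not code from the Google/UCSD report. The origins, the
password and the HMAC standing in for the authenticator's signature are
constructed for illustration only.
"""
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://accounts.example"        # constructed: the real login page
PHISH_ORIGIN = "https://accounts-example.com"   # constructed: attacker's lookalike


class SmsSecondFactorService:
    """Login protected by a password plus a six-digit code sent over SMS."""

    def __init__(self, password="hunter2"):      # constructed credential
        self._password = password.encode()
        self._pending = {}                       # session id -> expected code

    def begin_login(self, password):
        """Return (session, code) if the password is right; the code is 'texted' to the user."""
        if not hmac.compare_digest(password.encode(), self._password):
            return None
        session = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[session] = code
        return session, code

    def finish_login(self, session, code):
        """Accept whoever presents the right code for an open session: the code proves nothing about origin."""
        expected = self._pending.pop(session, None)
        return expected is not None and hmac.compare_digest(code.encode(), expected.encode())


def relay_phish_sms(site, victim_password):
    """Spoofed login page that forwards each field to the real site as the victim types it."""
    result = site.begin_login(victim_password)   # victim's password, relayed immediately
    if result is None:
        return False
    session, code_texted_to_victim = result
    victim_typed_code = code_texted_to_victim    # victim reads the SMS and types it into the spoof
    return site.finish_login(session, victim_typed_code)   # relayed before the code expires


class Authenticator:
    """U2F-style key: signs the server challenge together with the origin the browser reports."""

    def __init__(self):
        self.key = secrets.token_bytes(32)       # HMAC stands in for the device's private key

    def sign(self, challenge, browser_origin):
        client_data = json.dumps({"challenge": challenge, "origin": browser_origin}, sort_keys=True)
        signature = hmac.new(self.key, client_data.encode(), hashlib.sha256).hexdigest()
        return client_data, signature


class U2fService:
    """Login that verifies the signed client data, including the origin, against the registered key."""

    def __init__(self, registered_key):
        self._key = registered_key
        self._challenges = set()

    def begin_login(self):
        challenge = secrets.token_hex(16)
        self._challenges.add(challenge)
        return challenge

    def finish_login(self, challenge, client_data, signature):
        if challenge not in self._challenges:
            return False
        self._challenges.discard(challenge)
        expected = hmac.new(self._key, client_data.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(signature.encode(), expected.encode()):
            return False
        data = json.loads(client_data)
        # Origin binding: a signature produced on the phishing page names the wrong origin.
        return data["challenge"] == challenge and data["origin"] == REAL_ORIGIN


def login_u2f(site, authenticator, browser_origin):
    """Browser flow; the attacker can relay the challenge but cannot change what the key signs."""
    challenge = site.begin_login()
    client_data, signature = authenticator.sign(challenge, browser_origin)
    return site.finish_login(challenge, client_data, signature)


if __name__ == "__main__":
    print("SMS code, relayed in real time:", relay_phish_sms(SmsSecondFactorService(), "hunter2"))
    key = Authenticator()
    site = U2fService(key.key)
    print("U2F, genuine login:", login_u2f(site, key, REAL_ORIGIN))
    print("U2F, relayed via phishing page:", login_u2f(site, key, PHISH_ORIGIN))
```

The SMS path succeeds because the code is just a secret the victim can be talked into retyping, and the real service has no way to tell who is presenting it. In the U2F path it is the browser, not the page, that tells the authenticator which origin it is on, so the signature produced on the lookalike domain carries the wrong origin and the real service rejects it no matter how quickly the attacker relays the challenge.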
The researchers emphasised that they do not currently view hacker-for-hire services as a significant threat to users’ accounts, given the high price of the services and the low quality of what they deliver.