Online accounts are inherently valuable resources both for the data they contain and the reputation they accrue over time. Unsurprisingly, this value drives criminals to steal, or hijack, such accounts. In this paper we focus on manual account hijacking: account hijacking performed manually by humans instead of botnets. We describe the details of the hijacking workflow: the attack vectors, the exploitation phase, and post-hijacking remediation. Finally, we share which defense strategies we found effective at Google to curb manual hijacking.
Handcrafted fraud and extortion: manual account hijacking in the wild
Conference
Internet Measurement Conference 2014
Authors
Elie Bursztein, Borbala Benko, Daniel Margolis, Tadek Pietraszek, Andy Archer, Allan Aquino, Andreas Pitsillidis, Stefan Savage
Selected Press articles
USA Today | Elizabeth Weise | Nov 2014
Hijackers get up close and personal with hacked accounts
The Washington Post | Andrea Peterson | Nov 2014
Inside the world of professional e-mail account hijackers
CNN | Jose Pagliery | Nov 2014
This is how your Gmail account got hacked
Huffington Post | Damon Beres | Nov 2014
Google Study Finds Email Scams Are More Effective Than You’d Expect
Bloomberg | Jordan Robertson | Nov 2014
Gone in 180 Seconds: Hackers Quickly Raid E-Mails in Search of 'Wire Transfer' and Sex Photos