Online accounts are inherently valuable resources, both for the data they contain and the reputation they accrue over time. Unsurprisingly, this value drives criminals to steal, or hijack, such accounts. In this paper we focus on manual account hijacking: account hijacking performed manually by humans instead of botnets. We describe the details of the hijacking workflow: the attack vectors, the exploitation phase, and post-hijacking remediation. Finally, we share which defense strategies we found effective at Google to curb manual hijacking.
Handcrafted fraud and extortion: manual account hijacking in the wild
- Conference: Internet Measurement Conference 2014
- Authors: Elie Bursztein, Borbala Benko, Daniel Margolis, Tadek Pietraszek, Andy Archer, Allan Aquino, Andreas Pitsillidis, Stefan Savage
Selected press articles
Hijackers get up close and personal with hacked accounts
USA Today - Elizabeth Weise - Nov 2014
This is how your Gmail account got hacked
CNN - Jose Pagliery - Nov 2014
Inside the world of professional e-mail account hijackers
The Washington Post - Andrea Peterson - Nov 2014
Google Study Finds Email Scams Are More Effective Than You’d Expect
Huffington Post - Damon Beres - Nov 2014
Gone in 180 Seconds: Hackers Quickly Raid E-Mails in Search of 'Wire Transfer' and Sex Photos
Bloomberg - Jordan Robertson - Nov 2014




