Page 1: What Happens After You Are Pwnd: Understanding The Use Of Leaked Webmail Credentials In The Wild

What Happens After You Are Pwned: Understanding The Use Of Leaked Webmail Credentials In The Wild

Jeremiah Onaolapo, Enrico Mariconti, and Gianluca Stringhini
University College London, UK
[email protected]

ACM SIGCOMM Internet Measurement Conference (IMC’16)
Santa Monica, CA
14th November, 2016

Page 2

Page 3

Introduction

•  Many services are hosted on the Web
•  Valuable content in online accounts
   –  Cloud storage, online dating, webmail, etc.
•  Cybercriminals attack online accounts, sell credentials
   (Bursztein et al. 2014; Herley and Florencio 2010; Stone-Gross et al. 2011)

Page 4

Question

What happens to online accounts AFTER they are compromised by criminals?

Page 5

Webmail Account “Hub”

(Diagram: the webmail account at the centre of a hub, linked to cloud storage links, bank account details, password reset links, usernames and passwords, and other sensitive info)

Page 6

Previous Work

•  Malicious activity in webmail accounts (Bursztein et al. 2014)
•  No publicly available infrastructure to monitor compromised webmail accounts
•  Until now...

Page 7

Our Contribution

•  We developed an infrastructure to help researchers understand what happens to compromised webmail accounts (we release it publicly)
•  We set up an instance to study actions and access patterns of cybercriminals on compromised webmail accounts

Page 8

Our Pipeline

1. Create and populate honey accounts
2. Configure monitor infrastructure
3. Leak honey accounts
4. Record and analyze data

Page 9

Our Infrastructure

•  Honeypot system of webmail accounts and monitoring infrastructure
•  Components
   –  Webmail accounts (honey accounts)
   –  Sinkhole mail server
   –  Notification store
   –  Mail client
   –  Monitor scripts
   –  Malware sandbox

Page 10

Infrastructure Details

•  Google Apps Script in honey accounts
   –  Monitors actions in the accounts
•  Other scripts log in periodically to collect information about accesses
   –  IP addresses, timestamps of accesses, browser info, OS info, etc.
•  Heartbeat messages
•  Sinkhole mail server mitigates spam
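The sinkhole mail server is what lets the honey accounts be handed to spammers without producing spam: to whoever is in the account it behaves like a working outbound SMTP server, accepts every recipient and every message, stores the message for analysis, and relays nothing. As an added example, and not the authors' code (their infrastructure is in the Bitbucket repository linked on the last slide), here is the server side of such a session as a Python state machine. The hostname, the stored-message fields and the constructed client script in the `__main__` block are assumptions for illustration, and the socket layer is left out so the logic can be exercised offline.

```python
"""Minimal SMTP sinkhole: accept everything, store it, relay nothing.

Added illustration of the 'sinkhole mail server' component.  The transport
(sockets) is left out so the session logic can be driven offline by feeding
it the client's lines one at a time.
"""
from dataclasses import dataclass, field
from typing import List, Optional

HOSTNAME = "sinkhole.example.invalid"   # assumed, illustration only


@dataclass
class StoredMessage:
    sender: str
    recipients: List[str]
    data: str


@dataclass
class SinkholeSession:
    """Server side of one SMTP session.

    feed() takes one CRLF-stripped line from the client and returns the reply
    the server would send ('' while inside DATA).  Every recipient is accepted
    and every DATA payload is appended to `store`; nothing is ever forwarded.
    """
    store: List[StoredMessage] = field(default_factory=list)
    sender: Optional[str] = None
    recipients: List[str] = field(default_factory=list)
    in_data: bool = False
    data_lines: List[str] = field(default_factory=list)
    greeted: bool = False

    def greeting(self) -> str:
        return f"220 {HOSTNAME} ESMTP"

    def _reset(self) -> None:
        self.sender, self.recipients, self.data_lines = None, [], []
        self.in_data = False

    def feed(self, line: str) -> str:
        if self.in_data:
            return self._feed_data(line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.greeted = True
            return f"250 {HOSTNAME}"
        if not self.greeted:
            return "503 Send HELO/EHLO first"
        if verb == "MAIL":
            self._reset()
            self.sender = _address(arg)
            return "250 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Need MAIL FROM first"
            # Sinkhole policy: accept any recipient, local or remote.
            self.recipients.append(_address(arg))
            return "250 OK"
        if verb == "DATA":
            if not self.recipients:
                return "503 Need RCPT TO first"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "RSET":
            self._reset()
            return "250 OK"
        if verb == "NOOP":
            return "250 OK"
        if verb == "QUIT":
            return "221 Bye"
        return "502 Command not implemented"

    def _feed_data(self, line: str) -> str:
        if line == ".":
            self.store.append(StoredMessage(self.sender, list(self.recipients),
                                            "\n".join(self.data_lines)))
            self._reset()
            # The client sees a normal acceptance; the message goes nowhere.
            return "250 OK: queued (sinkholed)"
        # Undo SMTP dot-stuffing (RFC 5321 section 4.5.2).
        self.data_lines.append(line[1:] if line.startswith(".") else line)
        return ""


def _address(arg: str) -> str:
    """Extract 'user@host' from 'FROM:<user@host>' or 'TO:<user@host>'."""
    _, _, rest = arg.partition(":")
    return rest.strip().strip("<>")


def run_script(session: SinkholeSession, client_lines: List[str]) -> List[str]:
    """Feed a whole client-side script; return the non-empty server replies."""
    replies = [session.greeting()]
    for line in client_lines:
        reply = session.feed(line)
        if reply:
            replies.append(reply)
    return replies


if __name__ == "__main__":
    # Constructed spam attempt sent from a compromised honey account.
    script = ["EHLO attacker-box", "MAIL FROM:<honey01@example.invalid>",
              "RCPT TO:<victim@example.invalid>", "RCPT TO:<other@example.invalid>",
              "DATA", "Subject: cheap pills", "", "..leading dot line", ".", "QUIT"]
    s = SinkholeSession()
    for r in run_script(s, script):
        print("S:", r)
    print(len(s.store), "message(s) stored, 0 relayed")
```

Feeding the session the client's lines one at a time makes the policy visible: every RCPT TO gets 250, the DATA payload ends up in `store`, and nothing is ever connected to a real MX. A real deployment also isolates and rate-limits the host so the address cannot be abused as an open relay by anyone who discovers it.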

Page 11

Malware Sandbox

We wanted to simulate webmail login by humans on infected computers.

Our infrastructure does the following:
•  Host creates virtual machine (VM)
•  VM requests (honey credentials, malware) from host
•  VM installs the malware on itself
•  VM now infected

Page 12

Malware Sandbox

•  VM runs script to start web browser
•  Script performs login to honey account via web browser
•  Malware steals honey credentials, sends them to C&C server
•  Repeat the process

Malware operator harvests honey credentials later

Page 13

Ethical Considerations

•  Sinkhole mail server mitigates spam
•  Close collaboration with Google to pay particular attention to honey accounts
•  Bandwidth and traffic restrictions in malware sandbox (Rossow et al. 2012)
•  Obtained ethics approval from UCL

Page 14

Experiment Setup

•  We created 100 Gmail honeypot accounts
•  Populated them using the Enron corpus
•  We leaked account credentials via popular paste sites, underground forums, and malware
•  Thus mimicking the modus operandi of cybercriminals

Page 15

Experiment Setup

•  We included decoy UK and US location information in some leaks, not in others
   –  London, UK and Pontiac, MI as midpoints
•  The idea was to study the impact of availability of location information on illegitimate accesses
•  We also leaked some credentials through malware

Page 16

Formats Of Leaks

Gmail accounts LeAkEd!!!
[username1]:[password1]
[username2]:[password2]
…
[username10]:[password10]

.:.gmail login.:.
[username11]:[password11] 16 May 1990 Luton, UK
[username12]:[password12] 22 Aug 1974 Uxbridge, UK
…
[username20]:[password20] 5 Dec 1975 Slough, UK

Gmail logins hacked by .:pHisH3R:.
[username21]:[password21] 16 Jun 1979 Chicago, IL
[username22]:[password22] 15 Mar 1970 Indianapolis, IN
…
[username30]:[password30] 5 Sep 1989 Wichita, KS
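The three formats above are also what a defender who scrapes paste sites for their own domain has to parse: a bare username:password list, and two variants with a date of birth and a city appended to each line. As an added example, not the authors' code, here is a Python parser for these formats that skips the decorative banner lines; the regular expression, the constructed sample paste (with obviously fake credentials) and the `summarize` helper are assumptions for illustration.

```python
"""Parse credential dumps in the paste-site formats shown on the slide.

Added example.  Handles three line shapes:
  user:pass
  user:pass 16 May 1990 Luton, UK
  user:pass 16 Jun 1979 Chicago, IL
and ignores banner lines such as 'Gmail accounts LeAkEd!!!'.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# username : password, then optionally "<day> <Mon> <year> <City>, <Region>".
# The username must start with a letter or digit (rejects banners like
# '.:.gmail login.:.'); the password is non-greedy so that passwords
# containing ':' or spaces survive when a date/location tail follows.
_LINE = re.compile(
    r"^(?P<username>[A-Za-z0-9][A-Za-z0-9._%+-]*(?:@[A-Za-z0-9.-]+)?)"
    r":(?P<password>.+?)"
    r"(?:\s+(?P<dob>\d{1,2} [A-Z][a-z]{2} \d{4})\s+(?P<city>[^,]+),\s*(?P<region>\S+))?$"
)


@dataclass
class LeakedCredential:
    username: str
    password: str
    dob: Optional[str] = None
    city: Optional[str] = None
    region: Optional[str] = None

    @property
    def has_location(self) -> bool:
        return self.city is not None


def parse_leak(text: str) -> List[LeakedCredential]:
    """Return every credential found in a paste; banner lines are skipped."""
    creds = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue                      # e.g. 'Gmail accounts LeAkEd!!!'
        m = _LINE.match(line)
        if not m:
            continue                      # e.g. 'Gmail logins hacked by .:pHisH3R:.'
        creds.append(LeakedCredential(**m.groupdict()))
    return creds


def summarize(creds: List[LeakedCredential]) -> Dict[str, int]:
    """Count entries per decoy region ('none' when no location was appended)."""
    by_region: Dict[str, int] = {}
    for c in creds:
        key = c.region or "none"
        by_region[key] = by_region.get(key, 0) + 1
    return by_region


# Constructed paste in the shape of the slide; none of these are real accounts.
SAMPLE_PASTE = """Gmail accounts LeAkEd!!!
alice.h@gmail.com:Wint3r!2015
bob_ross:happy trees
.:.gmail login.:.
carol77@gmail.com:Qw3rty# 16 May 1990 Luton, UK
dave.k:pa55:word 22 Aug 1974 Uxbridge, UK
Gmail logins hacked by .:pHisH3R:.
erin.m@gmail.com:letmein 16 Jun 1979 Chicago, IL
"""


if __name__ == "__main__":
    found = parse_leak(SAMPLE_PASTE)
    for c in found:
        print(c.username, "->", "with location" if c.has_location else "no location")
    print(summarize(found))
```

Anchoring the username at the start of the line and requiring it to begin with a letter or digit is what rejects the `.:.gmail login.:.` banner, which would otherwise parse as a credential with username `.`; the non-greedy password group followed by the optional date/location tail is what keeps `pa55:word` intact.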

Page 17

Results As Of Feb. 2016

•  Total number of honey accounts: 100
•  Duration of experiment: 7 months
•  Total number of unique accesses: 327
•  Number of countries of accesses: 29
•  We discovered some location tricks!
   –  We plotted median distances from decoy locations

Page 18

(Plot) Connections appear from locations closer to decoy cities when provided. UK decoy midpoint: London.

Page 19

(Plot) Connections appear from locations closer to decoy cities when provided. US decoy midpoint: Pontiac, MI.
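The two plots above report median distance from the decoy midpoint. As an added example, not the authors' analysis code, the Python below computes great-circle distances with the haversine formula and the median distance of a set of access locations from a decoy midpoint. The midpoint coordinates for London and Pontiac, MI are real (approximate); the access coordinates are constructed to show the effect and are not data from the study.

```python
"""Haversine distance and median distance-to-decoy, as plotted on slides 18-19.

Added example.  DECOYS holds the real (approximate) midpoints named on the
slides; the access coordinates in SAMPLE_ACCESSES are constructed.
"""
import math
from statistics import median
from typing import Dict, Iterable, List, Tuple

Point = Tuple[float, float]          # (latitude, longitude) in decimal degrees
EARTH_RADIUS_KM = 6371.0

DECOYS: Dict[str, Point] = {
    "London, UK": (51.5074, -0.1278),
    "Pontiac, MI": (42.6389, -83.2910),
}

# Constructed access origins: one leak carried UK decoy info, one carried none.
SAMPLE_ACCESSES: Dict[str, List[Point]] = {
    "uk_decoy": [(53.4808, -2.2426),    # Manchester
                 (52.4862, -1.8904),    # Birmingham
                 (48.8566, 2.3522),     # Paris
                 (52.3676, 4.9041),     # Amsterdam
                 (53.3498, -6.2603)],   # Dublin
    "no_decoy": [(40.7128, -74.0060),   # New York
                 (6.5244, 3.3792),      # Lagos
                 (55.7558, 37.6173),    # Moscow
                 (-6.2088, 106.8456),   # Jakarta
                 (-23.5505, -46.6333)], # Sao Paulo
}


def haversine_km(a: Point, b: Point) -> float:
    """Great-circle distance between two (lat, lon) points, in kilometres.

    d = 2R * asin( sqrt( sin^2(dlat/2) + cos(lat1) cos(lat2) sin^2(dlon/2) ) )
    """
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(min(1.0, h)))


def median_distance_km(accesses: Iterable[Point], decoy: Point) -> float:
    """Median over accesses of the distance from each access to the decoy midpoint."""
    return median(haversine_km(p, decoy) for p in accesses)


def decoy_effect(accesses_by_leak: Dict[str, List[Point]], decoy: Point) -> Dict[str, float]:
    """Median distance-to-decoy per leak variant: the number behind the plots above."""
    return {name: median_distance_km(points, decoy) for name, points in accesses_by_leak.items()}


if __name__ == "__main__":
    london = DECOYS["London, UK"]
    for leak, km in decoy_effect(SAMPLE_ACCESSES, london).items():
        print(f"{leak:>9}: median {km:7.1f} km from London")
```

With the constructed sample the UK-decoy arm has a median of roughly 340 km (Paris) and the no-decoy arm roughly 5,570 km (New York); the point of the median rather than the mean is that a single far-away access does not swamp the comparison.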

Page 20

Types Of Accesses

•  Curious – just check if accounts are real
•  Gold Diggers – look for sensitive info
•  Spammers – send spam
•  Hijackers – change the password (locking the owner out)

(Types are not exclusive)

Page 21

Types Of Accesses Per Outlet

(Plot: activity fraction per leak outlet, for Malware, Paste Sites and Underground Forums; series: Curious, Gold Digger, Hijacker, Spammer)

Malware accesses are the stealthiest

Page 22

Access Duration

(Plot: CDF of duration of accesses in days, 0 to 40; series: Curious, Gold Digger, Spammer, Hijacker)
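Slides 20 to 22 define the access types by what was done in the account, break them down by leak outlet, and plot how long each access lasted. As an added example, not the authors' monitoring or analysis code, here is Python that derives all three from the notifications a monitor would record: it groups notifications by access, labels each access with the slide-20 types (non-exclusive, with Curious as the fall-through), and computes per-outlet fractions and the duration from first to last action. The notification line format, the event names and the sample lines are constructed for illustration.

```python
"""Turn monitor notifications into labelled accesses (slide 20), with a
per-outlet breakdown (slide 21) and access duration (slide 22).

Added example.  The notification line format, the event names and the sample
lines are constructed for illustration; they are not the authors' format.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, Set

# One notification per monitored action, e.g.
# 2016-02-03T10:15:00Z access=a2 outlet=paste ip=203.0.113.9 event=search
_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>(?:\w+=\S+\s*)+)$")

# Assumed event names a monitor might emit.
GOLD_DIGGER_EVENTS = {"search", "open_message", "open_attachment"}
SPAMMER_EVENTS = {"send_message"}
HIJACKER_EVENTS = {"change_password"}


def parse_line(line: str) -> dict:
    """Parse one notification into a dict with a datetime under 'ts'."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable notification: {line!r}")
    rec = dict(kv.split("=", 1) for kv in m.group("kv").split())
    rec["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return rec


def classify(events: Iterable[str]) -> Set[str]:
    """Slide-20 taxonomy: labels overlap; 'Curious' only if nothing else fits."""
    seen = set(events)
    labels = set()
    if seen & GOLD_DIGGER_EVENTS:
        labels.add("Gold Digger")
    if seen & SPAMMER_EVENTS:
        labels.add("Spammer")
    if seen & HIJACKER_EVENTS:
        labels.add("Hijacker")
    return labels or {"Curious"}


def summarize_accesses(lines: Iterable[str]) -> Dict[str, dict]:
    """Group notifications by access id; return outlet, IPs, labels and duration in days."""
    by_access = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = parse_line(line)
            by_access[rec["access"]].append(rec)
    out = {}
    for access_id, recs in by_access.items():
        recs.sort(key=lambda r: r["ts"])
        span = recs[-1]["ts"] - recs[0]["ts"]
        out[access_id] = {
            "outlet": recs[0]["outlet"],
            "ips": sorted({r["ip"] for r in recs}),
            "labels": classify(r["event"] for r in recs),
            "duration_days": span.total_seconds() / 86400,
        }
    return out


def activity_fractions(summary: Dict[str, dict]) -> Dict[str, Dict[str, float]]:
    """Per outlet: fraction of that outlet's accesses carrying each label.

    Labels overlap, so one outlet's fractions can sum to more than 1.
    """
    totals = defaultdict(int)
    counts = defaultdict(lambda: defaultdict(int))
    for info in summary.values():
        totals[info["outlet"]] += 1
        for label in info["labels"]:
            counts[info["outlet"]][label] += 1
    return {o: {lab: n / totals[o] for lab, n in c.items()} for o, c in counts.items()}


# Constructed notifications: five accesses across the three leak outlets.
SAMPLE_NOTIFICATIONS = """\
2016-02-03T10:15:00Z access=a1 outlet=paste ip=203.0.113.7 event=login
2016-02-03T10:15:04Z access=a2 outlet=paste ip=203.0.113.9 event=login
2016-02-03T10:16:30Z access=a2 outlet=paste ip=203.0.113.9 event=search
2016-02-05T10:16:30Z access=a2 outlet=paste ip=203.0.113.9 event=open_message
2016-02-04T08:00:00Z access=a3 outlet=forum ip=198.51.100.3 event=login
2016-02-04T08:00:10Z access=a3 outlet=forum ip=198.51.100.3 event=send_message
2016-02-04T20:00:10Z access=a3 outlet=forum ip=198.51.100.8 event=send_message
2016-02-06T12:00:00Z access=a4 outlet=forum ip=198.51.100.4 event=login
2016-02-06T12:01:00Z access=a4 outlet=forum ip=198.51.100.4 event=open_message
2016-02-06T12:02:00Z access=a4 outlet=forum ip=198.51.100.4 event=change_password
2016-02-07T03:00:00Z access=a5 outlet=malware ip=192.0.2.20 event=login
"""


if __name__ == "__main__":
    summary = summarize_accesses(SAMPLE_NOTIFICATIONS.splitlines())
    for aid, info in summary.items():
        print(aid, info["outlet"], sorted(info["labels"]), f"{info['duration_days']:.2f} d")
    print(activity_fractions(summary))
```

Keying on an access id rather than on the IP address matters: access a3 in the sample changes IP between its two sends, and the slides count accesses, not addresses. The duration is the span between first and last observed action, which is what a CDF like the one on slide 22 is built from.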

Page 23

Operating Systems

(Plot: OS fraction per leak outlet, for Malware, Paste Sites and Underground Forums; series: Android, Chrome OS, Linux, Mac OSX, Windows, Unknown)

Interesting to find Android there!

Page 24

Browsers

(Plot: browser fraction per leak outlet, for Malware, Paste Sites and Underground Forums; series: Vivaldi, Firefox, Chrome, Opera, Edge, Explorer, Iceweasel, Unknown)

Page 25

Interesting Case Studies

Ashley Madison blackmailer
•  The blackmailer “kindly” included bitcoin tutorials
•  Also created many draft emails
•  A lookup on the attacker’s bitcoin wallet revealed some payments
•  We believe the attacker used other webmail accounts to reach the victims, since all emails from our honey accounts were sinkholed

(Also recall that Google was monitoring the honey accounts)

Page 26

Interesting Case Studies

Another attacker registered on a carding forum using a honey account as registration email address

Shows that attempts were made to use honey accounts as stepping stones for other attacks

Page 27

Concluding Remarks

Page 28

Key Takeaways

•  Public Gmail honeypot infrastructure
•  Provision of location info affects login behavior
•  Nature of activity depends on outlet of leak
•  Forum accesses are least stealthy
•  Paste accesses from closer locations
•  Malware accesses are super-stealthy

A hierarchy of sophistication?

Page 29

Limitations

•  Google’s rate-limiting of account creation places restrictions on the number of honey accounts
•  Leaks limited to a few outlets (paste, underground forums, malware)
•  Could not study recent information-stealing malware, for instance Dridex (would not execute in our virtualized environment)
•  Attackers could find the embedded scripts and remove them

Page 30

Future Work

•  Make accounts more realistic
•  Set up additional scenarios
   –  Such as targeted malware attacking journalists
•  Study the modus operandi of attackers taking over other types of accounts
   –  Such as OSNs and cloud storage accounts
•  Criminologists are already using our infrastructure to answer research questions

Page 31

Press Coverage

How hackers handle stolen login data. BBC Technology (17-10-2016). http://www.bbc.co.uk/news/technology-37510501

This Is What Hackers Actually Do With Your Stolen Personal Information. The Huffington Post (17-10-2016). http://www.huffingtonpost.co.uk/entry/what-hackers-actually-do-with-your-stolen-personal-information_uk_58049f32e4b0e982146cd18f

And others

Page 32

References

Elie Bursztein et al. “Handcrafted Fraud and Extortion: Manual Account Hijacking in the Wild.” In: ACM SIGCOMM Internet Measurement Conference (IMC), 2014.

Cormac Herley and Dinei Florencio. “Nobody Sells Gold for the Price of Silver: Dishonesty, Uncertainty and the Underground Economy.” In: Economics of Information Security and Privacy, 2010.

Martin Lazarov, Jeremiah Onaolapo, and Gianluca Stringhini. “Honey Sheets: What Happens to Leaked Google Spreadsheets?” In: USENIX Workshop on Cyber Security Experimentation and Test (CSET), 2016.

Christian Rossow et al. “Prudent Practices for Designing Malware Experiments: Status Quo and Outlook.” In: IEEE Symposium on Security and Privacy, 2012.

Brett Stone-Gross et al. “The Underground Economy of Spam: A Botmaster’s Perspective of Coordinating Large-Scale Spam Campaigns.” In: USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), 2011.

Page 33

Thanks! Questions?

[email protected]
@jerryola

Honeypot infrastructure code available at https://bitbucket.org/gianluca_students/gmail-honeypot

Page 34

Sneak Peek Into Related Dark Web Study

•  Total number of honey accounts: 100
•  Duration of experiment: 1 month
•  Total number of unique accesses: 1109 (recall that the Surface Web experiment recorded 327 accesses in 7 months)
•  Number of countries of accesses: 57