What Happens After You Are Pwnd: Understanding the Use of Leaked Webmail Credentials in the Wild

Cybercriminals steal access credentials to webmail accounts and then misuse them for their own profit, release them publicly, or sell them on the underground market. Despite the importance of this problem, the research community still lacks a comprehensive understanding of what these stolen accounts are used for. In this paper, we aim to shed light on the modus operandi of miscreants accessing stolen Gmail accounts. We developed an infrastructure that is able to monitor the activity performed by users on Gmail accounts, and leaked credentials to 100 accounts under our control through various means, such as having information-stealing malware capture them, leaking them on public paste sites, and posting them on underground forums. We then monitored the activity recorded on these accounts over a period of 7 months. Our observations allowed us to devise a taxonomy of malicious activity performed on stolen Gmail accounts, to identify differences in the behavior of cybercriminals that get access to stolen accounts through different means, and to identify systematic attempts to evade the protection systems in place at Gmail and blend in with the legitimate user activity. This paper gives the research community a better understanding of a so far understudied, yet critical aspect of the cybercrime economy.
