DOI: 10.1145/2987443.2987475 (IMC Conference Proceedings; research article, free access)

What Happens After You Are Pwnd: Understanding the Use of Leaked Webmail Credentials in the Wild

Published: 14 November 2016

Abstract

Cybercriminals steal access credentials to webmail accounts and then misuse them for their own profit, release them publicly, or sell them on the underground market. Despite the importance of this problem, the research community still lacks a comprehensive understanding of what these stolen accounts are used for. In this paper, we aim to shed light on the modus operandi of miscreants accessing stolen Gmail accounts. We developed an infrastructure that is able to monitor the activity performed by users on Gmail accounts, and leaked credentials to 100 accounts under our control through various means, such as having information-stealing malware capture them, leaking them on public paste sites, and posting them on underground forums. We then monitored the activity recorded on these accounts over a period of 7 months. Our observations allowed us to devise a taxonomy of malicious activity performed on stolen Gmail accounts, to identify differences in the behavior of cybercriminals that get access to stolen accounts through different means, and to identify systematic attempts to evade the protection systems in place at Gmail and blend in with the legitimate user activity. This paper gives the research community a better understanding of a so far understudied, yet critical aspect of the cybercrime economy.
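The abstract's methodology rests on one mechanical step: every honey credential must be attributable back to the channel it was leaked through (malware, paste site, forum), so that later accesses can be compared across channels. The block below is an added example of that attribution step, not the authors' monitoring infrastructure (which this page does not publish). It assumes a private address-to-channel mapping, a constructed one-line-per-action log format, and constructed addresses, IPs and timestamps.

```python
"""Honey-credential leak attribution, in the spirit of the study above.

Added example, not the paper's monitoring infrastructure. Assumptions:
each honey account has a distinct address, the address-to-channel
mapping is kept private to the monitor, and the monitor emits one
access-log line per action in the constructed format shown below.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# Leak channels named in the abstract; the short labels are ours.
CHANNELS = ("malware", "paste", "forum")

# Constructed mapping: which channel each honey account was leaked through.
# The channel must never be encoded in the address; the attacker sees it.
HONEY_ACCOUNTS: Dict[str, str] = {
    "h.alvarez81@example.com": "paste",
    "m.okafor@example.com": "malware",
    "k.tanaka@example.com": "malware",   # leaked but never accessed in the sample
    "r.lindqvist@example.com": "forum",
}

# Moment the credentials were pushed out through all channels (constructed).
LEAKED_AT = datetime(2016, 3, 1, 12, 0, tzinfo=timezone.utc)

# Constructed monitor output: the 09:30 line is our own pre-leak setup login,
# "nobody@" is an address we never seeded, and one line is malformed on purpose.
SAMPLE_LOG = """\
2016-03-01T09:30:00Z user=h.alvarez81@example.com ip=198.51.100.7 action=login
2016-03-01T14:05:00Z user=h.alvarez81@example.com ip=203.0.113.5 action=login
2016-03-01T14:06:10Z user=h.alvarez81@example.com ip=203.0.113.5 action=search
2016-03-02T02:40:00Z user=m.okafor@example.com ip=203.0.113.9 action=login
2016-03-03T18:00:00Z user=r.lindqvist@example.com ip=192.0.2.33 action=login
2016-03-03T18:01:00Z user=r.lindqvist@example.com ip=192.0.2.34 action=login
this line is not in the expected format
2016-03-04T08:00:00Z user=nobody@example.com ip=192.0.2.50 action=login
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) action=(?P<action>\S+)$"
)


@dataclass(frozen=True)
class Access:
    when: datetime
    address: str
    ip: str
    action: str


@dataclass
class ChannelStats:
    accesses: int = 0
    distinct_ips: Set[str] = field(default_factory=set)
    first_access: Optional[datetime] = None


def parse_access_log(lines: List[str]) -> List[Access]:
    """Parse monitor lines; malformed lines are skipped rather than fatal."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        when = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append(Access(when, m["user"], m["ip"], m["action"]))
    return events


def attribute(events: List[Access], accounts: Dict[str, str],
              leaked_at: datetime) -> Tuple[Dict[str, ChannelStats], List[str]]:
    """Map each post-leak access to the channel its account was leaked through.

    Accesses to addresses we never seeded are returned separately: they mean
    either a monitor misconfiguration or an account we did not know we had.
    """
    stats = {c: ChannelStats() for c in CHANNELS}
    unknown: List[str] = []
    for ev in sorted(events, key=lambda e: e.when):
        channel = accounts.get(ev.address)
        if channel is None:
            unknown.append(ev.address)
            continue
        if ev.when < leaked_at:
            continue  # our own setup activity, not attacker activity
        s = stats[channel]
        s.accesses += 1
        s.distinct_ips.add(ev.ip)
        if s.first_access is None:
            s.first_access = ev.when
    return stats, unknown


def hours_to_first_access(stats: Dict[str, ChannelStats],
                          leaked_at: datetime) -> Dict[str, Optional[float]]:
    """Delay from leak to first attacker access per channel (None if untouched)."""
    return {
        c: None if s.first_access is None
        else (s.first_access - leaked_at).total_seconds() / 3600.0
        for c, s in stats.items()
    }


if __name__ == "__main__":
    st, unk = attribute(parse_access_log(SAMPLE_LOG), HONEY_ACCOUNTS, LEAKED_AT)
    for c, s in st.items():
        print(f"{c:8s} accesses={s.accesses} ips={len(s.distinct_ips)} "
              f"first_access={s.first_access}")
    print("unknown addresses:", unk)
```

Two details matter more than the bookkeeping: activity recorded before the leak timestamp is excluded so that the operator's own setup logins are not counted as attacker behaviour, and any access to an address not in the private mapping is surfaced rather than silently dropped, since it indicates the monitor or the seeding went wrong.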



Cited By

  • (2025) Exploring transparent communication for organisational cyber-resilience to sophisticated phishing attacks. Information & Computer Security. DOI 10.1108/ICS-01-2025-0024. Online publication date: 25 Sep 2025.
  • (2025) Generation of Honeytokens for Relational Database Using Conditional Tabular Generative Adversarial Network (CTGAN). Hybrid Intelligent Systems, pp. 119-129. DOI 10.1007/978-3-031-78928-1_13. Online publication date: 15 Jul 2025.
  • (2025) Beyond the Leak: Analyzing the Real-World Exploitation of Stolen Credentials Using Honeypots. Sensors 25(12):3676. DOI 10.3390/s25123676. Online publication date: 12 Jun 2025.
