Hackers for hire – the good, the bad and the just-plain-scammers

Hackers for hire are a bunch of swindlers, according to research published last week by Google and academics from the University of California, San Diego.

The researchers were specifically interested in a segment of black-market services known as hackers for hire: the crooks you send in when you lack the hacking skills to do the job yourself and the morals that whisper in your ear that this is not a nice, or legal, thing to do.

Such services offer targeted attacks that remain a potent threat, the researchers said, due to the fact that they’re so tailored. Think of spearphishing or whaling attacks that are so convincing because they get all the details right, such as forging company invoices or setting up copycat log-in sites that steal account credentials.

That kind of thing takes effort. Fortunately, most hackers for hire aren’t up to the task, to say the least. Many were outright scams – not too surprising – and some wouldn’t even take on the job if it involved attacking Gmail. For those services that did agree to take on the challenge of hacking Gmail accounts, the cost ballooned over the course of two years, from $123 to $384 – with a peak of $461 in February 2018.

Yahoo hacking prices have tracked the same as Google, while Facebook and Instagram hacking prices have actually fallen to the current average of $307.

The researchers hypothesize that the price differences for hacking the various email providers and the change in pricing are likely driven by what they call both operational and economic factors: namely, Google and Yahoo have gotten better at protecting email accounts, while prices have increased as the market for a specific service shrinks:

Prices will naturally increase as the market for a specific service shrinks (reducing the ability to amortize sunk costs on back-end infrastructure for evading platform defenses) and also as specific services introduce more, or more effective, protection mechanisms that need to be bypassed (increasing the transactional cost for each hacking attempt).

Overall, hackers for hire are pleasingly incompetent… or frauds

What’s sure to keep people’s accounts secure is surely aggravating the weasels who want to pay somebody to take them over. Namely, the hijacking ecosystem is “far from mature,” the researchers concluded.

They tested it out by setting up bogus online buyer personas with which to approach 27 hacking-for-hire services. The researchers tasked those services with compromising particular victim accounts.

Those supposed “victims” were actually honeypot Gmail accounts operated in coordination with Google.

Only five of the services they contacted delivered on their promise to attack the supposed victims. The rest were scammers, demurred when it came to attacking Gmail accounts, or had lousy customer service, they said:

Just five of the services we contacted delivered on their promise to attack our victim personas. The others declined, saying they could not cover Gmail, or were outright scams. We frequently encountered poor customer service, slow responses, and inaccurate advertisements for pricing.

The other good news: U2F (Universal 2nd Factor) security keys are working, the researchers said:

Further, the current techniques for bypassing 2FA can be mitigated with the adoption of U2F security keys.

… we would be remiss were we not to mention that Google last week got U2F egg on its face when it had to recall its Titan Bluetooth U2F keys after finding a security flaw.

Google has argued that Titan keys are still more secure than relying on just a password for access, and true, an attacker has to to be within about 10 meters and has to launch their attack just as you press the button on your Titan key… and needs to know your username and password in advance.

So we’ll grant the researchers that point.

Sum it all up, and the researchers don’t think the hackers-for-hire market is a large-scale threat at this point:

We surmise from our findings, including evidence about the volume of real targets, that the commercial account hijacking market remains quite small and niche. With prices commonly in excess of $300, it does not yet threaten to make targeted attacks a mass market threat.