Hackers for rent are a bunch of scammers, according to research published last week by Google and academics from the University of California, San Diego.
The researchers were specifically interested in a segment of black-market services known as 'hackers for hire': the scammers you send in if you don't have the hacking skills to do the work yourself, or the moral voice whispering in your ear that this is not fun or legal to do.
Such services offer targeted attacks that remain a powerful threat, the researchers said, because they are tailor-made. Think of spear-phishing or whaling attacks that are so convincing because they get all the details right, such as forging company invoices or setting up copycat login sites that steal account credentials.
Things like that take effort. Fortunately, most hired hackers are not up to the task, to put it mildly. Many were outright scams (not so surprising), and some could not even handle attacks on Gmail. For those services that did sometimes take on the challenge of hacking Gmail accounts, costs rose over the course of two years, from $123 to $384, with a peak of $461 in February 2018.
Prices for Yahoo hacking have followed the same trend as Google's, while prices for Facebook and Instagram hacking have actually fallen, to a current average of $307.
The researchers assume that the price differences between e-mail providers, and the changes in price, are probably caused by what they call both operational and economic factors: namely, that Google and Yahoo have become better at protecting e-mail accounts, while prices rise as the market for a specific service shrinks:
Prices will naturally increase as the market for a specific service shrinks (reducing back-end infrastructure handling costs due to platform evasion avoidance) and also if specific services introduce more, or more effective, protection mechanisms to be circumvented (increase in transaction costs for each hacking attempt).
In general, hackers for rent are incapable … or fraudsters
It is certain that the weasels that someone wants to pay to take them over secure the objections of the people. Namely, the hijacking ecosystem is "far from mature", the researchers concluded.
They tested this by setting up fake online buyer personas, which they used to contact 27 hack-for-hire services. The researchers tasked these services with compromising specific victim accounts.
Those so-called 'victims' were actually honeypot Gmail accounts that were managed in collaboration with Google.
Only five of the services they contacted kept their promise to attack the alleged victims. The rest were scammers, were unwilling to attack Gmail accounts, or had poor customer service, they said:
Only five of the services that we contacted have kept their promise to attack our victim characters. The others refused and said they could not cover Gmail, or were simply scams. We often experienced poor customer service, slow responses and inaccurate price advertisements.
The other good news: U2F (Universal 2nd Factor) security keys work, the researchers said:
Furthermore, the current 2FA bridging techniques can be limited by the approval of U2F security keys.
… we would be remiss if we didn't mention that Google got U2F egg on its face last week when it had to recall its Titan Bluetooth U2F keys after it found a security flaw.
Google has argued that the Titan keys are still more secure than using just a password for access. An attacker must be within a radius of approximately 10 meters, must launch the attack just as you press the button on your Titan key … and must know your username and password in advance.
So we give the researchers that point.
In short, the researchers do not think that the hackers-for-rent market is currently a major threat:
We suspect from our findings, including evidence about the number of real targets, that the market for the hostage of commercial accounts remains relatively small and niche. With prices that usually exceed $300, it does not yet threaten to turn targeted attacks into a mass market threat.