Hiring a black hat hacker? You probably won't get what you pay for

Four university researchers teamed up with a security and privacy specialist at Google and contacted 27 hacker-for-hire services to hack Gmail accounts. Only five of them actually hacked the bogus accounts.

Thought of hiring a hacker, Googled hackers for hire, found one and paid for their services? You were probably taken for a ride, according to recent covert research by Google and the University of California, San Diego.

Four researchers from the university teamed up with a security and privacy specialist at Google and contacted 27 hacker-for-hire services to hack Gmail accounts. Only five of them actually hacked the bogus accounts provided by the team.

Hacker who?

According to the researchers, 10 never replied to their enquiries. Of the 17 that responded, 12 did not attempt to hack, with nine of those 12 saying they were no longer interested in hacking Gmail accounts. Three of the five who executed the attack charged significantly more than their initial offer.

"These victims in turn were 'honey pot' Gmail accounts, operated in coordination with Google, and allowed us to record key interactions with the victim as well as with other fabricated aspects of their online persona that we created (e.g., business web servers, email addresses of friends or partner)," said the study report.

To add credibility, the research team also set up other features of the victims' personas, such as email addresses of friends and business web servers. These were also used to trace the hackers' interactions.

Modus operandi

The researchers found that these hack-for-hire services usually relied on social engineering through targeted phishing email messages, while one service attempted to deploy a remote access trojan.

"The attackers customised their phishing lures to incorporate details of our fabricated business entities and associates, which they acquired either by scraping our victim persona’s website or by requesting the details during negotiations with our buyer persona," said the report.

Two-factor authentication on the accounts created "friction", with several hackers saying they could not break into an account without the victim's phone number, said the study.

"Simply adding a recovery phone number to your Google Account can block up to 100 percent of automated bots, 99 percent of bulk phishing attacks, and 66 percent of targeted attacks that occurred during our investigation," said a Google statement on the research.

Demand rising

The report comes at a time when governments are moving to legitimise hacking services, with some openly sourcing the services of hackers. HackerOne, the US-based "hacker-powered security" company, this month announced it is at an advanced stage of gaining approval to operate on US federal networks.

The company has achieved Federal Risk and Authorisation Management Program (FedRAMP) In Process status for Tailored Low impact Software-as-a-Service (Li-SaaS), which authorises the company to work for the US federal agencies. The Canadian Security Intelligence Service (CSIS) in January opened a vacancy for hackers under the designation ‘Network Exploitation Analyst’.

The shortage of skilled hackers, which has fuelled the rise of fraudsters, has turned into a business opportunity for others. A startup called Synack is helping companies get around this shortage by providing "crowdsourced" security.

Founded in 2013 by former US Department of Defence security experts Jay Kaplan and Mark Kuhr, the company claims a customer roster of leading global banks, federal agencies and DoD classified assets, and says it has secured "close to US$ 1 trillion (£0.8 trillion) in Fortune 500 revenue".
