Hacker-for-hire services are mostly scams or ineffective, researchers find

Of 27 hacker-for-hire services contacted for Gmail account hacking, only five attempted to launch attacks against victims

Most hacking services advertised on the internet are essentially scams, or are ineffective at providing a satisfactory service to customers.

That is according to a new study conducted by researchers from the University of California, San Diego, in association with Google.

In the study, the researchers contacted 27 hacker-for-hire services for Gmail account hacking and found that only five of them actually launched attacks against victims.

The team asked hackers to compromise a number of honeypot Gmail accounts that they had set up with the cooperation of Google.

The accounts enabled researchers to trace hackers' interactions with victims' systems. The research team also created several other features of victims' online persona, such as email addresses of friends and business web servers, in order to trace hackers' interactions with those features.

According to the researchers, of the 27 hacker-for-hire services they contacted on the internet, 10 never even responded to their queries.

Of the 17 that replied to inquiries, 12 never attempted to carry out an attack on the victim account. Three of those 12 services were pure scams: they took payments from customers without providing the promised service in return. Nine of the 12 said they were no longer interested in hacking Gmail accounts.

The commercial account hijacking market remains quite small and niche

Finally, five hacking services launched attacks against 11 Gmail accounts and attempted to compromise victims' accounts through social engineering techniques, such as spear-phishing.

While some of them sought additional details about their targets, others simply employed reusable email phishing templates. However, one of them attempted to install a remote access Trojan on a target's computer. When installed, this malware would have provided attackers with authentication cookies and passwords from local browsers.

Researchers noticed significant differences between the price advertised online for hacking services and the final amount paid to those hackers. They usually charged between $100 and $500 for email hijacking services. Two services altered their original prices while they were carrying out the hack, changing their prices after learning that they would have to bypass two-factor authentication (2FA) during the hack.

"We surmise from our findings, including evidence about the volume of real targets, that the commercial account hijacking market remains quite small and niche," the researchers explained in their study paper.

"With prices commonly in excess of $300, it does not yet threaten to make targeted attacks a mass market threat," they concluded.
