Handcrafted Fraud and Extortion: Manual Account Hijacking in the Wild

Borbala Benko
Daniel Margolis
Andy Archer
Allan Aquino
Andreas Pitsillidis
Stefan Savage
IMC '14 Proceedings of the 2014 Conference on Internet Measurement Conference, ACM, 1600 Amphitheatre Parkway, pp. 347-358

Abstract

Online accounts are inherently valuable resources---both for the data they contain and the reputation they accrue over time. Unsurprisingly, this value drives criminals to steal, or hijack, such accounts. In this paper we focus on manual account hijacking---account hijacking performed manually by humans instead of botnets. We describe the details of the hijacking workflow: the attack vectors, the exploitation phase, and post-hijacking remediation. Finally, we share, as a large online company, which defense strategies we found effective at curbing manual hijacking.