+ All Categories
Home > Documents > Honey Sheets: What Happens to Leaked Google ...Mar8n Lazarov, Jeremiah Onaolapo, and Gianluca...

Honey Sheets: What Happens to Leaked Google ...Mar8n Lazarov, Jeremiah Onaolapo, and Gianluca...

Date post: 06-Mar-2021
Category:

Documents
Upload: others
View: 1 times
Download: 0 times
Download Report this document
Share this document with a friend
28
Honey Sheets: What Happens to Leaked Google Spreadsheets? Mar8n Lazarov, Jeremiah Onaolapo, and Gianluca Stringhini University College London, UK 9th USENIX Workshop on Cyber Security Experimenta8on and Test Aus8n, TX August 8, 2016
Transcript
Page 1: Honey Sheets: What Happens to Leaked Google ...Mar8n Lazarov, Jeremiah Onaolapo, and Gianluca Stringhini University College London, UK 9th USENIX Workshop on Cyber Security Experimentaon

HoneySheets:WhatHappenstoLeakedGoogleSpreadsheets?

Mar8nLazarov,JeremiahOnaolapo,andGianlucaStringhiniUniversityCollegeLondon,UK9thUSENIXWorkshoponCyberSecurityExperimenta8onandTestAus8n,TXAugust8,2016

Page 2: Honey Sheets: What Happens to Leaked Google ...Mar8n Lazarov, Jeremiah Onaolapo, and Gianluca Stringhini University College London, UK 9th USENIX Workshop on Cyber Security Experimentaon

Introduc8on•  Manyusefulservicesarecloud-based– Dropbox,OneDrive,etc.

•  Valuablecontentinonlineaccounts•  CybercriminalsaWackonlineaccountsandsellcreden8als(Burszteinetal.2014;HerleyandFlorencio2010;Stone-Grossetal.2011) 2

Page 3: Honey Sheets: What Happens to Leaked Google ...Mar8n Lazarov, Jeremiah Onaolapo, and Gianluca Stringhini University College London, UK 9th USENIX Workshop on Cyber Security Experimentaon

Ques8on•  Whathappenstoonlineaccountsanddocumentsa_ercompromise?

3

Page 4: Honey Sheets: What Happens to Leaked Google ...Mar8n Lazarov, Jeremiah Onaolapo, and Gianluca Stringhini University College London, UK 9th USENIX Workshop on Cyber Security Experimentaon

Previouswork•  Maliciousac8vityinwebmailaccounts

(Burszteinetal.2014,StringhiniandThonnard2015)•  EmphasizespearphishingasprimaryaWackvector

•  Nopubliclyavailableinfrastructuretomonitorcompromisedaccounts

4

Page 5: Honey Sheets: What Happens to Leaked Google ...Mar8n Lazarov, Jeremiah Onaolapo, and Gianluca Stringhini University College London, UK 9th USENIX Workshop on Cyber Security Experimentaon

Aim•  Studyac/onsandaccesspa1ernsofcybercriminalsonleakedonlinespreadsheets

•  Wedevelopedaninfrastructuretohelpresearchersunderstandwhathappenstocompromisedclouddocuments

5

Page 6: Honey Sheets: What Happens to Leaked Google ...Mar8n Lazarov, Jeremiah Onaolapo, and Gianluca Stringhini University College London, UK 9th USENIX Workshop on Cyber Security Experimentaon

Ourinfrastructure•  Honeypotsystemcomprisinghoneyspreadsheetsandmonitoringinfrastructure

•  Wedevelopedproof-of-concepttotestourideas

6

Page 7: Honey Sheets: What Happens to Leaked Google ...Mar8n Lazarov, Jeremiah Onaolapo, and Gianluca Stringhini University College London, UK 9th USENIX Workshop on Cyber Security Experimentaon

Systemcomponents

•  Honeyspreadsheetscontainingfakeinforma8on,includinghoneylinks

•  Webservertomonitorclicksonhoneylinks•  No/fica/onstoretoreceivemessagesaboutac8vityinhoneyspreadsheets

•  IMAPclienttoretrievethosemessages7

Page 8: Honey Sheets: What Happens to Leaked Google ...Mar8n Lazarov, Jeremiah Onaolapo, and Gianluca Stringhini University College London, UK 9th USENIX Workshop on Cyber Security Experimentaon

Systemoverview

8

Page 9: Honey Sheets: What Happens to Leaked Google ...Mar8n Lazarov, Jeremiah Onaolapo, and Gianluca Stringhini University College London, UK 9th USENIX Workshop on Cyber Security Experimentaon

ScenariosWetested2scenariosusingourproof-of-concept1.  Scenario1–Hackerleakingfinancialinforma8on2.  Scenario2–Naïveusersharingspreadsheetinfo

withcolleagues

9

Page 10: Honey Sheets: What Happens to Leaked Google ...Mar8n Lazarov, Jeremiah Onaolapo, and Gianluca Stringhini University College London, UK 9th USENIX Workshop on Cyber Security Experimentaon

Quicknote•  Thesystemisflexibleandcanbeadaptedtomanyscenarios

•  Thescenariostosetupdependontheques8onsthattheresearcherintendstofindanswersto

10

Page 11: Honey Sheets: What Happens to Leaked Google ...Mar8n Lazarov, Jeremiah Onaolapo, and Gianluca Stringhini University College London, UK 9th USENIX Workshop on Cyber Security Experimentaon

Proof-of-concept

•  Created5spreadsheetswithfakepayrollinfo•  Insertedgoo.glhoneylinksinspreadsheets– 3honeylinkspointtoourwebsite– 6honeylinkspointtononexistentbankpages

•  Totrackloca8on,browserinfo,IPaddressesetc.ofvisitors

11

Page 12: Honey Sheets: What Happens to Leaked Google ...Mar8n Lazarov, Jeremiah Onaolapo, and Gianluca Stringhini University College London, UK 9th USENIX Workshop on Cyber Security Experimentaon

Spreadsheetexample

12

Page 13: Honey Sheets: What Happens to Leaked Google ...Mar8n Lazarov, Jeremiah Onaolapo, and Gianluca Stringhini University College London, UK 9th USENIX Workshop on Cyber Security Experimentaon

Honeylinksexample

13

Page 14: Honey Sheets: What Happens to Leaked Google ...Mar8n Lazarov, Jeremiah Onaolapo, and Gianluca Stringhini University College London, UK 9th USENIX Workshop on Cyber Security Experimentaon

Leakingthespreadsheets

•  WeleakedURLspoin8ngtothespreadsheetsonpastebin.com

•  Knownmodeofopera8onofcybercriminalsleakingcreden8alsanddocuments

14

Page 15: Honey Sheets: What Happens to Leaked Google ...Mar8n Lazarov, Jeremiah Onaolapo, and Gianluca Stringhini University College London, UK 9th USENIX Workshop on Cyber Security Experimentaon

15

Page 16: Honey Sheets: What Happens to Leaked Google ...Mar8n Lazarov, Jeremiah Onaolapo, and Gianluca Stringhini University College London, UK 9th USENIX Workshop on Cyber Security Experimentaon

Ethicalconsidera8ons•  Norealinforma8oninthespreadsheets•  Wedidnotleakcreden8alsoftheaccountshos8ngthespreadsheets

•  WeobtainedIRBapprovalfromourins8tu8on

16

Page 17: Honey Sheets: What Happens to Leaked Google ...Mar8n Lazarov, Jeremiah Onaolapo, and Gianluca Stringhini University College London, UK 9th USENIX Workshop on Cyber Security Experimentaon

Summaryofresults•  Scenario1(Hacker):46days–  112accesses,17modifica8ons

•  Scenario2(Naïveuser):26days–  53accesses,11modifica8ons

17

Page 18: Honey Sheets: What Happens to Leaked Google ...Mar8n Lazarov, Jeremiah Onaolapo, and Gianluca Stringhini University College London, UK 9th USENIX Workshop on Cyber Security Experimentaon

Summaryofresults•  Differencesinaccessesnotsta8s8callysignificant

•  Datasetavailableonline

18

Page 19: Honey Sheets: What Happens to Leaked Google ...Mar8n Lazarov, Jeremiah Onaolapo, and Gianluca Stringhini University College London, UK 9th USENIX Workshop on Cyber Security Experimentaon

Examplesofmodifica8ons•  Decoybankaccountnumberdeleted•  C++codesnippetinserted•  Insultinspreadsheet•  Defacementofspreadsheet–  Ourinfrastructurecouldpoten8allyaWracttrollsandcyberbullies

19

Page 20: Honey Sheets: What Happens to Leaked Google ...Mar8n Lazarov, Jeremiah Onaolapo, and Gianluca Stringhini University College London, UK 9th USENIX Workshop on Cyber Security Experimentaon

Ac8vityongoo.gllinks•  39uniqueIPsvisitedthe3honeylinkspoin8ngtoourwebserver

•  44visitstothose3honeylinks•  174clickstotalonall9honeylinks•  Accessesfrom35countries

20

Page 21: Honey Sheets: What Happens to Leaked Google ...Mar8n Lazarov, Jeremiah Onaolapo, and Gianluca Stringhini University College London, UK 9th USENIX Workshop on Cyber Security Experimentaon

Loca8onsofaccesses

21

Page 22: Honey Sheets: What Happens to Leaked Google ...Mar8n Lazarov, Jeremiah Onaolapo, and Gianluca Stringhini University College London, UK 9th USENIX Workshop on Cyber Security Experimentaon

Limita8ons•  Visitorslikelynotsophis8catedcybercriminals•  AWackerscouldcopythehoneysheetsandinteractwiththemoffline

•  GoogleAppsScripttrackinglimitedforvisitorsthatarenotloggedin

22

Page 23: Honey Sheets: What Happens to Leaked Google ...Mar8n Lazarov, Jeremiah Onaolapo, and Gianluca Stringhini University College London, UK 9th USENIX Workshop on Cyber Security Experimentaon

Futurework•  Makespreadsheetsmorebelievable•  Scaleupexperiments•  DevisetaxonomyofaWackerstarge8ngclouddocuments

•  Buildcomprehensiveinfrastructureformonitoringcompromisedwebmailaccountsandspreadsheets

23

Page 24: Honey Sheets: What Happens to Leaked Google ...Mar8n Lazarov, Jeremiah Onaolapo, and Gianluca Stringhini University College London, UK 9th USENIX Workshop on Cyber Security Experimentaon

Anotherpieceofthepuzzle•  JeremiahOnaolapo,EnricoMaricon8,GianlucaStringhini.

“WhatHappensA_erYouArePwnd:UnderstandingTheUseOfLeakedWebmailCreden8alsInTheWild.”–  TobepresentedattheACMInternetMeasurementConference2016

(IMC2016),SantaMonica,California.

•  Honeypotinfrastructurethatmonitorsac8onsandaccessestocompromisedwebmailaccounts

24

Page 25: Honey Sheets: What Happens to Leaked Google ...Mar8n Lazarov, Jeremiah Onaolapo, and Gianluca Stringhini University College London, UK 9th USENIX Workshop on Cyber Security Experimentaon

Overarchingidea•  Publiclyavailablecomprehensiveinfrastructure

•  Tohelptheresearchcommunity“see”furtherintotheundergroundecosystemofcompromisedaccountsanddocuments

•  Criminologistsarealreadyusingthesystem

25

Page 26: Honey Sheets: What Happens to Leaked Google ...Mar8n Lazarov, Jeremiah Onaolapo, and Gianluca Stringhini University College London, UK 9th USENIX Workshop on Cyber Security Experimentaon

ThanksQues8ons?

[email protected]

26

Page 27: Honey Sheets: What Happens to Leaked Google ...Mar8n Lazarov, Jeremiah Onaolapo, and Gianluca Stringhini University College London, UK 9th USENIX Workshop on Cyber Security Experimentaon

ReferencesCormacHerleyandDineiFlorencio.“Nobodysellsgoldforthepriceofsilver:Dishonesty,uncertaintyandtheundergroundeconomy”.In:EconomicsofInforma9onSecurityandPrivacy.2010.BreWStone-Grossetal.“Theundergroundeconomyofspam:Abotmaster'sperspec8veofcoordina8nglarge-scalespamcampaigns”.In:USENIXWorkshoponLarge-ScaleExploitsandEmergentThreats(LEET).2011.

27

Page 28: Honey Sheets: What Happens to Leaked Google ...Mar8n Lazarov, Jeremiah Onaolapo, and Gianluca Stringhini University College London, UK 9th USENIX Workshop on Cyber Security Experimentaon

ReferencesElieBurszteinetal.“Handcra_edFraudandExtor8on:ManualAccountHijackingintheWild”.In:ACMSIGCOMMConferenceonInternetMeasurement.2014.Stringhini,Gianluca,andOlivierThonnard.“Thatain’tyou:Blockingspearphishingthroughbehavioralmodelling.”Interna9onalConferenceonDetec9onofIntrusionsandMalware,andVulnerabilityAssessment.SpringerInterna8onalPublishing,2015.

28


Recommended
Detecting Spammers on Social Networks Gianluca Stringhini, Christopher Kruegel, Giovanni Vigna (University of California) Annual Computer Security Applications.

Detecting Spammers on Social Networks Gianluca Stringhini, Christopher Kruegel, Giovanni Vigna (University of California) Annual Computer Security Applications.

Documents

Sustainable financing of yes o 091215-onaolapo sulaiman bayonle

Sustainable financing of yes o 091215-onaolapo sulaiman bayonle

Presentations & Public Speaking

Poultry markets: on the underground economy of twitter followers · 2018. 11. 20. · Poultry Markets: On the Underground Economy of Twitter Followers Gianluca Stringhini, Manuel

Poultry markets: on the underground economy of twitter followers · 2018. 11. 20. · Poultry Markets: On the Underground Economy of Twitter Followers Gianluca Stringhini, Manuel

Documents

Experimental,Study,of,Fuzzy,Hashing,in, Malware,Clustering ... · • We#idenNfy#two#design#flaws#within#some#of#exisNng#fuzzy# hashing#algorithms.# • We#design#and#implementageneric#experimentaon#

Experimental,Study,of,Fuzzy,Hashing,in, Malware,Clustering ... · • We#idenNfy#two#design#flaws#within#some#of#exisNng#fuzzy# hashing#algorithms.# • We#design#and#implementageneric#experimentaon#

Documents

Big Data - Innovations for Poverty Action · 2017-01-05 · Big data system 3. Adap9ve experimentaon to solve development problems break from the past TODAY • Speed cameras •

Big Data - Innovations for Poverty Action · 2017-01-05 · Big data system 3. Adap9ve experimentaon to solve development problems break from the past TODAY • Speed cameras •

Documents

DIMVA 2019 Beliz Kaleli Manuel Egele Gianluca Stringhini ......Beliz Kaleli Background - HTTP Referer Purpose: Personalize the website: provide specific help, suggest relevant pages

DIMVA 2019 Beliz Kaleli Manuel Egele Gianluca Stringhini ......Beliz Kaleli Background - HTTP Referer Purpose: Personalize the website: provide specific help, suggest relevant pages

Documents

ANTIBIOTIC SUSCEPTIBILITY PROFILE OF METHICILLIN RESISTANT Staphylococci aureus IN POULTRY FARM, IN ZARIA, NIGERIA. BY Onaolapo J. A., Igwe J. C and Bala.

ANTIBIOTIC SUSCEPTIBILITY PROFILE OF METHICILLIN RESISTANT Staphylococci aureus IN POULTRY FARM, IN ZARIA, NIGERIA. BY Onaolapo J. A., Igwe J. C and Bala.

Documents

Rachel Feldstein Omolara Onaolapo Justin Rader Maritza Vazquez.

Rachel Feldstein Omolara Onaolapo Justin Rader Maritza Vazquez.

Documents

Onaolapo Olayinka

Onaolapo Olayinka

Documents

Shady Paths: Leveraging Surfing Crowds to Detect …chris/research/doc/ccs13_shadypaths.pdf · Shady Paths: Leveraging Surfing Crowds to Detect Malicious Web Pages Gianluca Stringhini,

Shady Paths: Leveraging Surfing Crowds to Detect …chris/research/doc/ccs13_shadypaths.pdf · Shady Paths: Leveraging Surfing Crowds to Detect Malicious Web Pages Gianluca Stringhini,

Documents

XLS file · Web viewdina marcia de mattos dinael antonio angnes dinah beatriz souza lemos dinah matias ferreira ... elton stefanio balsamo bastolla elton stringhini elton tonon elton

XLS file · Web viewdina marcia de mattos dinael antonio angnes dinah beatriz souza lemos dinah matias ferreira ... elton stefanio balsamo bastolla elton stringhini elton tonon elton

Documents

SASS Talk 03/11/2009€¦ · Galileo Galilei in the 17th century substutes reasoning and experimentaon founded on hypothesis to simple observaon. In his study of falling objects,

SASS Talk 03/11/2009€¦ · Galileo Galilei in the 17th century substutes reasoning and experimentaon founded on hypothesis to simple observaon. In his study of falling objects,

Documents

Flexplane:)An)Experimentaon)Plaorm) for)Resource ...

Flexplane:)An)Experimentaon)Plaorm) for)Resource ...

Documents

Organic vs synthetic music By Michael Onaolapo

Organic vs synthetic music By Michael Onaolapo

Education

ANESTHESIANEWS - cas.ca€¦ · A Usability and Feasibility Evaluation of Panda, ... Papu Nath ManCho Ng Erika Nguyen Fani Nhuch Mofolashade Onaolapo Mélissa Ouellette Annie Pang

ANESTHESIANEWS - cas.ca€¦ · A Usability and Feasibility Evaluation of Panda, ... Papu Nath ManCho Ng Erika Nguyen Fani Nhuch Mofolashade Onaolapo Mélissa Ouellette Annie Pang

Documents

Authors: Gianluca Stringhini Christopher Kruegel Giovanni Vigna University of California, Santa Barbara

Authors: Gianluca Stringhini Christopher Kruegel Giovanni Vigna University of California, Santa Barbara

Documents

By Gianluca Stringhini, Christopher Kruegel and Giovanni Vigna Presented By Awrad Mohammed Ali 1.

By Gianluca Stringhini, Christopher Kruegel and Giovanni Vigna Presented By Awrad Mohammed Ali 1.

Documents

Gianluca Stringhini, Christopher Kruegel, Giovanni Vigna ...siy117527/sil765/readings/Detecting spammer... · applications, many other forms are ... a malicious message (98) ... crawled

Gianluca Stringhini, Christopher Kruegel, Giovanni Vigna ...siy117527/sil765/readings/Detecting spammer... · applications, many other forms are ... a malicious message (98) ... crawled

Documents