Transcript
Page 1: Honey Sheets: What Happens to Leaked Google Spreadsheets?

Honey Sheets: What Happens to Leaked Google Spreadsheets?

Martin Lazarov, Jeremiah Onaolapo, and Gianluca Stringhini
University College London, UK
9th USENIX Workshop on Cyber Security Experimentation and Test
Austin, TX
August 8, 2016

Page 2: Honey Sheets: What Happens to Leaked Google Spreadsheets?

Introduction
• Many useful services are cloud-based
  – Dropbox, OneDrive, etc.
• Valuable content in online accounts
• Cybercriminals attack online accounts and sell credentials (Bursztein et al. 2014; Herley and Florencio 2010; Stone-Gross et al. 2011)

Page 3: Honey Sheets: What Happens to Leaked Google Spreadsheets?

Question
• What happens to online accounts and documents after compromise?

Page 4: Honey Sheets: What Happens to Leaked Google Spreadsheets?

Previous work
• Malicious activity in webmail accounts (Bursztein et al. 2014, Stringhini and Thonnard 2015)
• Emphasize spearphishing as primary attack vector
• No publicly available infrastructure to monitor compromised accounts

Page 5: Honey Sheets: What Happens to Leaked Google Spreadsheets?

Aim
• Study actions and access patterns of cybercriminals on leaked online spreadsheets
• We developed an infrastructure to help researchers understand what happens to compromised cloud documents

Page 6: Honey Sheets: What Happens to Leaked Google Spreadsheets?

Our infrastructure
• Honeypot system comprising honey spreadsheets and monitoring infrastructure
• We developed proof-of-concept to test our ideas

Page 7: Honey Sheets: What Happens to Leaked Google Spreadsheets?

System components
• Honey spreadsheets containing fake information, including honeylinks
• Web server to monitor clicks on honeylinks
• Notification store to receive messages about activity in honey spreadsheets
• IMAP client to retrieve those messages
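
The click-monitoring component listed above can be illustrated with a small access-log analyzer that reports visits and unique IPs per honeylink. This is an added example, not code from the authors' infrastructure; the combined log format, the `/hl/...` landing paths and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data: web-server access log in combined log format.
# The /hl/a, /hl/b, /hl/c paths are hypothetical honeylink landing paths.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Mar/2016:10:00:01 +0000] "GET /hl/a HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.10 - - [01/Mar/2016:10:00:09 +0000] "GET /hl/a HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [01/Mar/2016:11:30:44 +0000] "GET /hl/b?x=1 HTTP/1.1" 200 512 "-" "curl/7.47.0"
203.0.113.5 - - [02/Mar/2016:08:15:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Mar/2016:08:15:30 +0000] "GET /hl/a HTTP/1.1" 200 512 "-" "Mozilla/5.0"
this line is malformed and must be skipped
"""

HONEYLINK_PATHS = {"/hl/a", "/hl/b", "/hl/c"}  # assumed landing paths

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def honeylink_hits(log_text, paths=HONEYLINK_PATHS):
    """Return one record per request that landed on a honeylink path."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not valid log entries
        path = m.group("target").split("?", 1)[0]  # drop any query string
        if path in paths:
            hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                         "path": path, "ua": m.group("ua")})
    return hits

def summarize(hits):
    """Total visits, unique IPs, and (visits, unique IPs) per honeylink."""
    per_link = defaultdict(lambda: {"visits": 0, "ips": set()})
    for h in hits:
        per_link[h["path"]]["visits"] += 1
        per_link[h["path"]]["ips"].add(h["ip"])
    return {
        "visits": len(hits),
        "unique_ips": len({h["ip"] for h in hits}),
        "per_link": {p: (v["visits"], len(v["ips"])) for p, v in per_link.items()},
    }

if __name__ == "__main__":
    print(summarize(honeylink_hits(SAMPLE_LOG)))
```

Separating visits from unique IPs matters because one visitor may click the same honeylink repeatedly, as the first two constructed log lines show.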

Page 8: Honey Sheets: What Happens to Leaked Google Spreadsheets?

System overview

Page 9: Honey Sheets: What Happens to Leaked Google Spreadsheets?

Scenarios
We tested 2 scenarios using our proof-of-concept
1. Scenario 1 – Hacker leaking financial information
2. Scenario 2 – Naïve user sharing spreadsheet info with colleagues

Page 10: Honey Sheets: What Happens to Leaked Google Spreadsheets?

Quick note
• The system is flexible and can be adapted to many scenarios
• The scenarios to set up depend on the questions that the researcher intends to find answers to

Page 11: Honey Sheets: What Happens to Leaked Google Spreadsheets?

Proof-of-concept
• Created 5 spreadsheets with fake payroll info
• Inserted goo.gl honeylinks in spreadsheets
  – 3 honeylinks point to our website
  – 6 honeylinks point to nonexistent bank pages
• To track location, browser info, IP addresses etc. of visitors

Page 12: Honey Sheets: What Happens to Leaked Google Spreadsheets?

Spreadsheet example

Page 13: Honey Sheets: What Happens to Leaked Google Spreadsheets?

Honeylinks example

Page 14: Honey Sheets: What Happens to Leaked Google Spreadsheets?

Leaking the spreadsheets
• We leaked URLs pointing to the spreadsheets on pastebin.com
• Known mode of operation of cybercriminals leaking credentials and documents

Page 15: Honey Sheets: What Happens to Leaked Google Spreadsheets?


Page 16: Honey Sheets: What Happens to Leaked Google Spreadsheets?

Ethical considerations
• No real information in the spreadsheets
• We did not leak credentials of the accounts hosting the spreadsheets
• We obtained IRB approval from our institution

Page 17: Honey Sheets: What Happens to Leaked Google Spreadsheets?

Summary of results
• Scenario 1 (Hacker): 46 days
  – 112 accesses, 17 modifications
• Scenario 2 (Naïve user): 26 days
  – 53 accesses, 11 modifications

Page 18: Honey Sheets: What Happens to Leaked Google Spreadsheets?

Summary of results
• Differences in accesses not statistically significant
• Dataset available online

Page 19: Honey Sheets: What Happens to Leaked Google Spreadsheets?

Examples of modifications
• Decoy bank account number deleted
• C++ code snippet inserted
• Insult in spreadsheet
• Defacement of spreadsheet
  – Our infrastructure could potentially attract trolls and cyberbullies

Page 20: Honey Sheets: What Happens to Leaked Google Spreadsheets?

Activity on goo.gl links
• 39 unique IPs visited the 3 honeylinks pointing to our web server
• 44 visits to those 3 honeylinks
• 174 clicks total on all 9 honeylinks
• Accesses from 35 countries

Page 21: Honey Sheets: What Happens to Leaked Google Spreadsheets?

Locations of accesses

Page 22: Honey Sheets: What Happens to Leaked Google Spreadsheets?

Limitations
• Visitors likely not sophisticated cybercriminals
• Attackers could copy the honey sheets and interact with them offline
• Google Apps Script tracking limited for visitors that are not logged in

Page 23: Honey Sheets: What Happens to Leaked Google Spreadsheets?

Future work
• Make spreadsheets more believable
• Scale up experiments
• Devise taxonomy of attackers targeting cloud documents
• Build comprehensive infrastructure for monitoring compromised webmail accounts and spreadsheets

Page 24: Honey Sheets: What Happens to Leaked Google Spreadsheets?

Another piece of the puzzle
• Jeremiah Onaolapo, Enrico Mariconti, Gianluca Stringhini. “What Happens After You Are Pwnd: Understanding The Use Of Leaked Webmail Credentials In The Wild.”
  – To be presented at the ACM Internet Measurement Conference 2016 (IMC 2016), Santa Monica, California.
• Honeypot infrastructure that monitors actions and accesses to compromised webmail accounts

Page 25: Honey Sheets: What Happens to Leaked Google Spreadsheets?

Overarching idea
• Publicly available comprehensive infrastructure
• To help the research community “see” further into the underground ecosystem of compromised accounts and documents
• Criminologists are already using the system

Page 26: Honey Sheets: What Happens to Leaked Google Spreadsheets?

Thanks

Questions?

[email protected]

Page 27: Honey Sheets: What Happens to Leaked Google Spreadsheets?

References

Cormac Herley and Dinei Florencio. “Nobody sells gold for the price of silver: Dishonesty, uncertainty and the underground economy”. In: Economics of Information Security and Privacy. 2010.

Brett Stone-Gross et al. “The underground economy of spam: A botmaster's perspective of coordinating large-scale spam campaigns”. In: USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET). 2011.

Page 28: Honey Sheets: What Happens to Leaked Google Spreadsheets?

References

Elie Bursztein et al. “Handcrafted Fraud and Extortion: Manual Account Hijacking in the Wild”. In: ACM SIGCOMM Conference on Internet Measurement. 2014.

Gianluca Stringhini and Olivier Thonnard. “That ain’t you: Blocking spearphishing through behavioral modelling”. In: International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment. Springer International Publishing, 2015.

