Honey Sheets: What Happens to Leaked Google Spreadsheets?
TRANSCRIPT
Honey Sheets: What Happens to Leaked Google Spreadsheets?
Martin Lazarov, Jeremiah Onaolapo, and Gianluca Stringhini
University College London, UK
9th USENIX Workshop on Cyber Security Experimentation and Test
Austin, TX, August 8, 2016
Introduction
• Many useful services are cloud-based
– Dropbox, OneDrive, etc.
• Valuable content in online accounts
• Cybercriminals attack online accounts and sell credentials (Bursztein et al. 2014; Herley and Florencio 2010; Stone-Gross et al. 2011)
Question
• What happens to online accounts and documents after compromise?
Previous work
• Malicious activity in webmail accounts (Bursztein et al. 2014, Stringhini and Thonnard 2015)
• Emphasizes spear phishing as primary attack vector
• No publicly available infrastructure to monitor compromised accounts
Aim
• Study actions and access patterns of cybercriminals on leaked online spreadsheets
• We developed an infrastructure to help researchers understand what happens to compromised cloud documents
Our infrastructure
• Honeypot system comprising honey spreadsheets and monitoring infrastructure
• We developed a proof-of-concept to test our ideas
System components
• Honey spreadsheets containing fake information, including honey links
• Web server to monitor clicks on honey links
• Notification store to receive messages about activity in honey spreadsheets
• IMAP client to retrieve those messages
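One way the notification side of these components fits together, as an added example that is not the authors' code: the spreadsheet-side script is assumed to mail one message per access or edit to the notification store, an IMAP client pulls those messages, and a parser turns them into per-scenario access and modification counts. The message format (a "[honeysheet] <action>" subject with key=value body lines), the field names, the sample messages and the IMAP host and credentials are all constructed placeholders; the imaplib calls themselves are the standard library's.

```python
"""Retrieve honey-spreadsheet activity notifications from the notification
store over IMAP and summarise them per scenario.

Added illustration, not the authors' code.  The notification format below
(a "[honeysheet] <action>" subject and key=value body lines) is an assumption
standing in for whatever the spreadsheet-side script really sends.
"""
import email
import imaplib
from email.utils import parsedate_to_datetime
from typing import Dict, List


def _constructed_notification(date: str, action: str, **fields: str) -> str:
    """Build one raw RFC 822 notification as the IMAP client would receive it."""
    body = "\n".join(f"{key}={value}" for key, value in fields.items())
    return (
        "From: sheet-monitor@example.invalid\n"
        f"Subject: [honeysheet] {action}\n"
        f"Date: {date}\n"
        "\n"
        f"{body}\n"
    )


# Constructed sample messages.  An empty user field models an anonymous
# visitor: spreadsheet-side tracking cannot name someone who is not logged in.
SAMPLE_NOTIFICATIONS: List[str] = [
    _constructed_notification("Mon, 01 Feb 2016 10:15:00 +0000", "access",
                              sheet="payroll-1", scenario="1", user=""),
    _constructed_notification("Tue, 02 Feb 2016 08:40:00 +0000", "access",
                              sheet="payroll-4", scenario="2", user=""),
    _constructed_notification("Wed, 03 Feb 2016 21:05:00 +0000", "modification",
                              sheet="payroll-1", scenario="1",
                              user="visitor@example.invalid", cell="B4",
                              old="GB00 DECOY 0000 0001", new=""),
    _constructed_notification("Fri, 05 Feb 2016 02:30:00 +0000", "access",
                              sheet="payroll-2", scenario="1", user=""),
]


def parse_notification(raw: str) -> dict:
    """Turn one raw notification into an event dict: action, time, body fields."""
    msg = email.message_from_string(raw)
    subject = msg.get("Subject", "")
    if not subject.startswith("[honeysheet] "):
        raise ValueError("not a honeysheet notification: %r" % subject)
    event = {
        "action": subject.split(" ", 1)[1].strip(),
        "time": parsedate_to_datetime(msg["Date"]),
    }
    for line in msg.get_payload().splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            event[key.strip()] = value.strip()
    return event


def summarize(events) -> Dict[str, Dict[str, int]]:
    """Per scenario: accesses, modifications, anonymous accesses, span in days."""
    summary: Dict[str, dict] = {}
    for ev in events:
        s = summary.setdefault(ev["scenario"], {
            "accesses": 0, "modifications": 0, "anonymous": 0,
            "first": ev["time"], "last": ev["time"]})
        if ev["action"] == "access":
            s["accesses"] += 1
            if not ev.get("user"):
                s["anonymous"] += 1
        elif ev["action"] == "modification":
            s["modifications"] += 1
        s["first"] = min(s["first"], ev["time"])
        s["last"] = max(s["last"], ev["time"])
    for s in summary.values():
        s["days"] = (s.pop("last") - s.pop("first")).days
    return summary


def fetch_notifications(host: str, user: str, password: str,
                        mailbox: str = "INBOX") -> List[str]:
    """Pull unread notifications from the store; host and credentials are placeholders."""
    client = imaplib.IMAP4_SSL(host)
    try:
        client.login(user, password)
        client.select(mailbox)
        status, data = client.search(None, "UNSEEN")
        if status != "OK":
            return []
        raws = []
        for num in data[0].split():
            status, parts = client.fetch(num, "(RFC822)")
            if status == "OK":
                raws.append(parts[0][1].decode("utf-8", "replace"))
        return raws
    finally:
        client.logout()


if __name__ == "__main__":
    events = [parse_notification(raw) for raw in SAMPLE_NOTIFICATIONS]
    for scenario, stats in sorted(summarize(events).items()):
        print(f"scenario {scenario}: {stats}")
```

Running it against the constructed messages gives scenario 1 two accesses (both anonymous) and one modification over three days, and scenario 2 a single access; a live run would replace SAMPLE_NOTIFICATIONS with the output of fetch_notifications.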
System overview
Scenarios
We tested 2 scenarios using our proof-of-concept:
1. Scenario 1 – Hacker leaking financial information
2. Scenario 2 – Naïve user sharing spreadsheet info with colleagues
Quick note
• The system is flexible and can be adapted to many scenarios
• The scenarios to set up depend on the questions that the researcher intends to find answers to
Proof-of-concept
• Created 5 spreadsheets with fake payroll info
• Inserted goo.gl honey links in spreadsheets
– 3 honey links point to our website
– 6 honey links point to nonexistent bank pages
• To track location, browser info, IP addresses etc. of visitors
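The web server behind the 3 honey links that point to the authors' website, as an added example that is not the authors' code: a minimal handler that logs each honey-link hit with the visitor's IP address and browser string, and a summary that yields the kind of counts the results report (visits, unique IPs, visits per link). The link paths and sample hits are constructed; geolocation of the IP addresses is left out, and only links that resolve to this server can be observed here, so clicks on the 6 nonexistent bank-page links would have to come from the URL shortener's own statistics.

```python
"""Web-server side of honey-link monitoring: record every hit on a honey link
with the visitor's IP address and User-Agent, then summarise the log.

Added illustration, not the authors' code.  Link paths and sample hits are
constructed; a real deployment would persist the log and geolocate the IPs.
"""
from collections import Counter
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List, Optional

# One path per honey link (assumed names).  The path identifies which decoy
# cell was followed, so a hit can be tied back to a specific spreadsheet.
HONEY_PATHS = {"/l/payroll-a", "/l/payroll-b", "/l/payroll-c"}

CLICK_LOG: List[Dict[str, str]] = []  # in memory here; persist it in a real deployment


def record_click(path: str, ip: str, user_agent: str,
                 when: Optional[datetime] = None,
                 log: Optional[List[Dict[str, str]]] = None) -> Optional[Dict[str, str]]:
    """Append one hit if the path is a honey link; return the record, else None."""
    if path not in HONEY_PATHS:
        return None
    record = {
        "time": (when or datetime.now(timezone.utc)).isoformat(),
        "path": path,
        "ip": ip,
        "user_agent": user_agent,
    }
    (CLICK_LOG if log is None else log).append(record)
    return record


class HoneyLinkHandler(BaseHTTPRequestHandler):
    """Serve the same bland page for every request; the value is in the log."""

    def do_GET(self) -> None:
        hit = record_click(self.path, self.client_address[0],
                           self.headers.get("User-Agent", ""))
        body = b"<html><body>This page is temporarily unavailable.</body></html>"
        self.send_response(200 if hit else 404)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args) -> None:
        return  # keep stdout quiet; CLICK_LOG is the record


def summarize_clicks(log: List[Dict[str, str]]) -> Dict[str, object]:
    """Totals of the kind reported for the experiment: visits, unique IPs, per-link counts."""
    ips = Counter(r["ip"] for r in log)
    return {
        "total_visits": len(log),
        "unique_ips": len(ips),
        "visits_per_link": dict(Counter(r["path"] for r in log)),
        "repeat_visitors": sorted(ip for ip, n in ips.items() if n > 1),
        "user_agents": dict(Counter(r["user_agent"] for r in log)),
    }


# Constructed sample hits (documentation-range addresses), stored via record_click.
SAMPLE_LOG: List[Dict[str, str]] = []
for _path, _ip, _ua in [
    ("/l/payroll-a", "198.51.100.7", "Mozilla/5.0 (Windows NT 6.1) Firefox/44.0"),
    ("/l/payroll-a", "198.51.100.7", "Mozilla/5.0 (Windows NT 6.1) Firefox/44.0"),
    ("/l/payroll-b", "203.0.113.42", "Mozilla/5.0 (X11; Linux x86_64) Chrome/48.0"),
    ("/l/payroll-c", "203.0.113.42", "Mozilla/5.0 (X11; Linux x86_64) Chrome/48.0"),
    ("/l/payroll-b", "192.0.2.200", "curl/7.47.0"),
    ("/robots.txt", "192.0.2.200", "curl/7.47.0"),  # not a honey link: ignored
]:
    record_click(_path, _ip, _ua, datetime(2016, 2, 1, tzinfo=timezone.utc), SAMPLE_LOG)


if __name__ == "__main__":
    print(summarize_clicks(SAMPLE_LOG))
    HTTPServer(("", 8080), HoneyLinkHandler).serve_forever()
```

The handler answers every request with the same unremarkable page, so a visitor learns nothing from the response; the distinction between honey-link hits and stray requests lives only in the log, and the summary separates repeat visitors from one-off clicks, which is what lets "visits" and "unique IPs" be reported as different numbers.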
Spreadsheet example
Honey links example
Leaking the spreadsheets
• We leaked URLs pointing to the spreadsheets on pastebin.com
• Known mode of operation of cybercriminals leaking credentials and documents
Ethical considerations
• No real information in the spreadsheets
• We did not leak credentials of the accounts hosting the spreadsheets
• We obtained IRB approval from our institution
Summary of results
• Scenario 1 (Hacker): 46 days
– 112 accesses, 17 modifications
• Scenario 2 (Naïve user): 26 days
– 53 accesses, 11 modifications
Summary of results
• Differences in accesses not statistically significant
• Dataset available online
Examples of modifications
• Decoy bank account number deleted
• C++ code snippet inserted
• Insult in spreadsheet
• Defacement of spreadsheet
– Our infrastructure could potentially attract trolls and cyberbullies
Activity on goo.gl links
• 39 unique IPs visited the 3 honey links pointing to our web server
• 44 visits to those 3 honey links
• 174 clicks total on all 9 honey links
• Accesses from 35 countries
Locations of accesses
Limitations
• Visitors likely not sophisticated cybercriminals
• Attackers could copy the honey sheets and interact with them offline
• Google Apps Script tracking limited for visitors that are not logged in
Future work
• Make spreadsheets more believable
• Scale up experiments
• Devise taxonomy of attackers targeting cloud documents
• Build comprehensive infrastructure for monitoring compromised webmail accounts and spreadsheets
Another piece of the puzzle
• Jeremiah Onaolapo, Enrico Mariconti, Gianluca Stringhini. “What Happens After You Are Pwnd: Understanding The Use Of Leaked Webmail Credentials In The Wild.”
– To be presented at the ACM Internet Measurement Conference 2016 (IMC 2016), Santa Monica, California.
• Honeypot infrastructure that monitors actions and accesses to compromised webmail accounts
Overarching idea
• Publicly available comprehensive infrastructure
• To help the research community “see” further into the underground ecosystem of compromised accounts and documents
• Criminologists are already using the system
References
Cormac Herley and Dinei Florencio. “Nobody sells gold for the price of silver: Dishonesty, uncertainty and the underground economy”. In: Economics of Information Security and Privacy. 2010.
Brett Stone-Gross et al. “The underground economy of spam: A botmaster's perspective of coordinating large-scale spam campaigns”. In: USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET). 2011.
Elie Bursztein et al. “Handcrafted Fraud and Extortion: Manual Account Hijacking in the Wild”. In: ACM SIGCOMM Conference on Internet Measurement. 2014.
Gianluca Stringhini and Olivier Thonnard. “That ain’t you: Blocking spearphishing through behavioral modelling”. In: International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment. Springer International Publishing, 2015.