HoneySheets:WhatHappenstoLeakedGoogleSpreadsheets?

Mar8nLazarov,JeremiahOnaolapo,andGianlucaStringhiniUniversityCollegeLondon,UK9thUSENIXWorkshoponCyberSecurityExperimenta8onandTestAus8n,TXAugust8,2016

Introduc8on•  Manyusefulservicesarecloud-based– Dropbox,OneDrive,etc.

•  Valuablecontentinonlineaccounts•  CybercriminalsaWackonlineaccountsandsellcreden8als(Burszteinetal.2014;HerleyandFlorencio2010;Stone-Grossetal.2011) 2

Ques8on•  Whathappenstoonlineaccountsanddocumentsa_ercompromise?

3

Previouswork•  Maliciousac8vityinwebmailaccounts

(Burszteinetal.2014,StringhiniandThonnard2015)•  EmphasizespearphishingasprimaryaWackvector

•  Nopubliclyavailableinfrastructuretomonitorcompromisedaccounts

4

Aim•  Studyac/onsandaccesspa1ernsofcybercriminalsonleakedonlinespreadsheets

•  Wedevelopedaninfrastructuretohelpresearchersunderstandwhathappenstocompromisedclouddocuments

5

Ourinfrastructure•  Honeypotsystemcomprisinghoneyspreadsheetsandmonitoringinfrastructure

•  Wedevelopedproof-of-concepttotestourideas

6

Systemcomponents

•  Honeyspreadsheetscontainingfakeinforma8on,includinghoneylinks

•  Webservertomonitorclicksonhoneylinks•  No/fica/onstoretoreceivemessagesaboutac8vityinhoneyspreadsheets

•  IMAPclienttoretrievethosemessages7

Systemoverview

8

ScenariosWetested2scenariosusingourproof-of-concept1.  Scenario1–Hackerleakingfinancialinforma8on2.  Scenario2–Naïveusersharingspreadsheetinfo

withcolleagues

9

Quicknote•  Thesystemisflexibleandcanbeadaptedtomanyscenarios

•  Thescenariostosetupdependontheques8onsthattheresearcherintendstofindanswersto

10

Proof-of-concept

•  Created5spreadsheetswithfakepayrollinfo•  Insertedgoo.glhoneylinksinspreadsheets– 3honeylinkspointtoourwebsite– 6honeylinkspointtononexistentbankpages

•  Totrackloca8on,browserinfo,IPaddressesetc.ofvisitors

11

Spreadsheetexample

12

Honeylinksexample

13

Leakingthespreadsheets

•  WeleakedURLspoin8ngtothespreadsheetsonpastebin.com

•  Knownmodeofopera8onofcybercriminalsleakingcreden8alsanddocuments

14

15

Ethicalconsidera8ons•  Norealinforma8oninthespreadsheets•  Wedidnotleakcreden8alsoftheaccountshos8ngthespreadsheets

•  WeobtainedIRBapprovalfromourins8tu8on

16

Summaryofresults•  Scenario1(Hacker):46days–  112accesses,17modifica8ons

•  Scenario2(Naïveuser):26days–  53accesses,11modifica8ons

17

Summaryofresults•  Differencesinaccessesnotsta8s8callysignificant

•  Datasetavailableonline

18

Examplesofmodifica8ons•  Decoybankaccountnumberdeleted•  C++codesnippetinserted•  Insultinspreadsheet•  Defacementofspreadsheet–  Ourinfrastructurecouldpoten8allyaWracttrollsandcyberbullies

19

Ac8vityongoo.gllinks•  39uniqueIPsvisitedthe3honeylinkspoin8ngtoourwebserver

•  44visitstothose3honeylinks•  174clickstotalonall9honeylinks•  Accessesfrom35countries

20

Loca8onsofaccesses

21

Limita8ons•  Visitorslikelynotsophis8catedcybercriminals•  AWackerscouldcopythehoneysheetsandinteractwiththemoffline

•  GoogleAppsScripttrackinglimitedforvisitorsthatarenotloggedin

22

Futurework•  Makespreadsheetsmorebelievable•  Scaleupexperiments•  DevisetaxonomyofaWackerstarge8ngclouddocuments

•  Buildcomprehensiveinfrastructureformonitoringcompromisedwebmailaccountsandspreadsheets

23

Anotherpieceofthepuzzle•  JeremiahOnaolapo,EnricoMaricon8,GianlucaStringhini.

“WhatHappensA_erYouArePwnd:UnderstandingTheUseOfLeakedWebmailCreden8alsInTheWild.”–  TobepresentedattheACMInternetMeasurementConference2016

(IMC2016),SantaMonica,California.

•  Honeypotinfrastructurethatmonitorsac8onsandaccessestocompromisedwebmailaccounts

24

Overarchingidea•  Publiclyavailablecomprehensiveinfrastructure

•  Tohelptheresearchcommunity“see”furtherintotheundergroundecosystemofcompromisedaccountsanddocuments

•  Criminologistsarealreadyusingthesystem

25

ThanksQues8ons?

j.onaolapo@cs.ucl.ac.uk

26

ReferencesCormacHerleyandDineiFlorencio.“Nobodysellsgoldforthepriceofsilver:Dishonesty,uncertaintyandtheundergroundeconomy”.In:EconomicsofInforma9onSecurityandPrivacy.2010.BreWStone-Grossetal.“Theundergroundeconomyofspam:Abotmaster'sperspec8veofcoordina8nglarge-scalespamcampaigns”.In:USENIXWorkshoponLarge-ScaleExploitsandEmergentThreats(LEET).2011.

27

ReferencesElieBurszteinetal.“Handcra_edFraudandExtor8on:ManualAccountHijackingintheWild”.In:ACMSIGCOMMConferenceonInternetMeasurement.2014.Stringhini,Gianluca,andOlivierThonnard.“Thatain’tyou:Blockingspearphishingthroughbehavioralmodelling.”Interna9onalConferenceonDetec9onofIntrusionsandMalware,andVulnerabilityAssessment.SpringerInterna8onalPublishing,2015.

28