Handcrafted fraud and extortion: manual account hijacking in the wild

Elie Bursztein; Borbala Benko; Daniel Margolis; Tadek Pietraszek; Andy Archer; Allan Aquino; Andreas Pitsillidis; Stefan Savage

Available Media
Available Media	Publication (Pdf) Slides (pdf)
Conference	Internet Measurement Conference
Authors	Elie Bursztein , Borbala Benko , Daniel Margolis , Tadek Pietraszek , Andy Archer , Allan Aquino , Andreas Pitsillidis , Stefan Savage
Citation	Bibtex Citation @inproceedings{ BURSZTEIN2014HANDCRAFTED,title = {Handcrafted fraud and extortion: manual account hijacking in the wild},author = {"Elie, Bursztein" and "Borbala, Benko" and "Daniel, Margolis" and "Tadek, Pietraszek" and "Andy, Archer" and "Allan, Aquino" and "Andreas, Pitsillidis" and "Stefan, Savage"},booktitle = {Internet Measurement Conference},year = {2014},organization = {AMC}}

Online accounts are inherently valuable resources both for the data they contain and the reputation they accrue over time. Unsurprisingly, this value drives criminals to steal, or hijack, such accounts. In this paper we focus on manual account hijacking account hijacking performed manually by humans instead of botnets. We describe the details of the hijacking workflow: the attack vectors, the exploitation phase, and post-hijacking remediation. Finally we share which defense strategies we found effective at Google to curb manual hijacking.

Google Slides