Master of Sheets: A Tale of Compromised Cloud Documents
0 likes157 views
The document discusses the research on compromised cloud documents, specifically focusing on the behavior of cybercriminals regarding stolen financial information, both traditional bank accounts and cryptocurrency. It describes the setup of a honeypot system involving fake payroll sheets and records, which attracted a total of 235 accesses and allowed for analysis of document interactions. The findings highlight different modification activities and URL clicks based on the content type and suggest avenues for improving the protection of cloud documents in light of these observed behaviors.
Master of Sheets: A Tale of Compromised Cloud Documents
- 1. MASTER OF SHEETS: A Tale of Compromised Cloud Documents Jeremiah Onaolapo | Northeastern University Martin Lazarov | University College London Gianluca Stringhini | Boston University IEEE EuroS&P WACCO. June 20, 2019. Stockholm, Sweden.
- 2. Heists of epic proportions 2 *insert next data breach here* *insert yet another data breach here* *ugh! stolen cryptocurrency stash*
- 3. Cloud docs, sitting ducks? • Ubiquitous adoption of cloud storage for docs • As of 2014, 21% of EU citizens stored docs in cloud* • Some docs contain sensitive info, e.g., financial • Docs become attractive targets for cybercriminals 3 *https://ec.europa.eu/eurostat/statistics-explained/index.php/Internet_and_cloud_services_-_statistics_on_the_use_by_individuals
- 4. Research focus • Hard to study attacker behaviour in docs • Unless one has control of large online service, say Google • Our scenario: compromised financial docs • Traditional bank accounts + cryptocurrency wallets in cloud docs 4
- 5. Research focus • What happens to docs after compromise? • What do criminals do with stolen docs? • What type of financial info do they find interesting; bank versus cryptocurrency? • Which tools can help us answer these questions? 5
- 6. Cloud docs honeypot 6 Based on docs honeypot system in Honey Sheets: What Happens To Leaked Google Spreadsheets? Martin Lazarov, Jeremiah Onaolapo, Gianluca Stringhini. USENIX CSET 2016, Austin, USA.
- 7. Our setup • 100 fake payroll sheets • 1000 fake records, i.e., fake personal details • Fake bank accounts (based on 5 UK banks) • Fake cryptocurrency wallets 7
- 9. Leaking long links • To lure visitors to sheets, we leaked long links via paste sites: • Anyone with long link can edit sheet, per our config. • Pastebin (Surface Web) • Paste.org.ru (Surface Web) • Stronghold (Dark Web) 9
- 10. Ethics • No info about real humans in the docs • No bank accounts or cryptocurrency wallets were harmed during the making of this paper • We remained in control of Google accounts that hosted the docs; hence, no spamming • We obtained IRB approval from our university 10
- 11. Findings • Collected data for 1 month • We observed initial reluctance to visit sheets • Maybe leaked links appeared suspicious? 11 0 5 10 15 20 25 30 First access: Time elapsed since first leak (hours) 0.0 0.2 0.4 0.6 0.8 1.0 CDF
- 12. Findings: accesses • 235 accesses (file open events) to 98 sheets • 48 bank sheets + 50 Bitcoin sheets = 98 sheets • 2 sheets were not opened 12 0 5 10 15 20 25 30 35 Time between leak and access (in days) 0 20 40 60 80 100 SheetID Bank Bitcoin
- 13. Findings: modifications • 38 modifications in 7 sheets • No bank sheet was modified • Only Bitcoin sheets were modified • Expanded columns containing fake Bitcoin addresses to get a better view 13
- 14. Findings: edits • A Bitcoin address was replaced with another • Possibly a yet-to-be-used Bitcoin address with fraudulent intent • Or fake Bitcoin address made up by visitor • Blockchain.info lookup yielded no result • (Accidental?) cut-and-paste operation of original data in range of cells • Bitcoin addresses replaced with string: • qzpweklwh85u0h2x44ffv4tsfhxww96v8c7kylnwyu • Yet to figure out what it means 14
- 15. Findings: clicks on honey URLs • 219 clicks on honey URLs, from 30 countries • 135 bank clicks + 84 Bitcoin clicks = 219 clicks • Many clicks from Europe • But…TOR usage and (VPNs, proxies, potentially) means that we can’t say for sure that the locations are true 15
- 16. Findings: clicks on honey URLs • More bank URL clicks than Bitcoin URL clicks • Contrary to our expectations 16 0 5 10 15 20 Link click counts 0.0 0.2 0.4 0.6 0.8 1.0 CDF Bank Bitcoin
- 17. Findings: IP addresses and browsers • 34% of IP addresses that clicked on payment URLs: TOR • Covered their tracks • Various browsers were observed during visits • Firefox was popular among visitors (more than 80% share) 17 Bank Bitcoin 0.0 0.2 0.4 0.6 0.8 1.0 Fractionofclicks Firefox Chrome Opera Edge Internet Explorer Safari Other
- 18. Recap + potential application • Bank docs versus Bitcoin docs: • Document modification activity differs per content of doc • URL clicking behaviour differs too • This knowledge can possibly be used to develop new ways to protect cloud docs • E.g., statistical models of benign versus malicious behaviour per content type • Defacement could perhaps signal anomalous behaviour? 18
- 19. Limitations • Limited visibility since visitors did not have to log in • No auth means no granular records of accesses • Hard to update scripts in our honeypot system once deployed • Visitors can simply copy sheet contents and use them offline • Our monitor system works best when visitors stay in the docs 19
- 20. Future work • Continue exploring more cloud docs • Make honey docs more believable and hide a few real credentials in the midst of fake credentials • Study the impact of demographic attributes of online accounts and docs on the behaviour of criminals that steal them 20
- 21. Thanks • Questions? • Email jonaolapo@neu.ccs.edu • Twitter @jerryola • Papers https://jonaolapo.github.io/publications.html 21