MASTER OF SHEETS:
A Tale of Compromised Cloud Documents
Jeremiah Onaolapo | Northeastern University
Martin Lazarov | University College London
Gianluca Stringhini | Boston University
IEEE EuroS&P WACCO. June 20, 2019. Stockholm, Sweden.
Heists of epic proportions
*insert next data breach here*
*insert yet another data breach here*
*ugh! stolen cryptocurrency stash*
Cloud docs, sitting ducks?
•  Ubiquitous adoption of cloud storage for docs
•  As of 2014, 21% of EU citizens stored docs in cloud*
•  Some docs contain sensitive info, e.g., financial
•  Docs become attractive targets for cybercriminals
*https://ec.europa.eu/eurostat/statistics-explained/index.php/Internet_and_cloud_services_-_statistics_on_the_use_by_individuals
Research focus
•  Hard to study attacker behaviour in docs
•  Unless one has control of large online service, say Google
•  Our scenario: compromised financial docs
•  Traditional bank accounts + cryptocurrency wallets in cloud docs
Research focus
•  What happens to docs after compromise?
•  What do criminals do with stolen docs?
•  What type of financial info do they find interesting: bank versus cryptocurrency?
•  Which tools can help us answer these questions?
Cloud docs honeypot
Based on docs honeypot system in Honey Sheets: What Happens To Leaked Google Spreadsheets?
Martin Lazarov, Jeremiah Onaolapo, Gianluca Stringhini. USENIX CSET 2016, Austin, USA.
Our setup
•  100 fake payroll sheets
•  1000 fake records, i.e., fake personal details
•  Fake bank accounts (based on 5 UK banks)
•  Fake cryptocurrency wallets
[Figure: two panels labelled Bank and Bitcoin]
Leaking long links
•  To lure visitors to sheets, we leaked long links via paste sites:
•  Anyone with long link can edit sheet, per our config.
•  Pastebin (Surface Web)
•  Paste.org.ru (Surface Web)
•  Stronghold (Dark Web)
Ethics
•  No info about real humans in the docs
•  No bank accounts or cryptocurrency wallets were harmed during the making of this paper
•  We remained in control of Google accounts that hosted the docs; hence, no spamming
•  We obtained IRB approval from our university
Findings
•  Collected data for 1 month
•  We observed initial reluctance to visit sheets
•  Maybe leaked links appeared suspicious?
[Figure: CDF of first access; x-axis: time elapsed since first leak (hours)]
Findings: accesses
•  235 accesses (file open events) to 98 sheets
•  48 bank sheets + 50 Bitcoin sheets = 98 sheets
•  2 sheets were not opened
[Figure: SheetID versus time between leak and access (in days), for Bank and Bitcoin sheets]
Findings: modifications
•  38 modifications in 7 sheets
•  No bank sheet was modified
•  Only Bitcoin sheets were modified
•  Expanded columns containing fake Bitcoin addresses to get a better view
Findings: edits
•  A Bitcoin address was replaced with another
•  Possibly a yet-to-be-used Bitcoin address with fraudulent intent
•  Or fake Bitcoin address made up by visitor
•  Blockchain.info lookup yielded no result
•  (Accidental?) cut-and-paste operation of original data in range of cells
•  Bitcoin addresses replaced with string:
•  qzpweklwh85u0h2x44ffv4tsfhxww96v8c7kylnwyu
•  Yet to figure out what it means
Findings: clicks on honey URLs
•  219 clicks on honey URLs, from 30 countries
•  135 bank clicks + 84 Bitcoin clicks = 219 clicks
•  Many clicks from Europe
•  But TOR usage (and, potentially, VPNs and proxies) means that we can’t say for sure that the locations are true
Findings: clicks on honey URLs
•  More bank URL clicks than Bitcoin URL clicks
•  Contrary to our expectations
[Figure: CDF of link click counts, Bank versus Bitcoin]
Findings: IP addresses and browsers
•  34% of IP addresses that clicked on payment URLs: TOR
•  Covered their tracks
•  Various browsers were observed during visits
•  Firefox was popular among visitors (more than 80% share)
[Figure: fraction of clicks per browser (Firefox, Chrome, Opera, Edge, Internet Explorer, Safari, Other), for Bank and Bitcoin sheets]
Recap + potential application
•  Bank docs versus Bitcoin docs:
•  Document modification activity differs per content of doc
•  URL clicking behaviour differs too
•  This knowledge can possibly be used to develop new ways to protect cloud docs
•  E.g., statistical models of benign versus malicious behaviour per content type
•  Defacement could perhaps signal anomalous behaviour?
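A sketch of the per-content-type summary suggested in the recap, added here as an illustration and not taken from the talk or the authors' honeypot system. The event tuple layout, the function names and all sample events are assumptions; the address check covers Base58Check only, so any other encoding is reported as `not_base58check`.

```python
import hashlib
from collections import Counter
from datetime import datetime

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def is_base58check(value):
    """True if value decodes to 25 bytes whose last 4 match the double-SHA256 checksum."""
    n = 0
    for ch in value:
        idx = B58.find(ch)
        if idx < 0:                      # character outside the Base58 alphabet
            return False
        n = n * 58 + idx
    zeros = len(value) - len(value.lstrip("1"))   # each leading '1' encodes a zero byte
    raw = b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()
    return raw[-4:] == digest[:4]

def classify_edit(old, new):
    """Map one modification event to the kinds of change described in the findings."""
    if old == new:
        return "layout_only"             # e.g. a column was widened, no cell value changed
    if is_base58check(new):
        return "well_formed_address"     # replacement passes the address checksum
    return "not_base58check"             # made-up text, or an encoding this check does not cover

def summarise(events, leak_time):
    """Per content type: opens, clicks, edit verdicts, hours from leak to first open per sheet."""
    out = {}
    for sheet, ctype, kind, ts, old, new in events:
        s = out.setdefault(ctype, {"open": 0, "click": 0,
                                   "edits": Counter(), "first_access_h": {}})
        if kind == "edit":
            s["edits"][classify_edit(old, new)] += 1
            continue
        s[kind] += 1
        if kind == "open":
            hours = (datetime.fromisoformat(ts) - leak_time).total_seconds() / 3600
            s["first_access_h"][sheet] = min(hours, s["first_access_h"].get(sheet, hours))
    return out

# Constructed sample data (not the study's measurements).
LEAK = datetime(2019, 1, 1, 0, 0)
GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"    # well-known valid address, used as a test vector
PAGE_STRING = "qzpweklwh85u0h2x44ffv4tsfhxww96v8c7kylnwyu"  # string quoted on the edits slide
EVENTS = [  # (sheet_id, content_type, kind, timestamp, old_value, new_value)
    ("bank-01", "bank", "open", "2019-01-01T22:00", None, None),
    ("bank-01", "bank", "click", "2019-01-01T22:05", None, None),
    ("bank-02", "bank", "open", "2019-01-03T00:00", None, None),
    ("bank-02", "bank", "click", "2019-01-03T00:10", None, None),
    ("btc-01", "bitcoin", "open", "2019-01-02T06:00", None, None),
    ("btc-01", "bitcoin", "open", "2019-01-02T01:00", None, None),   # logged out of order
    ("btc-01", "bitcoin", "edit", "2019-01-02T06:02", "honey-addr-1", "honey-addr-1"),
    ("btc-01", "bitcoin", "edit", "2019-01-02T06:03", "honey-addr-1", GENESIS),
    ("btc-02", "bitcoin", "open", "2019-01-04T12:00", None, None),
    ("btc-02", "bitcoin", "edit", "2019-01-04T12:01", "honey-addr-2", PAGE_STRING),
    ("btc-02", "bitcoin", "edit", "2019-01-04T12:02", "honey-addr-3", GENESIS[:-1] + "b"),
    ("btc-02", "bitcoin", "click", "2019-01-04T12:05", None, None),
]

if __name__ == "__main__":
    for ctype, stats in summarise(EVENTS, LEAK).items():
        print(ctype, stats["open"], stats["click"], dict(stats["edits"]),
              sorted(stats["first_access_h"].values()))
```

A replacement that fails the checksum cannot be a usable Base58Check address, which separates text typed in by a visitor from a well-formed address without any blockchain lookup.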
Limitations
•  Limited visibility since visitors did not have to log in
•  No auth means no granular records of accesses
•  Hard to update scripts in our honeypot system once deployed
•  Visitors can simply copy sheet contents and use them offline
•  Our monitor system works best when visitors stay in the docs
Future work
•  Continue exploring more cloud docs
•  Make honey docs more believable and hide a few real credentials in the midst of fake credentials
•  Study the impact of demographic attributes of online accounts and docs on the behaviour of criminals that steal them
Thanks
•  Questions?
•  Email: jonaolapo@neu.ccs.edu
•  Twitter: @jerryola
•  Papers: https://jonaolapo.github.io/publications.html
