Slides presented at IEEE EuroS&P WACCO (workshop) on June 20, 2019. Stockholm, Sweden. The full paper is available at https://jonaolapo.github.io/papers/wacco19sheetshoney.pdf
Master of Sheets: A Tale of Compromised Cloud Documents
1. MASTER OF SHEETS:
A Tale of Compromised Cloud Documents
Jeremiah Onaolapo | Northeastern University
Martin Lazarov | University College London
Gianluca Stringhini | Boston University
IEEE EuroS&P WACCO. June 20, 2019. Stockholm, Sweden.
2. Heists of epic proportions
*insert next data breach here*
*insert yet another data breach here*
*ugh! stolen cryptocurrency stash*
3. Cloud docs, sitting ducks?
• Ubiquitous adoption of cloud storage for docs
• As of 2014, 21% of EU citizens stored docs in cloud*
• Some docs contain sensitive info, e.g., financial
• Docs become attractive targets for cybercriminals
*https://ec.europa.eu/eurostat/statistics-explained/index.php/Internet_and_cloud_services_-_statistics_on_the_use_by_individuals
4. Research focus
• Hard to study attacker behaviour in docs
• Unless one has control of large online service, say Google
• Our scenario: compromised financial docs
• Traditional bank accounts + cryptocurrency wallets in cloud docs
5. Research focus
• What happens to docs after compromise?
• What do criminals do with stolen docs?
• What type of financial info do they find interesting: bank versus cryptocurrency?
• Which tools can help us answer these questions?
6. Cloud docs honeypot
Based on docs honeypot system in Honey Sheets: What Happens To Leaked Google Spreadsheets?
Martin Lazarov, Jeremiah Onaolapo, Gianluca Stringhini. USENIX CSET 2016, Austin, USA.
7. Our setup
• 100 fake payroll sheets
• 1000 fake records, i.e., fake personal details
• Fake bank accounts (based on 5 UK banks)
• Fake cryptocurrency wallets
9. Leaking long links
• To lure visitors to sheets, we leaked long links via paste sites:
• Anyone with long link can edit sheet, per our config.
• Pastebin (Surface Web)
• Paste.org.ru (Surface Web)
• Stronghold (Dark Web)
10. Ethics
• No info about real humans in the docs
• No bank accounts or cryptocurrency wallets were harmed during the making of this paper
• We remained in control of Google accounts that hosted the docs; hence, no spamming
• We obtained IRB approval from our university
11. Findings
• Collected data for 1 month
• We observed initial reluctance to visit sheets
• Maybe leaked links appeared suspicious?
[Figure: CDF of first access; x-axis: time elapsed since first leak (hours, 0 to 30); y-axis: CDF]
12. Findings: accesses
• 235 accesses (file open events) to 98 sheets
• 48 bank sheets + 50 Bitcoin sheets = 98 sheets
• 2 sheets were not opened
[Figure: time between leak and access (in days, 0 to 35) per SheetID (0 to 100); series: Bank, Bitcoin]
13. Findings: modifications
• 38 modifications in 7 sheets
• No bank sheet was modified
• Only Bitcoin sheets were modified
• Expanded columns containing fake Bitcoin addresses to get a better view
14. Findings: edits
• A Bitcoin address was replaced with another
• Possibly a yet-to-be-used Bitcoin address with fraudulent intent
• Or fake Bitcoin address made up by visitor
• Blockchain.info lookup yielded no result
• (Accidental?) cut-and-paste operation of original data in range of cells
• Bitcoin addresses replaced with string:
• qzpweklwh85u0h2x44ffv4tsfhxww96v8c7kylnwyu
• Yet to figure out what it means
15. Findings: clicks on honey URLs
• 219 clicks on honey URLs, from 30 countries
• 135 bank clicks + 84 Bitcoin clicks = 219 clicks
• Many clicks from Europe
• But TOR usage (and potentially VPNs and proxies) means that we can't say for sure that the locations are true
16. Findings: clicks on honey URLs
• More bank URL clicks than Bitcoin URL clicks
• Contrary to our expectations
[Figure: CDF of link click counts (0 to 20); series: Bank, Bitcoin]
17. Findings: IP addresses and browsers
• 34% of IP addresses that clicked on payment URLs: TOR
• Covered their tracks
• Various browsers were observed during visits
• Firefox was popular among visitors (more than 80% share)
[Figure: fraction of clicks per browser (Firefox, Chrome, Opera, Edge, Internet Explorer, Safari, Other) for Bank and Bitcoin sheets]
18. Recap + potential application
• Bank docs versus Bitcoin docs:
• Document modification activity differs per content of doc
• URL clicking behaviour differs too
• This knowledge can possibly be used to develop new ways to protect cloud docs
• E.g., statistical models of benign versus malicious behaviour per content type
• Defacement could perhaps signal anomalous behaviour?
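As an added example (not the paper's honeypot code), here is what the two signals from slides 14 and 18 look like as detection logic: a base58check validity test that separates a checksum-valid substitute Bitcoin address (a possible payment redirect) from a malformed replacement (defacement), plus a per-content-type modification rate of the kind a per-type baseline would be built on. The event records and sheet IDs are constructed; the replacement string is the one quoted on slide 14 and the substitute address is a well-known public Bitcoin address; bech32 (bc1...) addresses are out of scope and treated as invalid.

```python
import hashlib
from collections import Counter

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58check_valid(addr: str) -> bool:
    """True iff addr is base58 with a correct double-SHA256 checksum (legacy 1.../3...
    formats). Assumption: bech32 (bc1...) is not handled and is reported as invalid."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    body = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body  # leading '1's are zero bytes
    if len(body) < 5:
        return False
    return hashlib.sha256(hashlib.sha256(body[:-4]).digest()).digest()[:4] == body[-4:]

# Constructed sample of honey-sheet activity (not the paper's data). Edits carry the
# old and new cell value so a substitution in the address column can be judged.
EVENTS = [
    {"sheet": 7, "type": "bitcoin", "action": "open"},
    {"sheet": 7, "type": "bitcoin", "action": "edit", "col": "address",
     "old": "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2", "new": "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"},
    {"sheet": 12, "type": "bitcoin", "action": "edit", "col": "address",
     "old": "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2", "new": "qzpweklwh85u0h2x44ffv4tsfhxww96v8c7kylnwyu"},
    {"sheet": 12, "type": "bitcoin", "action": "edit", "col": "name", "old": "Ann", "new": "Anne"},
    {"sheet": 3, "type": "bank", "action": "open"},
    {"sheet": 3, "type": "bank", "action": "click"},
]

def classify_edit(ev):
    """Checksum-valid substitute: funds could be redirected; anything else: defacement."""
    if ev["action"] != "edit" or ev.get("col") != "address" or ev["old"] == ev["new"]:
        return None
    return "address_substitution" if b58check_valid(ev["new"]) else "defacement"

def alerts(events):
    """(sheet id, label) for every address-column edit worth a look."""
    return [(ev["sheet"], label) for ev in events if (label := classify_edit(ev))]

def modification_rate(events):
    """Share of events that are edits, per content type (a per-type baseline input)."""
    total, edits = Counter(), Counter()
    for ev in events:
        total[ev["type"]] += 1
        edits[ev["type"]] += ev["action"] == "edit"
    return {t: edits[t] / total[t] for t in total}
```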
19. Limitations
• Limited visibility since visitors did not have to log in
• No auth means no granular records of accesses
• Hard to update scripts in our honeypot system once deployed
• Visitors can simply copy sheet contents and use them offline
• Our monitor system works best when visitors stay in the docs
20. Future work
• Continue exploring more cloud docs
• Make honey docs more believable and hide a few real credentials in the midst of fake credentials
• Study the impact of demographic attributes of online accounts and docs on the behaviour of criminals that steal them