Hacker-for-hire services available online are what we thought they were -- scams and ineffective -- new research published last week by Google and academics from the University of California, San Diego, reveals.

"Using unique online buyer personas, we engaged directly with 27 such account hacking service providers and tasked them with compromising victim accounts of our choosing," researchers said.

"These victims in turn were 'honey pot' Gmail accounts, operated in coordination with Google, and allowed us to record key interactions with the victim as well as with other fabricated aspects of their online persona that we created (e.g., business web servers, email addresses of friends or partner)."

The research team said that of the 27 hacking services they engaged, 10 never replied to their inquiries, 12 responded but never actually attempted to launch an attack, and only five ended up launching attacks against the test Gmail accounts.

Of the 12 who responded but never launched any attacks, nine said they were no longer hacking Gmail accounts, while the other three appeared to be scams.

Image: Mirian et al.

Researchers said the services usually charged between $100 and $500, and none used automated tools for the attacks.

All attacks involved social engineering, with hackers using spear-phishing to fine-tune attacks for each victim. Some hackers asked for details about the victim they were supposed to target, while others didn't bother, and opted to employ re-usable email phishing templates.

The oddity among the five hackers who launched an attack was that one of them tried to infect the victim with malware (a remote access trojan) rather than phish the victim's account credentials. The malware, once installed on the victim's system, would have been able to recover passwords and authentication cookies from local browsers.

Furthermore, one attacker was also able to bypass two-factor authentication (2FA) by redirecting the victim to a spoofed Google login page that harvested both passwords and SMS codes and then checked the validity of both in real time.

The research team also found that hackers who learned they'd have to bypass 2FA usually doubled their prices.

Researchers also observed that prices for hacking Gmail accounts increased across the years, going from $125/account in 2017 to around $400 today. They attributed this rise in pricing to Google improving account security measures.

"As a whole, however, we find that the commercialized account hijacking ecosystem is far from mature," the research team said. "We frequently encountered poor customer service, slow responses, and inaccurate advertisements for pricing.

"Further, the current techniques for bypassing 2FA can be mitigated with the adoption of U2F security keys," they added.
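Why a security key stops the real-time relay described above while an SMS code does not, as an added example that is not from the article or the white paper: a simplified U2F-style check in Node.js in which the origin reported by the browser is part of what the key signs. The origins, the SMS code and the function names are constructed for illustration, and signing the client data directly is a simplification of the real U2F message format.

```javascript
const crypto = require('crypto');

const RP_ORIGIN = 'https://accounts.example.com';           // constructed: the real login origin
const PHISH_ORIGIN = 'https://accounts.example-login.test'; // constructed: a spoofed login page

// Registration: the security key keeps the private key, the server stores the public key.
const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });

// Browser + security key: the browser (not the page) records the origin it is actually on,
// and the key signs that record together with the server's challenge.
function keySign(challenge, browserOrigin) {
  const clientData = JSON.stringify({ challenge, origin: browserOrigin });
  return { clientData, signature: crypto.sign('sha256', Buffer.from(clientData), privateKey) };
}

// Server: the assertion must match this session's challenge, name our origin, and verify.
function verifyAssertion({ clientData, signature }, expectedChallenge) {
  const { challenge, origin } = JSON.parse(clientData);
  if (challenge !== expectedChallenge) return 'reject: challenge mismatch';
  if (origin !== RP_ORIGIN) return 'reject: origin mismatch';
  const ok = crypto.verify('sha256', Buffer.from(clientData), publicKey, signature);
  return ok ? 'accept' : 'reject: bad signature';
}

// Server: an SMS code is only a shared value; nothing ties it to where it was typed.
function verifySmsCode(submitted, expected) {
  const a = Buffer.from(submitted), b = Buffer.from(expected);
  return a.length === b.length && crypto.timingSafeEqual(a, b) ? 'accept' : 'reject: wrong code';
}

function demo() {
  const challenge = crypto.randomBytes(16).toString('hex');
  const smsCode = '493817'; // constructed sample code
  const viaPhish = keySign(challenge, PHISH_ORIGIN); // victim is on the spoofed page
  // If the origin field is rewritten before forwarding, the signature no longer matches.
  const tampered = { ...viaPhish, clientData: viaPhish.clientData.replace(PHISH_ORIGIN, RP_ORIGIN) };
  return {
    smsRelayed: verifySmsCode(smsCode, smsCode), // code forwarded unchanged in real time
    keyDirect: verifyAssertion(keySign(challenge, RP_ORIGIN), challenge),
    keyRelayed: verifyAssertion(viaPhish, challenge),
    keyTampered: verifyAssertion(tampered, challenge),
  };
}

console.log(demo());
```

The forwarded SMS code is accepted because the server can only compare values, while the key's assertion is rejected whether the spoofed origin is left in place or rewritten.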

Ignoring the scam sites, researchers said they didn't view hacker-for-hire services as a danger for user accounts. This is due to the high prices for hacking each account, but also due to the low quality of service they provide.

More details about this research can be found in a white paper named "Hack for Hire: Exploring the Emerging Market for Account Hijacking."

Last week, Google also published another piece of research showing that adding a recovery phone number to Google accounts greatly diminishes the efficiency of automated hijack attempts.