When it comes to losing access to their accounts, phishing is a greater threat to users than keyloggers or third-party data breaches, researchers have found.
How many valid credentials?
The group, which includes researchers from Google, University of California, Berkeley, and the International Computer Science Institute, scoured private and public forums, paste sites, and search index sites from March 2016 to March 2017, and identified 788,000 potential victims of keyloggers; 12.4 million potential victims of phishing kits; and 1.9 billion usernames and passwords exposed via data breaches.
Using this dataset, they explored to what degree the passwords stolen from various online services enable an attacker to obtain a victim’s valid email credentials and, therefore, to gain access to and hijack their accounts.
Because Google researchers were part of the group, they were able to check whether the stolen credentials would still unlock Google accounts, without actually logging in to any of them.
They found that 7% of victims in third-party data breaches have their current Google password exposed, compared to 12% of keylogger victims and 25% of phishing victims.
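The check behind these percentages is, in principle, simple: match each leaked (email, password) pair against the provider's own password store, using the store's hash function, and count how often the leaked password is the current one. The example below is an added illustration, not code from the article or from the paper, and it does not claim to reproduce Google's internal matching; the dump, the accounts, the PBKDF2 store and all function names are constructed for the demonstration. It also groups results by leak source (breach, phishing kit, keylogger) and returns the set of accounts whose current password is exposed, which is the list a provider would hand to a forced-reset job.

```python
"""Added example (not from the article or the paper): matching a
credential dump against a password store without logging in.

Everything here is constructed: the sample accounts, the dump, the
hash parameters and the function names. A real store would use a slow
hash (bcrypt/scrypt/Argon2); PBKDF2-SHA256 keeps the example
dependency-free.
"""
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 50_000  # deliberately low for a runnable demo


def normalize_email(email: str) -> str:
    """Dumps mix case, whitespace, dots and +tags; fold them the way
    the provider does so leaked rows line up with stored accounts."""
    local, _, domain = email.strip().lower().partition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_store(accounts):
    """Build a constructed 'current password store': email -> (salt, hash)."""
    store = {}
    for email, password in accounts:
        salt = os.urandom(16)
        store[normalize_email(email)] = (salt, hash_password(password, salt))
    return store


def password_matches(store, email: str, candidate: str) -> bool:
    """Compare a leaked candidate against the stored verifier; the
    candidate is hashed with the account's salt, the store is never
    'reversed' and no login is attempted."""
    entry = store.get(normalize_email(email))
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(hash_password(candidate, salt), stored)


def exposure_by_source(store, dump):
    """dump: iterable of (source, email, password) rows.

    Returns ({source: (victims_in_store, current_password_exposed)},
             set_of_accounts_to_reset).
    Victims are counted once per source even if a row repeats."""
    seen = defaultdict(set)      # source -> accounts present in the store
    exposed = defaultdict(set)   # source -> accounts whose current password leaked
    for source, email, password in dump:
        key = normalize_email(email)
        if key not in store:
            continue                      # not our user; nothing to check
        seen[source].add(key)
        if password_matches(store, email, password):
            exposed[source].add(key)
    stats = {s: (len(seen[s]), len(exposed[s])) for s in seen}
    reset = set().union(*exposed.values()) if exposed else set()
    return stats, reset


# Constructed sample data (hypothetical users and passwords).
ACCOUNTS = [
    ("alice@gmail.com", "correct horse"),
    ("bob@example.org", "Tr0ub4dor&3"),
    ("carol@gmail.com", "hunter2"),
    ("dave@example.org", "letmein"),
]
DUMP = [
    ("breach", "Alice@gmail.com", "oldpassword1"),    # stale: not her current password
    ("breach", "bob@example.org", "Tr0ub4dor&3"),     # reused: current password exposed
    ("breach", "nobody@example.net", "x"),            # not a customer
    ("phish", "c.arol+promo@gmail.com", "hunter2"),   # aliased address, current password
    ("keylog", "dave@example.org", "letmein"),        # keylogged current password
    ("keylog", "alice@gmail.com", "wrong"),           # mistyped / other site
]

if __name__ == "__main__":
    store = make_store(ACCOUNTS)
    stats, reset = exposure_by_source(store, DUMP)
    for source, (victims, hit) in sorted(stats.items()):
        print(f"{source:7s} victims={victims} current-password-exposed={hit}")
    print("force reset:", sorted(reset))
```

Two caveats a practitioner would keep in mind: every candidate costs one slow-hash evaluation, so a dump the size of the one in the study (1.9 billion rows) has to be pre-filtered to accounts that actually exist before hashing, and the percentages only mean something if the email normalization matches the provider's own rules, otherwise stale aliases silently deflate the hit rate.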
“Hijackers also have varying success at emulating the historical login behavior and device profile of targeted accounts. We find victims of phishing are 400x more likely to be successfully hijacked compared to a random Google user. In comparison, this rate falls to 10x for data breach victims and roughly 40x for keylogger victims. Keyloggers fall in between these extremes, with an odds ratio of roughly 40x,” the researchers noted.
The reason is that phishing kits also actively harvest secondary authentication signals (secret questions, phone numbers, device and browser details, IP geolocation) that let an attacker imitate the victim's usual login profile and so bypass the risk-based login protections put in place by email (and other online service) providers.
Other revelations from the research
The researchers found that:
- Credential leaks and phishing largely affect victims in the US and Europe, while keyloggers disproportionately affect victims in Turkey, the Philippines, Malaysia, Thailand, and Iran.
- The most popular phishing kit—a website emulating Gmail, Yahoo, and Hotmail logins—was used by 2,599 blackhat actors to steal 1.4 million credentials.
- The most popular keylogger—HawkEye—was used by 470 blackhat actors to generate 409,000 reports of user activity on infected devices.
- Operators of both phishing kits and keyloggers concentrate in Nigeria, followed by other nations in Africa and South-East Asia.
Google forced a password reset for every user whose current credentials were found exposed. The researchers were also able to draw some conclusions from how those users then went about recovering their accounts.
“Roughly 70.5% of hijacked users successfully pass these challenges to recover their account. A median user takes 168 days to re-secure their account. This long delay arrives in part from users being unaware they are hijacked, and Google lacking an alternate notification mechanism in the absence of a recovery phone or recovery email,” the researchers noted.
“For those users that do successfully recover from a hijacking incident, we examine what fraction change their security posture post-recovery. We find only limited evidence of improving account security: roughly 3.1% of users enable second-factor authentication. Our results suggest there is a significant gap in educating users about how to protect their accounts from further risk.”