Phishing is a greater threat to users than keyloggers and third-party breaches, a research group found.
Researchers hunted through private and public forums, paste sites, and search index sites for one year and identified 788,000 potential victims of keyloggers; 12.4 million potential victims of phishing kits; and 1.9 billion usernames and passwords exposed via data breaches.
The group included researchers from Google, University of California, Berkeley, and the International Computer Science Institute.
Using this dataset, they explored to what degree the passwords stolen from various online services enable an attacker to obtain a victim’s valid email credentials and gain access to their accounts.
Because Google researchers were involved in the research, the group could check whether the stolen credentials could be used to access Google accounts without actually accessing them.
They found 7 percent of victims in third-party data breaches have their current Google password exposed, compared to 12 percent of keylogger victims and 25 percent of phishing victims.
“Hijackers also have varying success at emulating the historical login behavior and device profile of targeted accounts. We find victims of phishing are 400x more likely to be successfully hijacked compared to a random Google user. In comparison, this rate falls to 10x for data breach victims and roughly 40x for keylogger victims,” researchers said in a post.
The reason is that phishing kits also actively steal additional authentication factors that can be used to impersonate the victim and bypass protections put in place by email (and other online service) providers.
Researchers also found:
• Credential leaks and phishing largely affect victims in the U.S. and Europe
• The most popular phishing kit — a website emulating Gmail, Yahoo, and Hotmail logins — was used by 2,599 attackers to steal 1.4 million credentials
• The most popular keylogger — HawkEye — was used by 470 attackers to generate 409,000 reports of user activity on infected devices
Google forced a password reset for users whose credentials were found exposed. They were also able to draw some conclusions from their users' account recovery efforts.
“Roughly 70.5 percent of hijacked users successfully pass these challenges to recover their account. A median user takes 168 days to re-secure their account. This long delay arrives in part from users being unaware they are hijacked, and Google lacking an alternate notification mechanism in the absence of a recovery phone or recovery email,” the researchers said. “Our results suggest there is a significant gap in educating users about how to protect their accounts from further risk.”