Phishing warning

Research carried out by Google engineers and academics from the University of California, Berkeley and the International Computer Science Institute has revealed that phishing attacks pose a more significant threat to users losing access to their Google accounts when compared to keyloggers or password reuse.

Researchers reached these results after studying and analyzing data from multiple black markets peddling access to user accounts and user credentials. The study examined data advertised on these black markets between March 2016 and March 2017.

The research team says it found over 788,000 credentials stolen via keyloggers, 12.4 million credentials stolen via phishing, and 1.9 billion credentials exposed by third-party breaches.

Google used data to reset passwords for vulnerable accounts

From all the data researchers collected, they said that 12% of all records they found exposed via breaches at other services were for accounts registered via Gmail addresses.

For 7% of these accounts registered with Gmail addresses, the user had also reused his Google password at the other account, putting both in danger.

Despite this finding, Google said that data sold by hackers who claimed they obtained it via phishing kits and keyloggers contained many more valid passwords.

Depending on the type of phishing kit or keylogger the crook had used, these datasets contained between 12% and 25% valid Google passwords.

Google also said it used the results of this study to reset passwords for affected accounts.

Google ranks phishing as top threat

"By ranking the relative risk to users, we found that phishing posed the greatest threat, followed by keyloggers, and finally third-party breaches," Google researchers said.

"We find victims of phishing are 400x more likely to be successfully hijacked compared to a random Google user. In comparison, this rate falls to 10x for data breach victims and roughly 40x for keylogger victims," the research team added.

In addition, researchers also spotted a rising trend in keyloggers and phishing kits, which are now logging IP addresses and other geolocation data in an attempt to fool geo-based protection filters, while other more complex attack kits also log phone numbers and user-agent string data.

A summary of the study's more important findings is below:

✤ Researchers found that 4,069 distinct phishing kits and 52 keyloggers were responsible for the active attacks in the year-long monitoring sample.
✤ The most popular phishing kit—a website emulating Gmail, Yahoo, and Hotmail logins—was used by 2,599 blackhat actors to steal 1.4 million credentials.
✤ The most popular keylogger—HawkEye—was used by 470 blackhat actors to generate 409,000 reports of user activity on infected devices.
✤ Operators of both phishing kits and keyloggers concentrate in Nigeria, followed by other nations in Africa and South-East Asia.
✤ Researchers collected the bulk of the data from private forums, but they also found data on public forums, paste sites, and search index sites.
✤ Plaintext passwords were found in the leaks, or password hashes were computed back to plaintext format. The top 5 passwords were 123456, password, 123456789, abc123, and password1.
✤ Top brands targeted by phishing kits are Yahoo, Hotmail, and Gmail.

The research team presented their study at the Conference on Computer and Communications Security (CCS). Their work is entitled "Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials," and is available for download as a PDF from here or here.