Research carried out by Google engineers and academics from the University of California, Berkeley and the International Computer Science Institute has revealed that phishing attacks pose a more significant threat of users losing access to their Google accounts than keyloggers or password reuse.
Researchers reached these results after studying and analyzing data from multiple black markets peddling access to user accounts and user credentials. The study examined data advertised on these black markets between March 2016 and March 2017.
The research team says it found over 788,000 credentials stolen via keyloggers, 12.4 million credentials stolen via phishing, and 1.9 billion credentials exposed by third-party breaches.
Of all the records researchers found exposed via breaches at other services, they said 12% were for accounts registered with Gmail addresses.
For 7% of these accounts registered with Gmail addresses, the user had also reused their Google password at the other account, putting both in danger.
Despite this finding, Google said that data sold by hackers who claimed they obtained it via phishing kits and keyloggers contained many more valid passwords.
Depending on the type of phishing kit or keylogger the crook had used, these datasets contained between 12% and 25% valid Google passwords.
Google also said it used the results of this study to reset passwords for affected accounts.
"By ranking the relative risk to users, we found that phishing posed the greatest threat, followed by keyloggers, and finally third-party breaches," Google researchers said.
"We find victims of phishing are 400x more likely to be successfully hijacked compared to a random Google user. In comparison, this rate falls to 10x for data breach victims and roughly 40x for keylogger victims," the research team added.
Researchers also spotted a rising trend among keyloggers and phishing kits, which now log IP addresses and other geolocation data in an attempt to fool geo-based protection filters, while other, more complex attack kits also log phone numbers and user-agent string data.
A summary of the study's more important findings is below:
The research team presented their study at the Conference on Computer and Communications Security (CCS). Their work is entitled "Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials," and is available for download as a PDF.