We all have digital enemies in common -- phishing, keylogging and third-party breaches -- that threaten our online credentials. But exactly how do hijackers pilfer our email and social account information to trade on black markets?
After all, some 15 percent of Internet users have been victimized by a hijack, according to Google, based on data compiled in a new year-long study executed jointly with the University of California, Berkeley. Google presented the findings at the recent ACM Conference on Computer and Communications Security.
One of its goals, the company said, was to find new and better ways to safeguard its users’ confidential information before attackers could exploit it. The other was to share the study's data with other online services for the greater good. Along the way, using its own 67 million accounts as a case study, Google tracked several black markets in which third-party passwords changed hands, along with 25,000 blackhat tools used for phishing and keylogging.
The takeaway? Ranking the relative risk to users, phishing is, by far, the most potent threat to online safety, followed by keyloggers and third-party hackers. Actually, it’s not even close. Google found 788,000 credentials pilfered by keylogging, 12.4 million potential victims of phishing kits, and 3.3 billion accounts exposed in third-party breaches and traded on black market forums. Taken together, phishing and third-party leaks dwarf keyloggers.
To what degree do stolen passwords enable an attacker to obtain a victim's valid email credentials? In 12 percent of the records exposed in third-party breaches, a Gmail address was used as the username, and 7 percent of those passwords were reused for other services. With phishing and keylogging, between 12 percent and 25 percent of attacks yielded a valid password.
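The two breach figures above come from matching a dump against a provider's own account store: how many usernames belong to the provider's domain, and how many of those passwords still verify against the stored hash. The following Python is an added illustration of that check from the defender's side, not code from the study or from Google; the breach records, account store, PBKDF2 parameters and the `analyse_breach` and `accounts_to_reset` names are all constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Constructed sample "breach dump" of (username, plaintext password) pairs
# of the kind traded on black market forums. All values are fictional.
BREACH_RECORDS: List[Tuple[str, str]] = [
    ("alice@gmail.com", "hunter2"),
    ("bob@gmail.com", "correct horse"),
    ("carol@example.org", "qwerty"),
    ("dave@gmail.com", "letmein"),
    ("erin@example.net", "passw0rd"),
]


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-user salt (constructed parameters)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account_store(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Constructed stand-in for the provider's database: email -> (salt, hash).

    Only salted hashes are kept; the plaintext is discarded after hashing.
    """
    store: Dict[str, Tuple[bytes, bytes]] = {}
    for email, pw in users.items():
        salt = secrets.token_bytes(16)
        store[email.lower()] = (salt, hash_password(pw, salt))
    return store


# Constructed account store: alice and dave still use the leaked password,
# bob has since changed his, and the non-Gmail users are not customers here.
ACCOUNT_STORE = make_account_store({
    "alice@gmail.com": "hunter2",
    "bob@gmail.com": "a-new-password",
    "dave@gmail.com": "letmein",
})


def accounts_to_reset(records: List[Tuple[str, str]],
                      store: Dict[str, Tuple[bytes, bytes]],
                      domain: str = "gmail.com") -> List[str]:
    """Return the provider's accounts whose leaked password still verifies.

    A match means the user reused the breached password, so the defender can
    force a reset or step-up verification before a hijacker tries it.
    """
    hits = []
    for username, leaked_pw in records:
        email = username.lower()
        if not email.endswith("@" + domain):
            continue
        entry = store.get(email)
        if entry is None:
            continue
        salt, stored_hash = entry
        # Constant-time comparison so the check itself leaks no timing signal.
        if hmac.compare_digest(hash_password(leaked_pw, salt), stored_hash):
            hits.append(email)
    return hits


def analyse_breach(records: List[Tuple[str, str]],
                   store: Dict[str, Tuple[bytes, bytes]],
                   domain: str = "gmail.com") -> Tuple[int, int, float]:
    """Return (records with a domain username, reused passwords, reuse rate).

    These are the two quantities the study reports: the share of records whose
    username is an address at `domain`, and the share of those whose password
    is still valid for the provider.
    """
    domain_count = sum(1 for u, _ in records if u.lower().endswith("@" + domain))
    reused = len(accounts_to_reset(records, store, domain))
    rate = reused / domain_count if domain_count else 0.0
    return domain_count, reused, rate


if __name__ == "__main__":
    total, reused, rate = analyse_breach(BREACH_RECORDS, ACCOUNT_STORE)
    print(f"{total} of {len(BREACH_RECORDS)} records use a gmail.com username")
    print(f"{reused} of those passwords still verify ({rate:.0%} reuse)")
    print("force reset:", accounts_to_reset(BREACH_RECORDS, ACCOUNT_STORE))
```

The point of the design is that the dump is checked against the provider's existing salted hashes, so no plaintext password is ever stored on the defender's side; the only output is the list of accounts that need a forced reset or additional verification.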
“Because a password alone is rarely sufficient for gaining access to a Google account, increasingly sophisticated attackers also try to collect sensitive data that we may request when verifying an account holder’s identity,” wrote Google anti-abuse researcher Kurt Thomas and account security specialist Angelika Moscicki, in a blog post.
A total of 82 percent of blackhat phishing tools and 74 percent of keyloggers attempted to collect a user’s IP address and location, while another 18 percent of tools collected phone numbers and device make and model, they said.
The study’s findings are “clear,” Thomas and Moscicki said. As hackers become more sophisticated and persistent, so must defenders. “Enterprising hijackers are constantly searching for, and are able to find, billions of different platforms’ usernames and passwords on black markets,” the researchers wrote. “While we have already applied these insights to our existing protections, our findings are yet another reminder that we must continuously evolve our defenses in order to stay ahead of these bad actors and keep users safe.”
As for Google, the company said it will continue to rely on a layered approach to security covering prevention, detection and mitigation “to keep your account safe.”