A study by Google found that phishing attacks through fake emails were as effective as data breaches that exposed usernames and passwords.
Cyber criminals or cyber groups manage to steal over 25,000 valid sets of web credentials for Gmail accounts every week, painting a picture of the extent this problem has reached.
Hackers are constantly searching for, and are able to obtain, millions of usernames and passwords for different platforms on dark web marketplaces.
The study was the result of a team effort with the University of California at Berkeley and the International Computer Science Institute.
The study focused on discovering the most common way in which user accounts get hacked. It also emphasized the numerous hacking techniques available and which of them was the biggest threat to web users.
“We find that the risk of a full email takeover depends significantly on how attackers first acquire a victim’s (reused) credentials,” the researchers stated.
A 12-month investigation of login and account data found on websites and criminal forums (or harvested by hacking tools) observed more than 12 million instances of account theft resulting from phishing attacks.
The results showed that hackers were more likely to break into accounts using credentials obtained by phishing.
In addition, 788,000 sets were stolen via keylogging software. The success rates of phishing campaigns and keyloggers were comparable, with each having between 12% and 25% of credential pairs with a valid password.
“In total, these sources helped us identify 788,000 credentials stolen by keyloggers, 12 million credentials stolen via phishing, and 3.3 billion credentials exposed by third-party breaches,” Google stated in a blog post on Friday.
Phishing attacks are so far the biggest threat to web users, as they are the key to hackers obtaining nearly 234,000 valid names and passwords every week.
There was a clear distinction here: keyloggers, on the other hand, averaged only 15,000 valid credentials every week.
Information about a person’s IP address, alongside the device used to access the web and their physical location, would come in handy for hackers seeking to break security checks. The credentials which were breached or stolen also had data on the victims.
The most popular passwords found in data breaches are “123456”, “password”, “123456789”, “111111”, and “qwerty”, which topped the list, followed by “abc123” and “password1.”
According to the research, obtaining this IP address and device data was very difficult: only 3.8% of people whose credentials were leaked also gave out their IP addresses, and less than 0.001% had surrendered their detailed device information.
Over 15% of internet users have reported being victims of a takeover of their email or social media accounts.
Speaking on this issue, Kurt Thomas of the Anti-Abuse Research team and Angelika Moscicki of the Account Security team at Google stated: “From March 2016 to March 2017, we analyzed several black markets to see how hijackers steal passwords and sensitive data.”
Google then compared the situation to its existing protections and the 67 million Google accounts that were secured before they were abused.
“While our study focused on Google, these password stealing tactics pose a risk to all account-based online services. In the case of third-party data breaches, 12 percent of the exposed records included a Gmail address serving as a username and a password,” the blog post stated.
The research has also revealed that a well-orchestrated phishing scheme can be as successful as dedicated software programmed to actively steal passwords. Cybercriminals are now opting for simpler techniques rather than the complexity of managing keylogging.
Lisa Baergen, director at NuData Security, stated that the study’s results raise concerns about the need for employer policies that disallow employees’ use of off-duty passwords for corporate email accounts and, likewise, the use of workplace emails as secondary verification for personal accounts.
“Cybercrime isn’t ‘loners in the basement’ anymore – it’s highly organized, well-resourced, and technologically advanced,” Baergen stated.
She continued: “The news of ongoing, massive-scale theft of Gmail credentials should be a wake-up call that it’s time to fundamentally re-think authentication, and incorporate continuous validation techniques data that can’t be mimicked, such as passive biometrics.”
Google also stated that this should be a precautionary measure and that web users should be adequately educated.
“We are now using these insights to improve our login defenses for all users,” Google stated in the study. “Our findings illustrate the global reach of the underground economy surrounding credential theft and the need to educate users about password managers and unphishable two-factor authentication as a potential solution.”