[BreachExchange] Phishing is a greater threat to users than keyloggers and third-party breaches

Audrey McNeil audrey at riskbasedsecurity.com
Fri Nov 10 20:15:04 EST 2017


https://www.helpnetsecurity.com/2017/11/10/account-hijacking-threats/

When it comes to losing access to their accounts, phishing is a greater
threat to users than keyloggers and third-party breaches, researchers have
found.

How many valid credentials?

The group, which includes researchers from Google, University of
California, Berkeley, and the International Computer Science Institute,
scoured private and public forums, paste sites, and search index sites from
March 2016 to March 2017, and identified 788,000 potential victims of
keyloggers; 12.4 million potential victims of phishing kits; and 1.9
billion usernames and passwords exposed via data breaches.

Using this dataset, they explored to what degree the passwords stolen from
various online services enable an attacker to obtain a victim’s valid email
credentials and, therefore, to gain access to and hijack their accounts.

Because Google researchers were involved, the group was able to verify
whether the stolen credentials were valid for Google accounts without
actually logging into those accounts.

They found that 7% of victims in third-party data breaches have their
current Google password exposed, compared to 12% of keylogger victims and
25% of phishing victims.

“Hijackers also have varying success at emulating the historical login
behavior and device profile of targeted accounts. We find victims of
phishing are 400x more likely to be successfully hijacked compared to a
random Google user. In comparison, this rate falls to 10x for data breach
victims and roughly 40x for keylogger victims. Keyloggers fall in between
these extremes, with an odds ratio of roughly 40x,” the researchers noted.

The reason for this is that phishing kits also actively steal additional
authentication factors (secret questions, phone number, device-related
information, geolocation data) that can be used to impersonate the victim
and bypass protections put in place by email (and other online service)
providers.

Other revelations from the research

The researchers found that:

- Credential leaks and phishing largely affect victims in the US and
Europe, while keyloggers disproportionately affect victims in Turkey, the
Philippines, Malaysia, Thailand, and Iran.
- The most popular phishing kit—a website emulating Gmail, Yahoo, and
Hotmail logins—was used by 2,599 blackhat actors to steal 1.4 million
credentials
- The most popular keylogger—HawkEye—was used by 470 blackhat actors to
generate 409,000 reports of user activity on infected devices.
- Operators of both phishing kits and keyloggers concentrate in Nigeria,
followed by other nations in Africa and South-East Asia.

Google forced a password reset for users whose credentials were found
exposed, and the researchers were also able to draw conclusions from those
users' subsequent account recovery efforts.

“Roughly 70.5% of hijacked users successfully pass these challenges to
recover their account. A median user takes 168 days to re-secure their
account. This long delay arrives in part from users being unaware they are
hijacked, and Google lacking an alternate notification mechanism in the
absence of a recovery phone or recovery email,” the researchers noted.

“For those users that do successfully recover from a hijacking incident, we
examine what fraction change their security posture post-recovery. We find
only limited evidence of improving account security: roughly 3.1% of users
enable second-factor authentication. Our results suggest there is a
significant gap in educating users about how to protect their accounts from
further risk.”