[BreachExchange] Why you should fear phishing more than data breaches

Audrey McNeil audrey at riskbasedsecurity.com
Mon Nov 13 19:51:50 EST 2017


https://www.csoonline.com/article/3236871/security/why-you-should-fear-phishing-more-than-data-breaches.html

For some people, Google controls most of their identity online, and losing
access to that critical account could be devastating. A recent study from
Google and UC Berkeley examined the various ways accounts are compromised,
and determined that phishing attacks – not data breaches – pose the most
risk to users when it comes to lost access.

Google's study lasted a year, from March 2016 until March 2017, and looked
to better understand how attackers take over accounts. While phishing,
keylogging, and data breaches impact everyone, Google focused on themselves
as the case study.

"What we learned from the research proved to be immediately useful," two of
the study's authors, Kurt Thomas and Angelika Moscicki, explained. In fact,
the data helped secure some 67 million Google accounts before they could be
abused.

Google's study includes data taken from 25,000 malicious tools used for
phishing and keylogging, which enabled the researchers to identify 788,000
compromised credentials due to keyloggers; 12 million credentials
compromised via phishing; and 3.3 billion credentials exposed due to data
breaches.

Google said the majority of those using phishing kits and keyloggers to
compromise credentials are concentrated in Nigeria, followed by the United
States, Morocco, South Africa, United Kingdom, and Malaysia.

That finding hits close to home. Recently, CSO has been tracking a number
of Office 365 phishing attacks, which use compromised accounts to further
their reach. Many of the attacks that landed in our inboxes can be sourced
back to Nigeria.

While some phishing kits are basic, they serve an essential function;
namely, they often lead users to believe there is a problem, and look just
convincing enough to fool someone into sharing their password and other
identifying information.

Some of the phishing kits observed by Google were collecting additional
details, including IP address, device make and model, phone numbers, and
location – things Google might request for ID verification.

Data collected by Google shows that 80 percent of all the phishing kits
observed targeted usernames, passwords, and geolocation; followed by phone
numbers and device details. A smaller subset of the phishing kits also
targeted secret questions, full names, credit card data, and Social
Security Numbers.

For this reason, Google explained, it was determined that phishing posed
the greatest threat, followed closely by keylogging.

Based on the data, Google said that only seven percent of the passwords
exposed by a data breach were still being used by their users, compared to
12 or 25 percent of the passwords exposed by phishing or keylogging.

As such, in the grand scheme of things, while having a large impact on
services where password reuse is common, data breaches ranked last.

During the study's timeline, Google determined that, unfortunately, most
users who fell victim to a phishing attack remained unaware that their
account was at risk. However, one upside to the data collected is that most
victims are only impacted once, as only two percent of those in the dataset
were successfully phished a second time.

Taking all of the data into account, Gmail, followed by Yahoo and Hotmail
respectively, were the top three domains for phishing and keylogging
victims. A majority of the phishing victims reside in the United States,
while the keylogging victims are mostly in Brazil and India.

Ranked in order, Google's study shows that Gmail, Yahoo, and Hotmail were
the top brands impersonated, followed by workspace email accounts, Dropbox,
Google Drive, DocuSign, ZoomInfo, Office 365, and AOL.

The study also makes note that while two-factor authentication would help
mitigate problems associated with phishing, there are serious hurdles to
wide adoption, including ease of use, recovery from loss, and getting
consumers to trust third parties.