[BreachExchange] Big Breaches Are Bad; Phishing and Keyloggers May Be Worse

Audrey McNeil audrey at riskbasedsecurity.com
Mon Nov 13 19:52:06 EST 2017


https://www.databreachtoday.com/big-breaches-are-bad-phishing-keyloggers-may-be-worse-a-10450


Massive data breaches at big businesses, such as Yahoo, LinkedIn and Adobe,
have raised business awareness that criminals may attempt to seize their
users' accounts. But users' widespread reuse of login credentials, plus a
general lack of basic defenses by so many businesses, continue to leave the
public at risk.

A new study suggests that massive data breaches, which appear to be
somewhat rare, do not necessarily pose the biggest risk to organizations.
Instead, organizations are being felled by pedestrian schemes - think
phishing and keyloggers - and tactics that have remained unchanged since
the mid-2000s.

"Our results illustrate that credential theft is a multi-pronged problem,"
write researchers from Google, the University of California Berkeley and
the International Computer Science Institute in a research paper. "Even
absent the relatively rare data breaches that exposed hundreds of millions
of credentials in a single incident, there are still hundreds of thousands
of users that fall victim to phishing and keyloggers every week - and that
only conveys what we detect."

Phishing and spoofing - the creation of fraudulent, look-alike web pages
that are convincing enough to trick people into divulging login credentials
- were core to the suspected Russian campaign to disrupt last year's U.S.
presidential election. Email accounts for key Democratic political figures
were compromised, fueling a steady stream of distracting leaks (see DNC
Breach More Severe Than First Believed).

Even if people realize they've been compromised, however, many rarely take
action to improve their defenses. "Our own results indicated that less than
3.1 percent who fall victim to hijacking subsequently enable any form of
two-factor authentication after recovering their account," the researchers
write in their paper.

Problem: Recycled Login Credentials

The researchers say their study is the first longitudinal measurement of
how successful the acquisition of recycled login credentials is in taking
over someone's Gmail account.

Google's search crawler was used to monitor five public blackhat subforums
where stolen credentials are traded, plus 115 paste sites. Researchers also
looked at the capabilities of more than 10,000 phishing kits and more than
15,000 keylogger binaries.

From March 2016 through March of this year, researchers identified
potential credential-theft victims and found 1.9 billion usernames and
passwords on the underground forums that resulted from data breaches.
Phishing kits potentially compromised 12.4 million victims, and
off-the-shelf keyloggers hit as many as 788,000 people, the study shows.

Whether an attacker used a keylogger or a phishing kit made a dramatic
difference to how likely it was that a Gmail account could be compromised.

"We find that victims of phishing are 400 times more likely to be
successfully hijacked compared to a random Google user," the researchers
write. "In comparison, this rate falls to 10 times for data breach victims
and roughly 40 times for keylogger victims."

Unlike keyloggers, phishing kits collect a range of other useful
information that helps defeat systems designed to detect suspicious login
attempts. Some 83 percent of phishing kits collect geolocation information,
which is often a strong indicator someone is trying to illegally access an
account, the study shows.

Eighteen percent of phishing kits collect a phone number, while 16 percent
collect user-agent data, which comprises various parameters encompassing
the operating system in use, versions of software and web browser details,
according to the study. That enables attackers to attempt to more closely
mimic someone when trying to access an account.
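The paragraphs above describe why phishing kits harvest geolocation and user-agent data: a risk engine that keys on those signals alone can be fooled by an attacker who replays them. The following is an added illustration, not code from the article or from the Google/Berkeley study, of a minimal risk-based login check. It assumes a per-account history of countries, user-agent families and device cookies issued after earlier successful logins (all constructed here), and shows that harvested country and user-agent values lower the score but that a device cookie, which a look-alike page on another origin never sees, still forces a step-up to a second factor.

```python
from dataclasses import dataclass
from typing import Optional, Set


@dataclass
class AccountHistory:
    """Signals remembered from the account's previous successful logins (constructed)."""
    countries: Set[str]
    user_agents: Set[str]
    known_devices: Set[str]  # device-binding cookies issued after a successful login


@dataclass
class LoginAttempt:
    country: str
    user_agent: str
    device_cookie: Optional[str]
    password_ok: bool


def risk_score(history: AccountHistory, attempt: LoginAttempt) -> int:
    """Add risk for each signal that does not match the account's history."""
    score = 0
    if attempt.country not in history.countries:
        score += 40
    if attempt.user_agent not in history.user_agents:
        score += 20
    # A phishing page on a different origin cannot read this cookie, so its
    # absence is the one signal an attacker with harvested geo/UA data cannot fake.
    if attempt.device_cookie not in history.known_devices:
        score += 50
    return score


def decide(history: AccountHistory, attempt: LoginAttempt, step_up_threshold: int = 30) -> str:
    """Return 'deny', 'step_up' (require a second factor) or 'allow'."""
    if not attempt.password_ok:
        return "deny"
    if risk_score(history, attempt) >= step_up_threshold:
        return "step_up"
    return "allow"


# Constructed sample account and attempts (hypothetical values).
HISTORY = AccountHistory(
    countries={"US"},
    user_agents={"Chrome/Windows"},
    known_devices={"dev-cookie-7f3a"},
)

OWNER_LOGIN = LoginAttempt("US", "Chrome/Windows", "dev-cookie-7f3a", password_ok=True)
# Attacker replaying the victim's country and user agent harvested by a phishing kit.
REPLAYED_SIGNALS = LoginAttempt("US", "Chrome/Windows", None, password_ok=True)
# Attacker with the password only, logging in from elsewhere.
FOREIGN_LOGIN = LoginAttempt("RU", "Firefox/Linux", None, password_ok=True)
WRONG_PASSWORD = LoginAttempt("US", "Chrome/Windows", "dev-cookie-7f3a", password_ok=False)


if __name__ == "__main__":
    for name, attempt in [("owner", OWNER_LOGIN), ("replayed", REPLAYED_SIGNALS),
                          ("foreign", FOREIGN_LOGIN), ("wrong-pw", WRONG_PASSWORD)]:
        print(f"{name:9s} score={risk_score(HISTORY, attempt):3d} -> {decide(HISTORY, attempt)}")
```

The weights and threshold are illustrative; the design point is that any signal the user's own browser sends to a login form is a signal a phishing kit can also collect and replay, so the step-up decision should rest on something the attacker cannot obtain from the phished page.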

Amazingly, keyloggers and phishing kits haven't changed much over the past
decade. Many phishing kits, for example, for years have used the same PHP
framework and reporting mechanisms for transmitting stolen credentials to
attackers.

"We observe a remarkable lack of external pressure on bad actors, with
phishing kit playbooks and keylogger capabilities remaining largely
unchanged since the mid-2000s," the researchers write.

Use TFA and a Password Manager

The findings add hard data to confirm what was already largely known:
Password reuse fuels successful credential theft schemes and puts users at
great risk. Of all of the passwords the researchers collected, 7 percent to
25 percent could unlock a Gmail account.
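The reuse figure above comes from matching leaked credentials against live accounts. The following is an added example, not the article's or the study's code, of how a service can run that same check on its own side when a breach dump surfaces: verify each leaked email/password pair against the stored salted hash and flag the accounts that must be reset. The account store and the dump are constructed here; passwords are hashed with PBKDF2-HMAC-SHA256 and compared in constant time.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

ITERATIONS = 10_000  # kept low for the example; production stores use far more


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_account_store(credentials: List[Tuple[str, str]]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build a salted-hash store keyed by lower-cased email (constructed sample data)."""
    store = {}
    for email, password in credentials:
        salt = os.urandom(16)
        store[email.lower()] = (salt, hash_password(password, salt))
    return store


def find_reused(store: Dict[str, Tuple[bytes, bytes]], dump: List[Tuple[str, str]]) -> List[str]:
    """Return the emails whose leaked password still verifies against the live store."""
    reused = []
    for email, leaked_password in dump:
        record = store.get(email.lower())
        if record is None:
            continue  # not one of our users
        salt, digest = record
        if hmac.compare_digest(hash_password(leaked_password, salt), digest):
            reused.append(email.lower())
    return reused


def reuse_rate(store: Dict[str, Tuple[bytes, bytes]], dump: List[Tuple[str, str]]) -> float:
    """Fraction of dump entries belonging to our users whose password was reused."""
    ours = [e for e, _ in dump if e.lower() in store]
    if not ours:
        return 0.0
    return len(find_reused(store, dump)) / len(ours)


# Constructed data: four accounts on this service and a hypothetical third-party dump.
STORE = make_account_store([
    ("alice@example.com", "Winter2016!"),
    ("bob@example.com", "correct horse battery"),
    ("carol@example.com", "hunter2"),
    ("dave@example.com", "s3cret-unique"),
])
DUMP = [
    ("alice@example.com", "Winter2016!"),   # reused: same password on both sites
    ("Bob@example.com", "bob123"),          # our user, but a different password
    ("carol@example.com", "hunter2"),       # reused
    ("eve@other.net", "letmein"),           # not our user
]


if __name__ == "__main__":
    print("force reset for:", find_reused(STORE, DUMP))
    print(f"reuse rate among our users in dump: {reuse_rate(STORE, DUMP):.0%}")
```

The loop costs one PBKDF2 derivation per dump entry that maps to a local account, so on a large dump it should run as a batch job; the output is the list of accounts to lock or force through a password reset, which is the action the study's authors took for matched Google accounts.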

Hardened defenses, including "unphishable" two-factor authentication, are
the key to prevention.

Many two-factor authentication methods, however, still transmit a
time-sensitive login code over SMS. But the U.S. National Institute of
Standards and Technology has urged organizations to move away from using
these one-time tokens, because an attacker could compromise someone's
mobile number and intercept it (see I Hope That No One Gets My (SMS)
Message in a Bottle).

Although two-factor codes are still at risk of being intercepted by
malware, "our results suggest that the threat posed by credential leaks and
phishing is orders of magnitude larger than keyloggers at present," the
researchers say.

Password managers are another good solution, but haven't gained mass
adoption.

"User education remains a major initiative for enhancing account security,"
the researchers write.