Big Breaches Are Bad; Phishing and Keyloggers May Be WorseStudy: Every Week, Pedestrian Attacks Compromise Hundreds of Thousands of Credentials
Massive data breaches at big businesses, such as Yahoo, LinkedIn and Adobe, have raised business awareness that criminals may attempt to seize their users' accounts. But users' widespread reuse of login credentials, plus a general lack of basic defenses by so many businesses, continue to leave the public at risk.
A new study suggests that massive data breaches, which appear to be somewhat rare, do not necessarily pose the biggest risk to organizations. Instead, organizations are being felled by pedestrian schemes - think phishing and keyloggers - and tactics that have remained unchanged since the mid-2000s.
"Our results illustrate that credential theft is a multi-pronged problem," write researchers from Google, the University of California Berkeley and the International Computer Science Institute in a research paper. "Even absent the relatively rare data breaches that exposed hundreds of millions of credentials in a single incident, there are still hundreds of thousands of users that fall victim to phishing and keyloggers every week - and that only conveys what we detect."
Phishing and spoofing - the creation of fraudulent, look-alike web pages that are convincing enough to trick people into divulging login credentials - were core to the suspected Russian campaign to disrupt last year's U.S. presidential election. Email accounts for key Democratic political figures were compromised, fueling a steady stream of distracting leaks (see DNC Breach More Severe Than First Believed).
Even if people realize they've been compromised, however, many rarely take action to improve their defenses. "Our own results indicated that less than 3.1 percent who fall victim to hijacking subsequently enable any form of two-factor authentication after recovering their account," the researchers write in their paper.
Problem: Recycled Login Credentials
The researchers say their study is the first longitudinal measurement of how successful the acquisition of recycled login credentials is in taking over someone's Gmail account.
Google's search crawler was used to monitor five public blackhat subforums where stolen credentials are traded, plus 115 paste sites. Researchers also looked at the capabilities of more than 10,000 phishing kits and more than 15,000 keylogger binaries.
From March 2016 through March of this year, researchers identified potential credential-theft victims and found 1.9 billion usernames and passwords on the underground forums that resulted from data breaches. Phishing kits potentially compromised 12.4 million victims, and off-the-shelf keyloggers hit as many as 788,000 people, the study shows.
Whether an attacker used a keylogger or a phishing kit had a dramatic difference as to whether a Gmail account could be compromised.
"We find that victims of phishing are 400 times more likely to be successfully hijacked compared to a random Google user," the researchers write. "In comparison, this rate falls to 10 times for data breach victims and roughly 40 times for keylogger victims."
Unlike keyloggers, phishing kits collect a range of other useful information that helps defeat systems designed to detect suspicious login attempts. Some 83 percent of phishing kits collect geolocation information, which is often a strong indicator someone is trying to illegally access an account, the study shows.
Eighteen percent of phishing kits collect a phone number, while 16 percent collect user-agent data, which comprises various parameters encompassing the operating system in use, versions of software and web browser details, according to the study. That enables attackers to attempt to more closely mimic someone when trying to access an account.
Amazingly, keyloggers and phishing kits haven't changed much over the past decade. Many phishing kits, for example, for years have used the same PHP framework and reporting mechanisms for transmitting stolen credentials to attackers.
"We observe a remarkable lack of external pressure on bad actors, with phishing kit playbooks and keylogger capabilities remaining largely unchanged since the mid-2000s," the researchers write.
Use TFA and a Password Manager
The findings add hard data to confirm what was already largely known: Password reuse fuels successful credential theft schemes and puts users at great risk. Of all of the passwords the researchers collected, 7 to 25 percent could unlock a Gmail account.
Hardened defenses, including "unphishable" two-factor authentication, are the key to prevention.
Many two-factor authentication methods, however, still transmit a time-sensitive login code over SMS. But the U.S. National Institute of Standards and Technology has urged organizations to move away from using these one-time tokens, because an attacker could compromise someone's mobile number and intercept it (see I Hope That No One Gets My (SMS) Message in a Bottle).
Although two-factor codes are still at risk of being intercepted by malware, "our results suggest that the threat posed by credential leaks and phishing is orders of magnitude larger than keyloggers at present," the researchers say.
Password managers are another good solution, but haven't gained mass adoption.
"User education remains a major initiative for enhancing account security," the researchers write.