Internet giant Google has teamed up with the University of California, Berkeley to better understand how hijackers manage to take over users' online accounts via keyloggers, phishing attacks, or by using data exposed in large breaches.
By tracking black markets that traded third-party password breaches, as well as blackhat tools for phishing and keylogging, the team found that 788,000 credentials were stolen via keyloggers between March 2016 and March 2017.
During the same period, 12 million credentials were stolen via phishing, and 3.3 billion credentials were exposed by third-party breaches.
Looking at data breaches only, the team found that 12% of the exposed records included a Gmail address serving as a username and a password, while 7% of those passwords proved valid for reuse.
Attacks leveraging phishing schemes and keyloggers also successfully targeted Google accounts, with 12-25% of attacks yielding a usable password.
In its defense, Google notes that, while its study focused on its own user base, “these password stealing tactics pose a risk to all account-based online services.”
Google’s research further uncovered that, because it uses various safeguards to prevent hackers from stealing user credentials, hijackers are employing increasingly sophisticated methods to try to collect sensitive data that the company may request when verifying an account holder’s identity.
In other words, both the vendor and the user must guard against scams.
Google lists a number of safeguards that users can leverage to detect phishing attacks, but doesn’t mention dedicated anti-malware solutions with anti-spam and anti-phishing mechanisms.
“We found 82% of blackhat phishing tools and 74% of keyloggers attempted to collect a user’s IP address and location, while another 18% of tools collected phone numbers and device make and model,” write Kurt Thomas, of the Anti-Abuse Research team, and Angelika Moscicki, of the Account Security team.
“By ranking the relative risk to users, we found that phishing posed the greatest threat, followed by keyloggers, and finally third-party breaches,” Google says.
Google is publishing this information so other vendors of online services can use the data to better secure their offerings.
The company further notes that all account-based online services should “supplement their authentication systems with more protections beyond just passwords.”