A recent Google study has revealed that phishing attacks via fake emails pose the greatest threat to people, followed by keyloggers and third-party breaches as account hacking increases globally.
The study, which was conducted by researchers from Google and UC Berkeley, also revealed that hundreds of millions of usernames and passwords are currently being traded on black markets that can be used to access Google accounts.
Google’s study lasted a year, from March 2016 until March 2017, and examined how attackers take over accounts. The Internet firm used itself as the case study and used carefully controlled internal “proprietary data” to see whether the hacked passwords and other credentials traded on hacker forums and the dark web actually work on real accounts.
“Our research tracked several black markets that traded third-party password breaches, as well as 25,000 blackhat tools used for phishing attacks and keylogging. In total, these sources helped us identify 788,000 credentials stolen via keyloggers, 12 million credentials stolen via phishing, and 3.3 billion credentials exposed by third-party breaches,” said Google in a blog post.
Google said the majority of those using phishing kits and keyloggers to compromise credentials are concentrated in Nigeria, followed by the United States, Morocco, South Africa, United Kingdom, and Malaysia.
The study also highlighted an alarming trend: users have been using the same password across multiple accounts, which makes them even more vulnerable. “Through a combination of password re-use across thousands of online services and targeted collection, we estimated 7–25 percent of stolen passwords in our dataset would enable an attacker to log in to a victim’s Google account and thus take over their online identity due to transitive trust.”
Data collected by Google shows that 80 percent of all the phishing kits observed targeted usernames, passwords, and geolocation, followed by phone numbers and device details. A smaller subset of the phishing attacks also targeted secret questions, full names, credit card data, and Social Security Numbers.
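The “transitive trust” finding above is, from a service operator’s side, a question of how many of your own accounts a third-party breach dump unlocks. The following is an added example (not code from Google, the study, or this article) of the check a service can run when it obtains such a dump: hash each leaked plaintext with the account’s own salt and compare against the stored verifier, so exposed accounts can be force-reset. The credential store, the breach dump, and the PBKDF2 parameters are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed KDF cost; a real service uses its own tuned value


def make_record(password: str) -> dict:
    """Store a salted PBKDF2-HMAC-SHA256 verifier, never the plaintext."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


# Constructed sample: the service's own account store (email -> salted verifier).
SERVICE_ACCOUNTS = {
    "alice@example.com": make_record("correct horse battery"),
    "bob@example.com": make_record("S3cure!Unique"),
    "carol@example.com": make_record("hunter2"),
    "dave@example.com": make_record("dave-only-pw"),
}

# Constructed sample: a third-party breach dump as traded on black markets.
# Alice and Carol reused their passwords; Bob used a different one elsewhere;
# Erin is not a user of this service at all.
BREACH_DUMP = [
    ("alice@example.com", "correct horse battery"),
    ("bob@example.com", "oldpassword123"),
    ("carol@example.com", "hunter2"),
    ("erin@example.com", "whatever"),
]


def password_matches(record: dict, candidate: str) -> bool:
    """Recompute the verifier with the stored salt; constant-time compare."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def find_exposed_accounts(accounts: dict, dump: list) -> set:
    """Accounts whose current password appears in the dump (reuse -> takeover risk)."""
    exposed = set()
    for email, leaked_pw in dump:
        record = accounts.get(email)
        if record is not None and password_matches(record, leaked_pw):
            exposed.add(email)
    return exposed


def exposure_rate(accounts: dict, dump: list) -> float:
    """Fraction of the service's accounts that the dump would unlock."""
    if not accounts:
        return 0.0
    return len(find_exposed_accounts(accounts, dump)) / len(accounts)


if __name__ == "__main__":
    exposed = find_exposed_accounts(SERVICE_ACCOUNTS, BREACH_DUMP)
    print("force password reset for:", sorted(exposed))
    print(f"exposure rate: {exposure_rate(SERVICE_ACCOUNTS, BREACH_DUMP):.0%}")
```

Because the comparison runs against the service’s own salted verifiers, the dump never needs to be stored in plaintext beyond the check itself, and accounts that merely share an email with a breach entry but use a different password are not flagged.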
The researchers say there are a few easy steps companies like Google and users can take to protect themselves.
It would also be ideal to implement two-factor authentication, which means that when logging in, a user would need a special security key or to type in a code sent through a text message to gain full access to an account.
The researchers also recommend using a password manager, which creates a new random password for each site — so if one site is breached, then hackers don’t have access to your other accounts, especially email.
Finally, Google highlighted that they scan their suite of products for suspicious actions performed by hijackers on a regular basis. “When we find any, we lock down the affected accounts to prevent any further damage as quickly as possible. We prevent or undo actions we attribute to account takeover, notify the affected user, and help them change their password and re-secure their account into a healthy state.”
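The lockdown described in the quote above (detect hijacker actions, lock the account, undo the actions, notify the user) can be sketched as a small rule over an account activity log. The following is an added example, not Google’s detection system or code from this article: it treats a login from a country or device the account has never used before as an unfamiliar session, and flags high-risk actions (password or recovery-email change, new mail-forwarding rule) performed in such a session. The event format, the risk list, and the undo mapping are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample activity log, in time order: (account, event, country, device_id).
# Alice's second login comes from a new country and device and then changes
# recovery settings; Bob changes his password from his usual device; Carol
# logs in from a new device but only reads mail.
EVENTS = [
    ("alice", "login", "US", "dev-a1"),
    ("alice", "read_mail", "US", "dev-a1"),
    ("alice", "login", "FR", "dev-x9"),
    ("alice", "change_recovery_email", "FR", "dev-x9"),
    ("alice", "add_forwarding_rule", "FR", "dev-x9"),
    ("bob", "login", "UK", "dev-b1"),
    ("bob", "change_password", "UK", "dev-b1"),
    ("carol", "login", "DE", "dev-c1"),
    ("carol", "login", "DE", "dev-c2"),
    ("carol", "read_mail", "DE", "dev-c2"),
]

# Assumed set of actions a hijacker performs to keep access after takeover.
HIGH_RISK = {"change_password", "change_recovery_email", "add_forwarding_rule"}

# Assumed remediation for each high-risk action when it is attributed to takeover.
UNDO = {
    "change_password": "reset password via verified recovery channel",
    "change_recovery_email": "restore previous recovery email",
    "add_forwarding_rule": "delete forwarding rule",
}


def analyze(events):
    """Return {account: [high-risk actions taken in an unfamiliar session]}."""
    seen_countries = defaultdict(set)
    seen_devices = defaultdict(set)
    unfamiliar_session = {}  # account -> bool for its most recent login
    findings = defaultdict(list)

    for account, event, country, device in events:
        if event == "login":
            has_baseline = bool(seen_countries[account])
            new_context = (country not in seen_countries[account]
                           or device not in seen_devices[account])
            # The very first login establishes the baseline and is not judged.
            unfamiliar_session[account] = has_baseline and new_context
            seen_countries[account].add(country)
            seen_devices[account].add(device)
            continue
        if event in HIGH_RISK and unfamiliar_session.get(account, False):
            findings[account].append(event)
    return dict(findings)


def lockdown_plan(findings):
    """Lock flagged accounts, list the actions to undo, and notify the owner."""
    return {
        account: {
            "lock": True,
            "undo": [UNDO[action] for action in actions],
            "notify_user": True,
        }
        for account, actions in findings.items()
    }


if __name__ == "__main__":
    flagged = analyze(EVENTS)
    for account, plan in lockdown_plan(flagged).items():
        print(account, plan)
```

Carol’s new device alone does not trigger anything, because the rule requires a high-risk action inside the unfamiliar session; real systems add many more signals, but the combination of “new context” and “persistence action” is the core of this kind of detection.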