How did someone hijack your Gmail? Phishing, keylogger or password reuse, we're guessing

If you run a website with user accounts, take a look at this research, ta

27 Reg comments Got Tips?

Google has teamed up with computer scientists at the University of California, Berkeley, to find out how exactly hijackers take over its users' accounts.

The eggheads peered into online black markets where people's login details are bought and sold to get an idea of the root cause of these account takeovers and the subsequent theft of people's sensitive personal information. Apparently, just over one in ten netizens have reported attempts by miscreants to commandeer their social network and email accounts.

Unsurprisingly, passwords are mainly stolen via phishing attacks or keyloggers, or are reused by people on multiple websites and services that are later hacked, spilling the keys to their other accounts. In a report published on Thursday, the team noted:

Our research tracked several black markets that traded third-party password breaches, as well as 25,000 blackhat tools used for phishing and keylogging. In total, these sources helped us identify 788,000 credentials stolen via keyloggers, 12 million credentials stolen via phishing, and 3.3 billion credentials exposed by third-party breaches.

While our study focused on Google, these password stealing tactics pose a risk to all account-based online services. In the case of third-party data breaches, 12 per cent of the exposed records included a Gmail address serving as a username and a password; of those passwords, 7 per cent were valid due to reuse. When it comes to phishing and keyloggers, attackers frequently target Google accounts to varying success: 12-25 per cent of attacks yield a valid password.

However, because a password alone is rarely sufficient for gaining access to a Google account, increasingly sophisticated attackers also try to collect sensitive data that we may request when verifying an account holder’s identity. We found 82 per cent of blackhat phishing tools and 74 per cent of keyloggers attempted to collect a user’s IP address and location, while another 18 per cent of tools collected phone numbers and device make and model.

By ranking the relative risk to users, we found that phishing posed the greatest threat, followed by keyloggers, and finally third-party breaches.

Per Thorsheim‏, an infosec bod who founded the PasswordsCon conference, praised Google’s “solid research."

“I'm impressed," he told us. “This is very useful for both research and practical improvements. Having said that I'm afraid many don't have the mandate, budget or understanding that this isn't just a threat to Google, it is a threat to almost anything online."

Google has applied insights gleaned from its research to better protect its user accounts, we're told: for example, through its recently announced advanced protection program that uses two-factor authentication tokens. It hopes other online services take a look at the findings and shore up their defenses, too. Above all, Google's indirectly saying: if your Gmail account gets hacked, it's your fault for losing your password, and not because we did a Yahoo!

The research was presented at this year's Conference on Computer and Communications Security (CCS) conference under the title, Data breaches, phishing, or malware? Understanding the risks of stolen credentials. ®


Keep Reading

Google Firebase Cloud Messaging offers spam tier for some – no account required, just knowledge of bad security

All that's necessary is willingness to abuse server keys exposed in apps and some technical know-how

Shared memory vulnerability in IBM's Db2 database could let nefarious insiders wreak havoc – so get patching

Lack of protections around trace facility gives local users read and write access

If you're despairing at staff sharing admin passwords, look on the bright side. That's CIA-grade security

Internal report confirms what we all feared: Lax controls led to WikiLeaks Vault 7 hack tools blab

Homeland Security demands a 911 for reporting security holes in federal networks: 'Vulns in internet systems cause real-world impacts'

Great – and who will be the first responders?

Alarming news: ADT to flog Nest smart home kit after Google ploughs $450m into corporate security dinosaur

Resell agreement set up amid plans to build next gen of home automation and security gear

GnuTLS patches huge security hole that hung around for two years – worse than Heartbleed, says Google cryptoboffin

Maybe it's time to get it gone

Here's US Homeland Security collaring a suspected arsonist after asking Google for the IP addresses of folks who made a specific search

Don't worry, says the internet giant, this doesn't happen too often

So you've set up MFA and solved the Elvish riddle, but some still think passwords alone are secure enough

OK, a third agreed with Thales when it asked the question

Biting the hand that feeds IT © 1998–2020