ZDNet reported on November 10th that Google has released the results of a year-long investigation into Gmail account hijacking, which finds that phishing is far riskier for users than data breaches due to the additional information phishers collect.
Data breaches are certainly bad news for Internet users, but when the measure is account hijacking, Google's study finds phishing to be the far more dangerous of the three credential sources it compared: data breaches, phishing kits, and keyloggers.
Working with researchers at the University of California, Berkeley, Google pointed its web crawlers at public hacker forums and paste sites to look for credential leaks, and also obtained access to several private hacker forums.
That blackhat search turned up 1.9 billion credentials exposed by data breaches affecting users of MySpace, Adobe, LinkedIn, Dropbox and several dating sites. The vast majority of those credentials were being traded on private forums.
In spite of the large numbers, only seven percent of the passwords exposed in data breaches matched the password currently in use on the corresponding Google account, whereas a quarter of the 3.8 million credentials captured by phishing kits matched the current Google password. That is a striking difference.
The study found that victims of phishing are 400 times more likely to have their account hijacked than the average Google user, a figure that drops to 10 times for victims of a data breach. The difference? The type of information that phishing kits collect beyond the password itself.
Phishing kits contain prepackaged fake login pages for popular and valuable sites such as Gmail, Yahoo, Hotmail and online banking. They are typically uploaded to compromised websites and automatically e-mail the captured credentials to an account the attacker controls.
Phishing kits produce a higher rate of account hijacking because they capture the same signals Google uses in its risk assessment when a user logs in, such as the victim's geolocation, secret-question answers, phone number and device identifiers. An attacker holding those signals can make a fraudulent login look like the real owner's, whereas an attacker holding only a password from a breach or a keylogger cannot.
Of roughly 10,000 phishing kits examined, the researchers found that 83 percent collect the victim's geolocation and 18 percent collect phone numbers. By comparison, fewer than 0.1 percent of keyloggers collect phone details or secret-question answers.
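To make the mechanism concrete, here is an added toy model of a risk-based login check. It is illustration code written for this post, not Google's code or anything from the study: the signal names, weights and threshold are assumptions, and the victim profile and attacker attempts are constructed sample data. It shows why a password alone (what a breach dump or keylogger yields) triggers a challenge, while a phishing kit that also harvested geolocation, and in the fuller case phone number, secret answer and device identifier, sails through.

```python
"""Toy risk-based login check (added example; weights and threshold are assumptions).

Google's real risk assessment is proprietary. This model only illustrates the
point made in the study: the more context signals an attacker captures along
with the password, the more a fraudulent login resembles the owner's own.
"""
from dataclasses import dataclass

# Assumed weight credited for each signal that matches the account's history.
SIGNAL_WEIGHTS = {
    "password": 40,
    "geolocation": 20,
    "device_id": 20,
    "phone": 10,
    "secret_answer": 10,
}
ALLOW_THRESHOLD = 60  # assumed: score needed to sign in without a challenge


@dataclass(frozen=True)
class AccountProfile:
    """What the account owner's genuine logins look like (constructed sample)."""
    password: str
    geolocation: str
    device_id: str
    phone: str
    secret_answer: str


def risk_score(profile: AccountProfile, attempt: dict) -> int:
    """Sum the weights of every signal in the attempt that matches the profile."""
    return sum(
        weight
        for signal, weight in SIGNAL_WEIGHTS.items()
        if attempt.get(signal) == getattr(profile, signal)
    )


def login_decision(profile: AccountProfile, attempt: dict) -> str:
    """'deny' on a wrong password; otherwise 'allow' if the familiar-context
    score clears the threshold, else 'challenge' (extra verification)."""
    if attempt.get("password") != profile.password:
        return "deny"
    return "allow" if risk_score(profile, attempt) >= ALLOW_THRESHOLD else "challenge"


# --- Constructed sample data (hypothetical victim and attacker attempts) -----
VICTIM = AccountProfile(
    password="hunter2",
    geolocation="Fairfax, VA, US",
    device_id="android-5f3c9a",
    phone="+1-703-555-0100",
    secret_answer="rover",
)

# Breach dump or keylogger: the attacker has the password and nothing else,
# so the login arrives from the attacker's own location and device.
BREACH_ATTEMPT = {
    "password": "hunter2",
    "geolocation": "Lagos, NG",
    "device_id": "linux-desktop-01",
}
# Typical phishing kit (the 83 percent case): password plus the victim's
# geolocation, which the kit recorded from the victim's visit.
KIT_GEO_ATTEMPT = {
    "password": "hunter2",
    "geolocation": "Fairfax, VA, US",
    "device_id": "linux-desktop-01",
}
# Fuller phishing kit: also harvested phone, secret answer and device details.
KIT_FULL_ATTEMPT = {
    "password": "hunter2",
    "geolocation": "Fairfax, VA, US",
    "device_id": "android-5f3c9a",
    "phone": "+1-703-555-0100",
    "secret_answer": "rover",
}

ATTACKERS = {
    "breach": BREACH_ATTEMPT,
    "phishing_kit_geo": KIT_GEO_ATTEMPT,
    "phishing_kit_full": KIT_FULL_ATTEMPT,
}


def compare_attackers(profile: AccountProfile = VICTIM) -> dict:
    """Return {attacker_class: (score, decision)} for each constructed attempt."""
    return {
        name: (risk_score(profile, attempt), login_decision(profile, attempt))
        for name, attempt in ATTACKERS.items()
    }


if __name__ == "__main__":
    for name, (score, decision) in compare_attackers().items():
        print(f"{name:18s} score={score:3d} -> {decision}")
```

Run it and the breach attacker stops at a challenge with a score of 40, while both phishing-kit attackers reach "allow". Real systems use many more signals and different weights, but the structural lesson is the same: any signal the login page itself can observe is a signal a fake login page can capture and replay.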
Judging by the geolocation of the last sign-in to the Gmail accounts used to receive stolen credentials, 41 percent of phishing-kit operators are in Nigeria. The next biggest group is in the United States, at 11 percent.
Gmail users also represent the largest group of phishing victims, accounting for 27 percent of the total in the study. Yahoo phishing victims follow at 12 percent. However, Yahoo and Hotmail users are the largest group of leaked credential victims, both representing 19 percent, followed by Gmail at 12 percent.
They also found that most phishing victims were in the U.S., whereas most keylogger victims were in Brazil. Brazil? Go figure.
The researchers noted (doh) that two-factor authentication mitigates the threat of phishing, but they acknowledged that ease of use is an obstacle to adoption. Gee, do you think?
Hat tip to Dave Ries.