There are billions of stolen credentials available for purchase on the black market dating back perhaps 20 years. Their value is debatable because some users change their passwords regularly, or at least when they’ve been notified of a data breach. But what are the odds an attacker can use credentials to break into an email account?
Pretty good, suggests an academic study funded in part by Google and researchers at the University of California and the International Computer Science Institute. The researchers compared a huge load of stolen passwords to a sample of Gmail accounts and found as many as 25 per cent could match a Google account.
One interesting part of the study showed that victims of phishing attacks were more likely to have a Gmail account hacked than those whose credentials were stolen by keyloggers or in a data breach.
The study covered a 12 month period ending March of this year. During that time researchers found 788,000 potential victims of off-the-shelf keyloggers; 12.4 million potential victims of phishing kits; and 1.9 billion usernames and passwords exposed via data breaches and traded on black market forums.
“We find that the risk of a full email takeover depends significantly on how attackers first acquire a victim’s (re-used) credentials,” say the authors. Using Google as a case study, we observe only 7 per cent of victims in third party data breaches have their current Google password exposed, compared to 12 per cent of keylogger victims and 25 per cent of phishing victims. Hijackers also have varying success at emulating the historical login behavior and device profile of targeted accounts.
“We find victims of phishing are 400 times more likely to be successfully hijacked compared to a random Google user. In comparison, this rate falls to 10 times for data breach victims and roughly 40x for keylogger victims. This discrepancy results from phishing kits actively stealing risk profile information to impersonate a victim, with 83 per cent of phishing kits collecting geolocations, 18 per cent phone numbers, and 16 per cent User-Agent data.”
The most popular phishing kit—a website emulating Gmail, Yahoo, and Hotmail logins—was used by 2,599
blackhat actors to steal 1.4 million credentials, researchers found. The most popular keylogger—HawkEye—was used by 470 blackhat actors to generate 409,000 reports of user activity on infected devices.
As a by-product the research shows the global reach of the underground economy for credential theft and the necessity of a defense-in-dept to authenticating users.
Researchers didn’t pay for any of the stolen credentials used in the study. Credential leaks sold privately on underground markets eventually surface for free the report says, on paste sites, blackhat forums and sometimes on the public Internet. The list they used also included credentials from private, members-only forums. Admittedly, this meant that credentials that were compressed, password protected, or encrypted weren’t included. Many were hashed, but researchers were able to invert some to get their final list.
Infosec pros will be disappointed — but not surprised — that the usual suspects appeared as common passwords: 123456, password, 123456789, abc123, password1 and 111111. However, while these are the most common, they were each found to be less than one per cent in the sample. It isn’t clear whether this means more people are using more secure passwords, and in particular whether people are using more secure passwords for corporate and personal banking and less secure ones on consumer forums and the like. Nevertheless, it shows a hacker can still take a chance and test the usual suspects when trying a brute force attack.
To get a grip of the size of the credentials theft problem, the researchers figured they could identify over 1,484 billion unique user name, password combinations that belong to over 1,092 billion unique user names. They figured attackers using phishing kits potentially harvest 234,887 valid credentials a week, with those using keyloggers adding another 14,879 a week. Of course, anyone grabbing a full load of usernames and passwords from a data theft adds to that.
Not surprisingly the authors conclude that one solution is to educate users about the importance of password managers — which is controversial because they are a potential single point of failure — as well as two-factor authentication.