• by Ray Schultz , November 13, 2017

Email users are being threatened by massive credential theft, according to a study by Google, the University of California, Berkeley and the International Computer Science Institute. And phishing is the main way of getting to them. 

Phishing victims are 400 times more likely to be hijacked compared to random Google users, Google reports.  

In contrast, the rate is ten times more likely for data breach victims and 40 times more likely for keylogger victims.

Google studied 778,000 potential victims of keylogging, 12.4 million potential victims of phishing, and 1.9 billion user names and passwords exposed by data breaches in the year between March 2016 and March 2017, it says.

The risk of a full email takeover depends on how the attackers acquired a victim’s credentials, Google found.

For example, only 7% of victims in third-party data breaches have their current Google password exposed, compared to 12% of keylogger victims and 25% of phishing victims, it states.

According to Google, 4,069 phishing kits and 52 keyloggers were responsible for the active attacks.

Phishing kits are “ready-to-deploy” packages for “creating and configuring phishing content that also provide built-in support for reporting stolen credentials,” Google writes.

The most popular phishing kit is a website that emulates Gmail, Yahoo, and Hotmail logins, Google continues.

This kit was used by 2,599 blackhat actors to steal 1.4 million credentials, Google notes.

The most popular keylogger tool was the off-the-shelf product HawkEye. It was used by “470 blackhat actors to generate 409.000 reports of user activity on infected devices,” Google writes.

HawkEye and Predator Pain provide “built-in functionality to steal on-device password stores, harvest clipboard content, and screenshot a victim’s activity in addition to monitoring keystrokes,” Google points out.

All this, in turn, is feeding a massive data blackmarket. 

Google adds that the main home for phishers and keyloggers is Nigeria, followed by other African nations and locales in Southeast Asia.

Phishing victims are primarily located in the United States and Europe, whereas keylogging victims are in Turkey, the Philippines, Malaysia, Thailand, and Iran, Google states.

Google offers the caveat that its dataset is “strictly a sample of underground activity, yet even our sample demonstrates the massive scale of credential theft occurring in the wild.”

Google recently announced its Advanced Protection program for users at elevated risk of attack.