Email users are being threatened by massive credential theft, according to a study by Google, the University of California, Berkeley and the International Computer Science Institute. And phishing is the main way of getting to them.
Phishing victims are 400 times more likely to be hijacked compared to random Google users, Google reports.
In contrast, data breach victims are ten times more likely to be hijacked, and keylogger victims 40 times more likely.
Google studied 778,000 potential victims of keylogging, 12.4 million potential victims of phishing, and 1.9 billion user names and passwords exposed by data breaches in the year between March 2016 and March 2017, it says.
The risk of a full email takeover depends on how the attackers acquired a victim’s credentials, Google found.
For example, only 7% of victims in third-party data breaches have their current Google password exposed, compared to 12% of keylogger victims and 25% of phishing victims, it states.
According to Google, 4,069 phishing kits and 52 keyloggers were responsible for the active attacks.
Phishing kits are “ready-to-deploy” packages for “creating and configuring phishing content that also provide built-in support for reporting stolen credentials,” Google writes.
The most popular phishing kit is a website that emulates Gmail, Yahoo, and Hotmail logins, Google continues.
This kit was used by 2,599 blackhat actors to steal 1.4 million credentials, Google notes.
The most popular keylogger tool was the off-the-shelf product HawkEye. It was used by “470 blackhat actors to generate 409.000 reports of user activity on infected devices,” Google writes.
HawkEye and Predator Pain provide “built-in functionality to steal on-device password stores, harvest clipboard content, and screenshot a victim’s activity in addition to monitoring keystrokes,” Google points out.
All this, in turn, is feeding a massive black market for stolen data.
Google adds that the main home for phishers and keyloggers is Nigeria, followed by other African nations and locales in Southeast Asia.
Phishing victims are primarily located in the United States and Europe, whereas keylogging victims are in Turkey, the Philippines, Malaysia, Thailand, and Iran, Google states.
Google offers the caveat that its dataset is “strictly a sample of underground activity, yet even our sample demonstrates the massive scale of credential theft occurring in the wild.”
Google recently announced its Advanced Protection program for users at elevated risk of attack.