Why you should fear phishing more than data breaches

When it comes to account compromise, phishing poses a greater threat than data breaches, say researchers at Google and UC Berkeley.

For some people, Google controls most of their identity online, and losing access to that critical account could be devastating. A recent study from Google and UC Berkeley examined the various ways accounts are compromised, and determined that phishing attacks – not data breaches – pose the most risk to users when it comes to lost access.

Google's study lasted a year, from March 2016 until March 2017, and sought to better understand how attackers take over accounts. While phishing, keylogging, and data breaches affect everyone, Google used its own accounts as the case study.

"What we learned from the research proved to be immediately useful," two of the study's authors, Kurt Thomas and Angelika Moscicki, explained. In fact, the data helped secure some 67 million Google accounts before they could be abused.

Google's study includes data taken from 25,000 malicious tools used for phishing and keylogging, which enabled the researchers to identify 788,000 compromised credentials due to keyloggers; 12 million credentials compromised via phishing; and 3.3 billion credentials exposed due to data breaches.

Google said the majority of those using phishing kits and keyloggers to compromise credentials are concentrated in Nigeria, followed by the United States, Morocco, South Africa, United Kingdom, and Malaysia.

That finding hits close to home. Recently, CSO has been tracking a number of Office 365 phishing attacks, which use compromised accounts to further their reach. Many of the attacks that landed in our inboxes can be sourced back to Nigeria.

While some phishing kits are basic, they serve an essential function; namely, they often lead users to believe there is a problem, and look just convincing enough to fool someone into sharing their password and other identifying information.

Some of the phishing kits observed by Google were collecting additional details, including IP address, device make and model, phone numbers, and location – things Google might request for ID verification.

Data collected by Google shows that 80 percent of all the phishing kits observed targeted usernames, passwords, and geolocation, followed by phone numbers and device details. A smaller subset of the phishing kits also targeted secret questions, full names, credit card data, and Social Security Numbers.

For this reason, Google explained, phishing was determined to pose the greatest threat, followed closely by keylogging.

Based on the data, Google said that only seven percent of the passwords exposed by a data breach were still in use by their owners, compared to 12 or 25 percent of the passwords exposed by phishing or keylogging.

As such, although they have a large impact on services where password reuse is common, data breaches ranked last overall.

During the study's timeline, Google determined that, unfortunately, most users who fell victim to a phishing attack remained unaware that their account was at risk. However, one upside to the data collected is that most victims are only impacted once, as only two percent of those in the dataset were successfully phished a second time.

Taking all of the data into account, Gmail, Yahoo, and Hotmail, in that order, were the top three domains for phishing and keylogging victims. A majority of the phishing victims reside in the United States, while the keylogging victims are mostly in Brazil and India.

Ranked in order, Google's study shows that Gmail, Yahoo, and Hotmail were the top brands impersonated, followed by workspace email accounts, Dropbox, Google Drive, DocuSign, ZoomInfo, Office 365, and AOL.

The study also notes that while two-factor authentication would help mitigate problems associated with phishing, there are serious hurdles to wide adoption, including ease of use, recovery from loss, and getting consumers to trust third parties.

Google presented its findings at the Conference on Computer and Communications Security (CCS); a full copy of the paper is available online.