A Google study found that phishing attacks are more effective than data breaches at getting criminals into victims' accounts, and that the average person still can't pick a good password.
The study was carried out in conjunction with the University of California at Berkeley and the International Computer Science Institute. Researchers conducted a year-long investigation into Gmail account hijacking and found that hackers were more likely to gain access to accounts using credentials obtained via phishing.
The stolen credentials also revealed something about the victims: users are still practicing poor security hygiene with weak passwords. Among all plain-text leaks, the most popular bad passwords are still in use, with "123456", "password", "123456789", "111111" and "qwerty" topping the list. These same passwords were also among the 25 most common passwords of 2016.
The groups also examined more than 25,000 criminal hacking tools and found that threat actors steal nearly 250,000 web credentials every week.
When credentials were leaked via data breaches there was only a 6.9 percent chance that criminals would get a password match, compared with a 24.8 percent match rate for phishing attacks and an 11.9 percent match rate for keylogger software.
Phishing attacks can lure users into divulging more information than is obtained via data leaks, giving cybercriminals more opportunities to leverage the specific information needed to compromise an account.
Lisa Baergen, director at NuData Security, said the study's results raise questions about the need for employer policies that prohibit employees from using their personal passwords for corporate email accounts and, likewise, from using workplace emails as secondary verification for personal accounts.
"Cyber crime isn't 'loners in the basement' anymore – it's highly organised, well-resourced, and technologically advanced," Baergen said. "The news of ongoing, massive-scale theft of Gmail credentials should be a wake-up call that it's time to fundamentally re-think authentication, and incorporate continuous validation techniques using data that can't be mimicked, such as passive biometrics."
Employees often overlook the risks of navigating to malicious sites, Bitglass vice president of product management Mike Schuricht said.
“When phishing kits provide a site that looks legitimate, many employees willingly enter their credentials on the spoofed login page,” Schuricht said. “As cloud and mobile are adopted in the enterprise, organizations need tools to achieve visibility, identify risky destinations, and prevent phishing attacks in real time.”
Overall, the study identified 788,000 potential victims of off-the-shelf keyloggers; 12.4 million potential victims of phishing kits; and 1.9 billion usernames and passwords exposed via data breaches and traded on black-market forums.
Google also found that blocking login attempts that fail to match a user's historical login behavior or device profile helps mitigate the risk from data breaches and keyloggers and, to a lesser extent, from phishing.
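As an added illustration of the mitigation just described (example code written for this article, not code from Google or the study), the Python below builds a per-user profile from prior successful sign-ins and scores a new attempt against the devices, countries and hours seen before, then allows it, sends it to a step-up challenge, or blocks it. The device ids, country codes, weights and thresholds are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class LoginAttempt:
    user: str
    device_id: str   # assumed cookie/device fingerprint id
    country: str     # assumed to be geolocated from the source IP
    hour: int        # hour of day, 0-23

@dataclass
class LoginHistory:
    """Profile of one user's prior successful sign-ins."""
    devices: Counter = field(default_factory=Counter)
    countries: Counter = field(default_factory=Counter)
    hours: Counter = field(default_factory=Counter)

    def record(self, a: LoginAttempt) -> None:
        self.devices[a.device_id] += 1
        self.countries[a.country] += 1
        self.hours[a.hour] += 1

def risk_score(history: LoginHistory, a: LoginAttempt) -> int:
    """Score an attempt by how many profile dimensions it fails to match.
    An unknown device or country weighs more than an unusual hour (assumed weights)."""
    score = 0
    if a.device_id not in history.devices:
        score += 2
    if a.country not in history.countries:
        score += 2
    # Hour check with a +/-2h window so a slightly late sign-in is not penalised.
    if not any(history.hours[(a.hour + d) % 24] for d in range(-2, 3)):
        score += 1
    return score

def decide(history: LoginHistory, a: LoginAttempt) -> str:
    """Map the score to a policy: allow, step-up challenge, or block (assumed thresholds)."""
    score = risk_score(history, a)
    if score == 0:
        return "allow"
    if score <= 3:
        return "challenge"  # e.g. require a second factor before granting access
    return "block"

# Constructed history: alice signs in from one laptop in the US during the day.
ALICE = LoginHistory()
for h in (9, 10, 14, 18):
    ALICE.record(LoginAttempt("alice", "laptop-1", "US", h))
```

A known device from a new country only earns a challenge, which keeps a travelling user on their own laptop out of the block path while still stopping a fresh device from an unseen country at an unusual hour.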