How to Prevent Account Takeover or Hijacking
A new study conducted by Google and the University of California (UC) delved into the question of which of three cyberattacks – phishing, keylogging and third-party data breaches – is most likely to result in account takeover, or hijacking.
From March 2016 to March 2017, researchers at Google and UC examined 12.4 million potential victims of phishing kits, 788,000 potential victims of keyloggers and 1.9 billion usernames and passwords exposed via third-party data breaches traded on the black market.
The Google and UC study found that victims of phishing kits are the most likely to have their accounts taken over by cybercriminals, because these kits harvest the same information Google uses to verify a user each time he or she logs into an email account. Details harvested by phishing kits include the victim's secret questions, geolocation, phone numbers and device identifiers.
The study found that accounts of phishing victims are 400 times more likely to be successfully hijacked than those of a random Google user. The likelihood of account takeover is far lower for keylogger victims (40 times more likely to be hijacked) and third-party data breach victims (10 times). Researchers found 25,000 blackhat tools used for phishing and keylogging.
“We find that the risk of a full email takeover depends significantly on how attackers first acquire a victim’s (re-used) credentials,” the researchers wrote in their paper “Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials”. “Using Google as a case study, we observe only 7% of victims in third party data breaches have their current Google password exposed, compared to 12% of keylogger victims and 25% of phishing victims.”
Once an account is taken over, the attacker can download all of the victim’s private data; remotely wipe the victim’s data and backups; impersonate the victim; reset the victim’s passwords and use this hijacked account as a stepping stone to access the victim’s other online accounts.
Third-Party Data Breach
Most of the 1.9 billion usernames and passwords exposed via third-party data breaches in the Google and UC study came from MySpace, Badoo, Adobe, LinkedIn, VK, Tumblr and Dropbox. The study revealed that the passwords listed below are the most commonly used passwords by victims of phishing, keylogging and third-party data breach:
These data leaks, which date back to 2012–2014, appeared in public blackhat forums, paste sites and sites like leakedsources.com, leakbase.pw and breachalarm.com – sites that charge those who would like to find out if their accounts are compromised. Victims of third-party data breaches were mostly from the US (39%), India (8%) and Brazil (2.6%).
The importance of an account, in particular an email address and its login details, can’t be overstated. “As the digital footprint of Internet users expands to encompass social networks, financial records, and data stored in the cloud, often a single account underpins the security of this entire identity – an email address,” the researchers said.
A phishing kit, as the term is used in the Google and UC study, is a prepackaged fake login page for a popular site like Gmail, Yahoo or online banking. Phishing kits are often uploaded to compromised websites and automatically harvest the credentials of victims. Researchers found phishing kit variants imitating the login pages of Yahoo, Hotmail, Gmail, Workspace Webmail, Dropbox, Google Drive, Docusign, ZoomInfo, Office 365 and AOL.
The study showed that the most popular phishing kit that utilized fake login pages for popular email providers – Yahoo, Hotmail, AOL and Gmail – generated 1,448,890 stolen credentials. Based on the last sign-in to email accounts receiving stolen credentials, the top 3 phishing kit users are those from Nigeria (41%), United States (11%) and Morocco (7.6%). Victims of phishing were mostly from the US (50%), South Africa (4%) and Canada (3%).
Google in a blog post said, “By ranking the relative risk to users, we found that phishing posed the greatest threat, followed by keyloggers, and finally third-party breaches.”
Of the three forms of cyberattack – phishing, keylogging and third-party data breaches – phishing is the most destructive, as it yields not only a password but also other sensitive data that Google itself may ask for when verifying an account holder, such as IP address, location, phone numbers and device model.
A keylogger is malicious software that tracks and records every keystroke you make on your computer, often without your knowledge or permission. Attackers use keyloggers to capture sensitive data like financial information or passwords, which are then sent to third parties for criminal use. Keyloggers can steal your on-device passwords, harvest clipboard content, screenshot your online activities and monitor your keystrokes.
Based on the study, the top 10 keylogger families are the following: HawkEye, Cyborg Logger, Predator Pain, Limitless Stealer, iSpy Keylogger, Olympic Vision, Unknown Logger, Saint Andrew’s, Infinity Logger and Redpill Spy. HawkEye, in particular, sent over 400,000 snooping reports to 470 emails believed to be managed by attackers.
The top keylogger users, based on the last sign-in to email accounts receiving stolen credentials, came from Nigeria (11%), Brazil (7.8%) and Senegal (7.3%). Victims of keyloggers were mostly from Brazil (18%), India (10%) and the US (8%).
Here are some of the ways to stop account takeover or hijacking:
Attackers already know our “1234567” and “password” passwords. It’s time to use less obvious passwords. Cybersecurity, however, needs to move beyond strong passwords.
To ward off attackers, many online businesses today safeguard their accounts through two-factor authentication. Two-factor authentication combines something you know, for example a password, with something you have, for example a smartphone: after entering your password, you either receive an SMS with an additional code or use an app to generate the code that completes the logon process. In addition, some online software providers and social networks already enforce multi-step authentication. For instance, when Google detects that you logged into your account from a different device or a different location, it asks for additional information only you would know before granting access.
As shown by the destructive nature of phishing, even two-factor authentication isn’t enough to ward off attackers, as they can harvest the sensitive information that Google itself may require when verifying an account.
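The three defences described above can be layered in one sign-in decision: a properly hashed password, an app-generated code (TOTP, RFC 6238, the "something you have" factor) and a step-up challenge when the attempt comes from an unfamiliar device or country. The following is an added example written for this post, not code from Google or from the study; the account, device names, countries, the password and the TOTP secret (the RFC 6238 test-vector key) are constructed sample data.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

STEP = 30        # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6       # code length shown by authenticator apps
PBKDF2_ROUNDS = 100_000   # demo value; tune upwards for production


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, at // step, digits)


def verify_totp(key: bytes, submitted: str, at: int, window: int = 1) -> bool:
    """Accept the current code and +/- `window` steps to tolerate clock drift;
    compare in constant time so response timing does not leak matching digits."""
    counter = at // STEP
    return any(hmac.compare_digest(hotp(key, counter + d), submitted)
               for d in range(-window, window + 1))


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the stored record is (salt, digest), never the password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Account:
    salt: bytes
    pw_digest: bytes
    totp_key: bytes
    known_devices: Set[str] = field(default_factory=set)
    usual_countries: Set[str] = field(default_factory=set)


def sign_in(acct: Account, password: str, code: str,
            device_id: str, country: str, now: int) -> str:
    """Decision for one sign-in attempt: 'deny', 'step_up' or 'allow'."""
    if not check_password(password, acct.salt, acct.pw_digest):
        return "deny"                      # wrong password: stop here
    if not verify_totp(acct.totp_key, code, now):
        return "deny"                      # second factor missing or stale
    # A phished password and code can both be replayed within the time window,
    # so an unfamiliar device or geography still triggers a step-up challenge.
    if device_id not in acct.known_devices or country not in acct.usual_countries:
        return "step_up"
    return "allow"


def demo() -> list:
    """Constructed walk-through: wrong password, good login, good login from a new device."""
    key = b"12345678901234567890"          # RFC 6238 test-vector secret (demo only)
    salt, digest = hash_password("correct horse battery staple")
    acct = Account(salt, digest, key, {"laptop-01"}, {"US"})
    now = 1111111109                       # RFC 6238 test-vector timestamp
    code = totp(key, now)                  # the code the user's app would show
    return [
        sign_in(acct, "password", code, "laptop-01", "US", now),
        sign_in(acct, "correct horse battery staple", code, "laptop-01", "US", now),
        sign_in(acct, "correct horse battery staple", code, "phone-new", "ZZ", now),
    ]


if __name__ == "__main__":
    print(demo())
```

The step-up branch is where the post's last point lands: a correct password plus a fresh code proves little if both were typed into a phishing page seconds ago, so the decision also weighs the device and location the attempt arrives from, which is the behaviour the post attributes to Google's sign-in checks.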
Contact us today to learn more about how to protect your enterprise accounts from takeover or hijacking.
Steve E. Driz, I.S.P., ITCP