1.888.900.DRIZ (3749)
The Driz Group
  • Managed Services
    • SME CyberShield
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Careers
    • Subsidiaries
  • Contact
    • Newsletter
  • How WAF Works
  • Blog
  • Managed Services
    • SME CyberShield
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Careers
    • Subsidiaries
  • Contact
    • Newsletter
  • How WAF Works
  • Blog

Cybersecurity Blog

Thought leadership. Threat analysis. Cybersecurity news and alerts.

11/12/2017

0 Comments

How to Prevent Account Takeover or Hijacking

 
Prevent account takeover

How to Prevent Account Takeover or Hijacking

A new study conducted by Google and University of California (UC) delved into the question which among these three cyberattacks – phishing, keylogging and third-party data breach – most likely results in account takeover or hijacking.

From March 2016 to March 2017, researchers at Google and UC examined 12.4 million potential victims of phishing kits, 788,000 potential victims of keyloggers and 1.9 billion usernames and passwords exposed via third-party data breaches traded on the black market.

The Google and UC study found that victims of phishing kits are more likely to have their account taken over by cybercriminals as these kits harvest the same information that Google uses in verifying every time a user logs into his or her email account. Details that are harvested by phishing kits include the victim's secret questions, geolocation, phone numbers and device identifiers.

The study found that accounts of victims of phishing are 400 times more likely to be successfully hijacked compared to a random Google user. The likelihood of account takeover is far lesser for keylogger victims (40 times likely to be hijacked) and third-party data breach victims (10 times). Researchers found 25,000 blackhat tools used for phishing and keylogging.

“We find that the risk of a full email takeover depends significantly on how attackers first acquire a victim’s (re-used) credentials,” the researchers wrote in their paper “Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials”. “Using Google as a case study, we observe only 7% of victims in third party data breaches have their current Google password exposed, compared to 12% of keylogger victims and 25% of phishing victims.”

Once an account is taken over, the attacker can download all of the victim’s private data; remotely wipe the victim’s data and backups; impersonate the victim; reset the victim’s passwords and use this hijacked account as a stepping stone to access the victim’s other online accounts.

Third-Party Data Breach

Most of the 1.9 billion usernames and passwords exposed via third-party data breaches in the Google and UC study came from MySpace, Badoo, Adobe, LinkedIn, VK, Tumblr and Dropbox. The study revealed that the passwords listed below are the most commonly used passwords by victims of phishing, keylogging and third-party data breach:

  • 123456
  • password
  • 123456789
  • abc123
  • password1
  • homelesspa
  • 111111
  • qwerty
  • 12345678
  • 1234567

These data leaks which date back to 2012–2014 appeared in public

blackhat forums, paste sites and sites like leakedsources.com, leakbase.pw and breachalarm.com – sites that charge those who would like to find out if their accounts are compromised. Victims of third-party data breach were mostly from the US (39%), India (8%) and Brazil (2.6%).

The importance of an account, in particular, an email address and its login details can’t be undermined. “As the digital footprint of Internet users expands to encompass social networks, financial records, and data stored in the cloud, often a single account underpins the security of this entire identity – an email address,” the researchers said.

Phishing Kit

The phishing kit referred to in the Google and UC study refers to prepackaged fake login page for a popular site like Gmail, Yahoo and online banking. Phishing kits are often uploaded to compromised websites and automatically harvest credentials of victims. Researchers found that phishing kit variants were uploaded to fake login pages of Yahoo, Hotmail, Gmail, Workspace Webmail, Dropbox, Google Drive, Docusign, ZoomInfo, Office 365 and AOL.

The study showed that the most popular phishing kit that utilized fake login pages for popular email providers – Yahoo, Hotmail, AOL and Gmail – generated 1,448,890 stolen credentials. Based on the last sign-in to email accounts receiving stolen credentials, the top 3 phishing kit users are those from Nigeria (41%), United States (11%) and Morocco (7.6%). Victims of phishing were mostly from the US (50%), South Africa (4%) and Canada (3%).

Google in a blog post said, “By ranking the relative risk to users, we found that phishing posed the greatest threat, followed by keyloggers, and finally third-party breaches.”

Of the three forms of cyberattacks – phishing, keylogging and third-party data reach, phishing is the most destructive as this doesn’t only yield a password, but other sensitive data that Google itself may ask when verifying an account of a holder such as IP address, location, phone numbers and device model.

Keylogger

Keylogger is a malicious software that tracks and records every keystroke entry you make on your computer and often without your knowledge or permission. Attackers use keyloggers to capture sensitive data like financial information or passwords, which are then sent to third parties for criminal use. Keyloggers can steal your on-device passwords, harvest clipboard content, screenshot your online activities and monitor your keystrokes.

Based on the study, the top 10 keylogger families are the following: HawkEye, Cyborg Logger, Predator Pain, Limitless Stealer, iSpy Keylogger, Olympic Vision, Unknown Logger, Saint Andrew’s, Infinity Logger and Redpill Spy. HawkEye, in particular, sent over 400,000 snooping reports to 470 emails believed to be managed by attackers.

The top keylogger users based on the last sign-in to email accounts receiving stolen credentials came from Nigeria (11%), Brazil (7.8%) and Senegal (7.3%). Victims of keyloggers were mostly from Brazil (18%), India (10%) and US (8%).

Preventive Measures

Here are some of the ways to stop account takeover or hijacking:

  1. Use a Strong Password

Attackers have already known our “1234567” and “password” passwords. It’s time to use less obvious passwords. Cybersecurity, however, needs to move beyond strong passwords.

  1. Use Two-Factor Authentication

To ward off attackers, many online businesses today safeguard their accounts through two-factor authentication. Two-factor authentication is when you use something you know, for example a password, and also something you have, for example a smartphone, whereby after entering your password, you either received an SMS with an additional code, or will use an app to get the code to finalize the logon process. In addition, some online software providers and social networks already force a multi-step authentication. For instance, when Google detects that you logged in into your account from a different device or different location, it will ask additional information only you would know, before granting access.

As shown by the destructive nature of phishing, even a two-way factor authentication isn’t enough to ward off attackers as they can harvest sensitive information that Google itself may require when verifying an account.

Contact us today to learn more about how to protect your enterprise accounts from takeover or hijacking.
0 Comments

Your comment will be posted after it is approved.


Leave a Reply.

    Author

    Steve E. Driz, I.S.P., ITCP

    Picture
    View my profile on LinkedIn

    Archives

    March 2025
    February 2025
    January 2025
    November 2024
    October 2024
    September 2024
    July 2024
    June 2024
    April 2024
    March 2024
    February 2024
    January 2024
    December 2023
    November 2023
    October 2023
    September 2023
    August 2023
    July 2023
    June 2023
    May 2023
    April 2023
    March 2023
    February 2023
    January 2023
    December 2022
    June 2022
    February 2022
    December 2021
    November 2021
    October 2021
    September 2021
    August 2021
    July 2021
    June 2021
    May 2021
    April 2021
    March 2021
    February 2021
    January 2021
    December 2020
    November 2020
    October 2020
    September 2020
    August 2020
    July 2020
    June 2020
    May 2020
    April 2020
    March 2020
    February 2020
    January 2020
    December 2019
    November 2019
    October 2019
    September 2019
    August 2019
    July 2019
    June 2019
    May 2019
    April 2019
    March 2019
    February 2019
    January 2019
    December 2018
    November 2018
    October 2018
    September 2018
    August 2018
    July 2018
    June 2018
    May 2018
    April 2018
    March 2018
    February 2018
    January 2018
    December 2017
    November 2017
    October 2017
    September 2017
    August 2017
    July 2017
    June 2017
    May 2017
    April 2017
    March 2017
    February 2017
    January 2017
    December 2016
    October 2016
    August 2016
    May 2016
    March 2016
    January 2016
    November 2015
    October 2015
    August 2015
    June 2015

    Categories

    All
    0-Day
    2FA
    Access Control
    Advanced Persistent Threat
    AI
    AI Security
    Artificial Intelligence
    ATP
    Awareness Training
    Blockchain
    Botnet
    Bots
    Brute Force Attack
    CASL
    Cloud Security
    Compliance
    COVID 19
    COVID-19
    Cryptocurrency
    Cyber Attack
    Cyberattack Surface
    Cyber Awareness
    Cybercrime
    Cyber Espionage
    Cyber Insurance
    Cyber Security
    Cybersecurity
    Cybersecurity Audit
    Cyber Security Consulting
    Cyber Security Insurance
    Cyber Security Risk
    Cyber Security Threats
    Cybersecurity Tips
    Data Breach
    Data Governance
    Data Leak
    Data Leak Prevention
    Data Privacy
    DDoS
    Email Security
    Endpoint Protection
    Fraud
    GDPR
    Hacking
    Impersonation Scams
    Incident Management
    Insider Threat
    IoT
    Machine Learning
    Malware
    MFA
    Microsoft Office
    Mobile Security
    Network Security Threats
    Phishing Attack
    Privacy
    Ransomware
    Remote Access
    SaaS Security
    Social Engineering
    Supply Chain Attack
    Supply-Chain Attack
    Third Party Risk
    Third-Party Risk
    VCISO
    Virtual CISO
    Vulnerability
    Vulnerability Assessment
    Web Applcation Security
    Web-applcation-security
    Web Application Firewall
    Web Application Protection
    Web Application Security
    Web Protection
    Windows Security
    Zero Trust

    RSS Feed

Picture

1.888.900.DRIZ (3749)

Managed Services

Picture
SME CyberShield
​Web Application Security
​Virtual CISO
Compliance
​Vulnerability Assessment
Free Vulnerability Assessment
Privacy Policy | CASL

About us

Picture
Testimonials
​Meet the Team
​Subsidiaries
​Contact us
​Blog
​
Jobs

Resources & Tools

Picture
​Incident Management Playbook
Sophos authorized partner logo
Picture
© 2025 Driz Group Inc. All rights reserved.
Photo from GotCredit