Phishing has long been recognised as one of the most effective tools in an attacker’s arsenal. Now, extensive new research based on a year’s worth of data provides further empirical proof. Criminals find phishing far more effective than keyloggers or data breaches for obtaining credentials and accessing someone’s account.

Between March 2016 and March 2017, 13 researchers from Google, the University of California at Berkley and the International Computer Science Institute, examined data culled from three sources. These were: online black markets trading credentials that had been exposed in data breaches; phishing kits that trick victims into entering their details on fake login pages; and off-the-shelf keyloggers that grab passwords from infected machines.

The team identified 788,000 potential victims of off-the-shelf keyloggers; 12.4 million potential victims of phishing kits; and 1.9 billion usernames and passwords exposed via data breaches and traded on black market forums. They then measured the volume of victims affected by each source of credential theft.

Thieves’ tactics

The original 12-page study is available as a PDF and it’s well worth a Google. The researchers said:

“Through a combination of password re-use across thousands of online services and targeted collection, we estimated 7-25 per cent of stolen passwords in our dataset would enable an attacker to log in to a victim’s Google account and thus take over their online identity due to transitive trust,” the report said. The researchers described their work as: “the first longitudinal measurement study of how miscreants obtain stolen credentials and subsequently bypass risk-based authentication schemes to hijack a victim’s account”.

Although the study focused on Google’s Gmail service, the researchers said that attackers’ password-stealing tactics threaten all account-based online services. “In the case of third-party data breaches, 12 per cent of the exposed records included a Gmail address serving as a username and a password; of those passwords, 7 per cent were valid due to reuse. When it comes to phishing and keyloggers, attackers frequently target Google accounts to varying success: 12-25 per cent of attacks yield a valid password.”

Deciphering the data

There are lots of ways to interpret the findings. ZDnet’s account of the research points out the contrast between phishing and data breaches. Although breaches are increasingly high profile and are widely reported, they nevertheless pose far less risk to users than phishing. Sophos’ Naked Security blog used the research to call for multi-factor authentication as a way of strengthening protection for email accounts.

 The Register quoted the security expert Per Thorsheim, who praised the research. “This is very useful for both research and practical improvements. Having said that I’m afraid many don’t have the mandate, budget or understanding that this isn’t just a threat to Google, it is a threat to almost anything online,” he said.

Poor password hygiene

SC Magazine’s opening paragraph drew attention to another finding from the research. A byproduct of trawling online markets and examining data leaks was uncovering the passwords that people use the most. The top five, in depressingly familiar order, were: 123456, password, 123456789, abc123 and password1.

John Pescatore, a director of the SANS Institute, said reusing passwords across many accounts helps make phishing so effective. He called on businesses to use two-factor authentication to protect their accounts. In a blog earlier this year about good password practice, BH Consulting’s Brian Honan recommended using pass phrases instead. Alternatively, he suggested using a password manager as a way of handling logins securely across multiple online services.