How did someone hijack your Gmail? Phishing, keylogger or password reuse, we're guessing

Google has teamed up with computer scientists at the University of California, Berkeley, to find out how exactly hijackers take over its users' accounts.

The eggheads peered into online black markets where people's login details are bought and sold to get an idea of the root cause of these account takeovers and the subsequent theft of people's sensitive personal information. Apparently, just over one in ten netizens have reported attempts by miscreants to commandeer their social network and email accounts.

Unsurprisingly, passwords are mainly stolen via phishing attacks or keyloggers, or are reused by people on multiple websites and services that are later hacked, spilling the keys to their other accounts. In a report published on Thursday, the team noted:

Our research tracked several black markets that traded third-party password breaches, as well as 25,000 blackhat tools used for phishing and keylogging. In total, these sources helped us identify 788,000 credentials stolen via keyloggers, 12 million credentials stolen via phishing, and 3.3 billion credentials exposed by third-party breaches.

While our study focused on Google, these password stealing tactics pose a risk to all account-based online services. In the case of third-party data breaches, 12 per cent of the exposed records included a Gmail address serving as a username and a password; of those passwords, 7 per cent were valid due to reuse. When it comes to phishing and keyloggers, attackers frequently target Google accounts to varying success: 12-25 per cent of attacks yield a valid password.

However, because a password alone is rarely sufficient for gaining access to a Google account, increasingly sophisticated attackers also try to collect sensitive data that we may request when verifying an account holder’s identity. We found 82 per cent of blackhat phishing tools and 74 per cent of keyloggers attempted to collect a user’s IP address and location, while another 18 per cent of tools collected phone numbers and device make and model.

By ranking the relative risk to users, we found that phishing posed the greatest threat, followed by keyloggers, and finally third-party breaches.

Per Thorsheim‏, an infosec bod who founded the PasswordsCon conference, praised Google’s “solid research."

“I'm impressed," he told us. “This is very useful for both research and practical improvements. Having said that I'm afraid many don't have the mandate, budget or understanding that this isn't just a threat to Google, it is a threat to almost anything online."

Google has applied insights gleaned from its research to better protect its user accounts, we're told: for example, through its recently announced advanced protection program that uses two-factor authentication tokens. It hopes other online services take a look at the findings and shore up their defenses, too. Above all, Google's indirectly saying: if your Gmail account gets hacked, it's your fault for losing your password, and not because we did a Yahoo!

The research was presented at this year's Conference on Computer and Communications Security (CCS) conference under the title, Data breaches, phishing, or malware? Understanding the risks of stolen credentials. ®