Editorial: Why the University of California-Berkeley study on understanding the risk of stolen credentials is so important


A new 15-page study published by the University of California-Berkeley, using data gathered from Google as its case study, found that 25 per cent of the Google accounts within the data set were exposed and open to hackers looking to steal account information. It also found that phishing scams, in the form of fake emails, are still the number one option for scammers seeking to gain control of these accounts.

Limiting their study to a single year—March 2016 to March 2017—the researchers built a framework to put ready-made phishing kits and blackhat tools to the test. Casting a broad net that included multiple email providers and websites requiring verification and sign-in, they identified 788,000 potential victims of keylogging, 12.4 million potential victims of phishing and 1.9 billion usernames and passwords exposed by data breaches.

While the study does state that the samples gathered are only a small representation of nefarious underground activity, it does demonstrate the wide-ranging credential theft occurring all over the internet. Part of the reasoning for the study stems from the need to include outside factors: “hardening authentication mechanisms to include additional risk signals such as a user’s historical geolocations and device profiles helps to mitigate the risk of hijacking.”

But what I find most interesting about the study is not only the ways in which the 13 researchers gathered data but the three different “market segments” most commonly used to pull off various types of scams:

“Our study captures three market segments: (1) forums that trade credential leaks exposed via data breaches; (2) phishing kits that deceive users into submitting their credentials to fake login pages; and (3) off-the-shelf keyloggers that harvest passwords from infected machines.”

In the same paragraph it’s written that the number of people affected is measured against each category, with the conclusion that phishing scams are still the most popular way of gaining access to internet identities. But why is this important? Because despite the seemingly high-tech nature of scams and frauds today—looking to the recent NSA hacks as an example—it’s still the simple and basic principles of human psychology that are most effective when it comes to stealing sensitive information; relying on human curiosity to open new emails or click on embedded links hasn’t changed, and these new technologies have just made the deception harder to spot.

There is often a natural inclination (I know there is with me) to assume that the terrible events we hear about in the news and read about online won’t happen to us. This study, like the plethora of related information that has come before it, shows that we need to fight off this assumption and take the necessary precautions to stay safe when using something as innocuous as email. To illustrate this, the report describes how hackers behave once they do gain access to Google or third-party accounts that centralize large amounts of user data:

“Onaolapo et al. leaked 100 email accounts via paste sites, underground forums, and virtual machines infected with malware [31]. They found a majority of miscreants searched the email history of accounts for financial data, while a smaller set used the accounts for spamming. Bursztein et al. reported a similar strategy where hijackers searched each victim’s email history for financial records and credentials related to third-party services [5].”

We know the above excerpt is nothing mind-blowing, since most of us instinctively know what hackers want when trying to gain access to our accounts. But when it came to the scams in connection with Twitter and Facebook later on in the paragraph, I was baffled:

“Gao et al. identified 57,000 Facebook accounts that created 200,000 spam posts; they estimated 97% of the accounts were in fact compromised [14]. Finally, Thomas et al. examined cascades of hijacking campaigns on Twitter [36]. They identified 13.8 million compromised accounts used for both infecting other users and for posting spam. These behaviors illustrate a variety of strategies for monetizing stolen credentials—spam, financial fraud, and stepping stone access to other accounts.”

The study goes into depth on how the researchers set up their automated collection framework to gather all of the user information they were able to find, which is fantastic. Furthermore, the study states that all of the affected accounts they came across were turned over to Google, which in turn applied stringent security measures to re-establish the privacy of those accounts. You can read the full study here and I encourage everyone to do so.

The study should be read not as a way of shaming yourself into bettering your security online, because that doesn’t bring about change. Tangible and practical awareness does. And when 50 per cent of the affected accounts out of a whopping 1,092,567,042 credential leaks come from Google and Yahoo, it’s important to realize the very real possibility that you could become one of these statistics, if you aren’t already. Cybersecurity and fraudulent activity online isn’t something we can choose to ignore any longer; wishing the bad news away onto someone we don’t know doesn’t work.

Understanding how to protect yourself (not using the same password for every account, for example) is the first step in minimizing the chances of being affected. So if you don’t recognize the sender of an email, or if something seems off when you hover over a link, fight the urge to click and you’ll be all the better for it.
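As an added example (not part of the editorial or of the Berkeley study it discusses), the “hover before you click” check from the last paragraph can be automated: the script below parses the anchors in a constructed HTML email and flags any link whose visible text names a different domain than the one its href actually points to, or whose host is a bare IP address.

```python
# Added example: an automated version of the "hover over the link" check.
# Parses anchors in an HTML email body and flags links whose visible text
# names one domain while the href goes somewhere else. SAMPLE_EMAIL is a
# constructed message, not one from the study.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently being read
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude eTLD+1: the last two labels (fine for .com/.net style hosts)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def suspicious_links(html_body):
    """Return (href, visible_text, reason) for links a careful hover would reject."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        shown = DOMAIN_RE.search(text)   # a domain the reader *sees* in the text
        if not host:
            continue
        if IPV4_RE.fullmatch(host):
            findings.append((href, text, "bare IP address as host"))
        elif shown and registered_domain(shown.group(1)) != registered_domain(host):
            findings.append((href, text, f"text says {shown.group(1)}, href goes to {host}"))
    return findings


SAMPLE_EMAIL = """<p>Your account was locked. Restore access at
<a href="http://accounts-google.com.example.net/login">https://accounts.google.com/</a>
or see <a href="https://support.google.com/">our help centre</a>.</p>"""
```

Running `suspicious_links(SAMPLE_EMAIL)` flags only the first link, whose text shows a Google address while the href leads to an unrelated host.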