Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials

Conference: Computer and Communications Security
Authors: Kurt Thomas, Frank Li, Ali Zand,
BibTeX Citation

@inproceedings{THOMAS2017DATA,
  title = {Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials},
  author = {Kurt Thomas and Frank Li and Ali Zand and Jacob Barrett and Juri Ranieri and Luca Invernizzi and Yarik Markov and Oxana Comanescu and Vijay Eranti and Angelika Moscicki and Daniel Margolis and Vern Paxson and Elie Bursztein},
  booktitle = {Computer and Communications Security},
  year = {2017},
  organization = {ACM}
}

In this paper, we present the first longitudinal measurement study of the underground ecosystem fueling credential theft and assess the risk it poses to millions of users. Over the course of March, 2016–March, 2017, we identify 788,000 potential victims of off-the-shelf keyloggers; 12.4 million potential victims of phishing kits; and 1.9 billion usernames and passwords exposed via data breaches and traded on blackmarket forums.

Using this dataset, we explore to what degree the stolen passwords—which originate from thousands of online services—enable an attacker to obtain a victim’s valid email credentials—and thus complete control of their online identity due to transitive trust. Drawing upon Google as a case study, we find 7–25% of exposed passwords match a victim’s Google account.

For these accounts, we show how hardening authentication mechanisms to include additional risk signals such as a user’s historical geolocations and device profiles helps to mitigate the risk of hijacking. Beyond these risk metrics, we delve into the global reach of the miscreants involved in credential theft and the blackhat tools they rely on. We observe a remarkable lack of external pressure on bad actors, with phishing kit playbooks and keylogger capabilities remaining largely unchanged since the mid-2000s.
