Data breaches, phishing, or malware? Understanding the risks of stolen credentials
Publication Year: 2017
Authors: Kurt Thomas, Frank Li, Ali Zand, Jacob Barrett, Juri Ranieri, Luca Invernizzi, Yarik Markov, Oxana Comanescu, Vijay Eranti, Angelika Moscicki, Daniel Margolis, Vern Paxson, Elie Bursztein
Abstract
In this paper, we present the first longitudinal measurement study of the
underground ecosystem fueling credential theft and assess the risk it poses to
millions of users. Over the course of March 2016 to March 2017, we identify 788,000
potential victims of off-the-shelf keyloggers; 12.4 million potential victims of
phishing kits; and 1.9 billion usernames and passwords exposed via data breaches
and traded on blackmarket forums. Using this dataset, we explore to what degree the
stolen passwords---which originate from thousands of online services---enable an
attacker to obtain a victim's valid email credentials---and thus complete control
of their online identity due to transitive trust. Drawing upon Google as a case
study, we find 7--25% of exposed passwords match a victim's Google account. For
these accounts, we show how hardening authentication mechanisms to include
additional risk signals such as a user's historical geolocations and device
profiles helps to mitigate the risk of hijacking. Beyond these risk metrics, we
delve into the global reach of the miscreants involved in credential theft and the
blackhat tools they rely on. We observe a remarkable lack of external pressure on
bad actors, with phishing kit playbooks and keylogger capabilities remaining
largely unchanged since the mid-2000s.