Google has delved into the darker parts of the internet as part of a year-long research project analysing how cybercriminals manage to hijack user accounts by obtaining passwords and login codes.
In collaboration with the University of California, Berkeley, Google’s research, which ran from March 2016 to March 2017, examined three common ways hackers manage to hijack accounts. Two of the three – phishing and keylogging – were used by cybercriminals to steal up to a staggering 250,000 account logins every week, Google found.
That’s around one million account credentials that are potentially stolen every month. Let that sink in.
The largest number of stolen logins that Google found for sale on black markets came from third-party data breaches. This totalled 3.3 billion, which sounds like an incredible figure at a glance, but considering the scale of recent breaches at Yahoo, MySpace, Equifax, and LinkedIn, the number isn’t all that surprising.
In terms of risk to users, however, Google says that data breaches fall far behind phishing, where a hacker pretends to be a person or company and directly asks for user data, and keylogging, which is a more direct attack that records users’ keystrokes as they type.
This is particularly true for Google accounts, the search giant explains. While data breaches are usually restricted only to passwords – which isn’t enough to bypass Google’s security prevention systems – phishing and keylogging tools often hunt for more personal data.
“We found 82% of blackhat phishing tools and 74% of keyloggers attempted to collect a user’s IP address and location, while another 18% of tools collected phone numbers and device make and model,” reads the post on Google’s Security Blog.
With more information about the user in hand, phishing and keylogging techniques are far more successful. Google says that 12-25% of the attacks recorded during its research yielded a valid password, while third-party breaches settled at 12%.
Throughout the research, Google’s sources helped it identify 788,000 credentials stolen through keyloggers, and 12 million obtained through phishing.
Thankfully, the research has given Google some incredibly useful data that it has already put into action. It claims that 67 million vulnerable Google accounts have now been protected and that the knowledge the company has gained is being poured back into its own security systems.
If you’re worried about your own account’s security, Google recommends you run a Security Checkup immediately. Google accounts already have a fair amount of in-built security, but one of the easiest account protections you can add yourself quickly is two-factor authentication.