October 29, 2017
Did you know that Americans are almost four times more worried about getting their computers and smartphones hacked than about being murdered? There is a good reason for that. Nearly 2 billion stolen passwords and usernames are available on the black market, and up to 25% of them will still work on a Google account, according to a new study from Google, the University of California, Berkeley and the International Computer Science Institute.
The recently published white paper uses Google’s own, carefully controlled internal “proprietary data” as a case study to test whether the hacked passwords and other account data traded on hacker forums and the dark web actually work on real accounts. It concludes that hundreds of millions of the usernames and passwords traded on black markets can be used to access Google accounts.
According to the report, “Through a combination of password re-use across thousands of online services and targeted collection, we estimated 7–25% of stolen passwords in our dataset would enable an attacker to log in to a victim’s Google account and thus take over their online identity due to transitive trust.”
There are more than 1.9 billion usernames and passwords on “black market” forums, write the researchers.
In plain English, this means that a lot of people used the same password for multiple online accounts, such as their MySpace and Google accounts. When MySpace’s database was breached, hackers could simply try all the breached passwords on Google, hoping that some would work, and they did.
MySpace wasn’t the only big site that had seen its database of usernames and associated password data breached.
This problem with password reuse has resulted in some of the most high-profile “hacks” in recent years. For example, Facebook CEO Mark Zuckerberg used the same password — “dadada” — for his Twitter and Pinterest accounts, which were briefly taken over in 2016 by hackers calling themselves the OurMine team.
OurMine, reportedly using stolen passwords, also targeted Google CEO Sundar Pichai, actor Channing Tatum and Amazon CTO Werner Vogels.
The researchers also looked at the specific pieces of malware used for phishing and for secretly recording what a user types.
Phishing kits are used to send fake emails containing links to websites that look the same as Yahoo or Hotmail, so unsuspecting users simply type their passwords into the sketchy site. There are 12.4 million potential victims of these kits, write the researchers.
There are also thousands of different “keyloggers,” which run on a victim’s computer and send information back to a hacker, according to the report. These keyloggers have names like “HawkEye” and “Cyborg Logger.”
It turns out that, although there are lots of developers selling and distributing this kind of malware, there have been almost no changes in years to how the core technology works.
“Compared to the capabilities of keyloggers and phishing kits dating back to the mid-2000s, we observe a marked lack of pressure on blackhat developers to evolve their core technologies,” the researchers write. “Phishing kits reported nearly a decade ago still rely on the same PHP skeleton and approach for reporting stolen credentials,” the report continues.
What you can do
The researchers say there are a few easy steps users (as well as the database owners) can take to protect themselves.
The researchers recommend two-factor authentication, which means that when logging in, a user would need a special security key or to type in a code sent through a text message to gain full access to an account.
The researchers also recommend using a password manager, which creates a new random password for each site — so if one site is breached, then hackers don’t have access to your other accounts, especially your email.
Another easy thing to do is to stop using an insecure password, especially if you’re one of the Americans who are four times more worried about getting hacked than murdered. Two of the most commonly used passwords – “123456” and “abc123” – are still in use; if you are using either one, change it immediately!
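As an added illustration (this is not code from the report or from this post), the following Python audit runs over a constructed sample password vault and a constructed breach dump and flags the three problems described above: a credential that appears in a breach dump, a password reused across sites (the transitive-trust problem), and a commonly used password. It then generates a random replacement per flagged site, which is what a password manager does for you. All site names, usernames and passwords are made-up sample data.

```python
import secrets
import string

# Constructed sample data: a user's own credential list (site -> (username, password))
# and a few rows from a simulated breach dump of another service.
VAULT = {
    "myspace.example": ("alice", "dadada"),
    "mail.example": ("alice", "dadada"),
    "shop.example": ("alice", "abc123"),
    "bank.example": ("alice", "Tq7!vR2#pL9s"),
}
BREACH_DUMP = {("alice", "dadada"), ("bob", "hunter2")}
COMMON_PASSWORDS = {"123456", "abc123", "password", "qwerty"}


def audit_vault(vault, breach_dump, common=COMMON_PASSWORDS):
    """Return {site: [reasons]} for every account whose password should be replaced."""
    # Group sites by password so reuse can be reported per site.
    sites_by_password = {}
    for site, (_user, password) in vault.items():
        sites_by_password.setdefault(password, []).append(site)

    findings = {}
    for site, (user, password) in vault.items():
        reasons = []
        if (user, password) in breach_dump:
            reasons.append("in breach dump")
        others = sorted(s for s in sites_by_password[password] if s != site)
        if others:
            # Even if this site was never breached, a breach elsewhere exposes it.
            reasons.append("reused on " + ", ".join(others))
        if password in common:
            reasons.append("common password")
        if reasons:
            findings[site] = reasons
    return findings


def new_password(length=16):
    """Generate a random password from letters, digits and a few symbols."""
    alphabet = string.ascii_letters + string.digits + "!#^"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def replacements(findings):
    """One fresh, unique random password for every flagged site."""
    return {site: new_password() for site in findings}


if __name__ == "__main__":
    for site, reasons in audit_vault(VAULT, BREACH_DUMP).items():
        print(f"{site}: {'; '.join(reasons)}")
```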
Forced password changes using a combination of uppercase and lowercase letters, numbers and symbols such as the exclamation mark, pound sign and caret (^) are a great start. Firewalls, monitoring systems and regular scans for viruses and malware are also necessary. If you would like to know more about these protection processes, please call our Las Vegas office at 702-931-2022 as we at Louis Mamo & Company can assist you in securing your systems, equipment, information and identification.
To read the entire report from Google, the University of California, Berkeley and the International Computer Science Institute, click here.