Theft of credentials, especially information providing access to online accounts, is reaching epidemic proportions. Case in point, the following data was compiled between March 2016-March 2017 by researchers from Google, the University of California, Berkeley, and the International Computer Science Institute:

  • 788,000 individuals fell victim to off-the-shelf keyloggers
  • 12.4 million individuals were successfully fooled by phishing kits
  • 1.9 billion individuals became victims because of data breaches

The group gathered the above data hoping to determine the ease at which cybercriminals abscond with victims’ access credentials, and ultimately their online identity. “We delve in the global reach of the miscreants involved in credential theft,” explain the researchers in their paper Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials (PDF). “We observe a remarkable lack of external pressure on bad actors, with phishing kit playbooks and keylogger capabilities remaining largely unchanged since the mid-2000s.”

SEE: Lunch and learn: Dealing with the risks of identity theft (Tech Pro Research)

What is credential theft, and why is it a big deal?

Credential theft is any means by which a victim’s (person or business) proof of identity (physical or digital) is stolen with the intent to either pilfer from the victim or hide behind the victim’s identity when committing a crime. As to why it’s a bigger deal than most think, here’s an excerpt from the Palo Alto white paper Understanding the Role of Stolen Credentials in Data Breaches:

“The theft and use of stolen passwords is one of the oldest attacks in the book, yet it remains highly effective. With stolen credentials, an adversary can bypass the entire attack lifecycle by impersonating a valid user, move uninterrupted throughout the organization’s network, and shift to the abuse of credentials from within.”

Put simply, the cybercriminal has the same access as the victim. What’s more, this likely gives attackers access to many other online applications and platforms because we humans tend to use the same credentials–especially usernames and passwords–over and over.

SEE: Cybersecurity in an IoT and mobile world (free PDF) (ZDNet/TechRepublic special report)

The authors of the paper write: “Through a combination of password re-use across thousands of online services and targeted collection, we estimate 7-25 percent of stolen passwords in our dataset would enable an attacker to log in to a victim’s account and take over their online identity due to transitive trust.”

If, for example, a victim’s credentials are stolen, an attacker could:

  • reset the password, locking the victim out of the account;
  • download some or all of the victim’s private data; and
  • remotely wipe the victim’s data and backups.

The researchers focused on email credentials

To make things manageable, the study concentrated on email-credential theft. The team members measured the volume of credential-stealing attacks, determined how successful the attackers were in obtaining valid email credentials, and whether it led to the hijacking of victims’ accounts.

Figure A is indicative of the collection frameworks used by the researchers. This particular framework identifies credential leaks on public websites and forums where a majority of stolen credentials eventually show up. “We detect when this happens by regularly crawling a set of paste sites and blackhat forums, as well as the public internet at-large in order to identify content that may contain emails and passwords,” writes the researchers in their paper. The researchers also checked private, member-only forums for leaked credentials.

Key findings of the credential theft study

The team’s frameworks uncovered something unexpected: The risk of a complete email-account takeover depends on how the victim’s credentials are first acquired. “We find victims of phishing are 400x more likely to be successfully hijacked compared to a random Google user,” state the researchers. “In comparison, this rate falls to 10x for data breach victims and roughly 40x for keylogger victims. This discrepancy results from phishing kits actively stealing risk profile information to impersonate a victim, with 83% of phishing kits collecting geolocations, 18% phone numbers, and 16% User-Agent data.”

Fortunately, the researchers write that to their knowledge none of the exposed email credentials were obtained from data breaches occurring at email providers.

SEE: What is phishing? Everything you need to know to protect yourself from scam emails and more (ZDNet)

The best ways to mitigate credential theft

The paper’s authors suggest the scale of black-market activity surrounding stolen credentials highlights the futility of authentication based on single-factor authentication (i.e., usernames and passwords). They recommend, “Immediate solutions to the shortcomings of risk profiles include migrating users to unphishable two-factor authentication (2FA) or password managers that associate credentials with specific domains.”