DOI: 10.1145/3133956.3134067 (ACM CCS Conference Proceedings)
Research article, Open Access

Data Breaches, Phishing, or Malware?: Understanding the Risks of Stolen Credentials

Published: 30 October 2017

ABSTRACT

In this paper, we present the first longitudinal measurement study of the underground ecosystem fueling credential theft and assess the risk it poses to millions of users. Over the course of March 2016--March 2017, we identify 788,000 potential victims of off-the-shelf keyloggers; 12.4 million potential victims of phishing kits; and 1.9 billion usernames and passwords exposed via data breaches and traded on black market forums. Using this dataset, we explore to what degree the stolen passwords---which originate from thousands of online services---enable an attacker to obtain a victim's valid email credentials---and thus complete control of their online identity due to transitive trust. Drawing upon Google as a case study, we find 7--25% of exposed passwords match a victim's Google account. For these accounts, we show how hardening authentication mechanisms to include additional risk signals, such as a user's historical geolocations and device profiles, helps to mitigate the risk of hijacking. Beyond these risk metrics, we delve into the global reach of the miscreants involved in credential theft and the blackhat tools they rely on. We observe a remarkable lack of external pressure on bad actors, with phishing kit playbooks and keylogger capabilities remaining largely unchanged since the mid-2000s.
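The risk-signal hardening the abstract describes, as an added illustration that is not the paper's or Google's code: a login is admitted only when the password is correct and the device profile and geolocation match the account's history; otherwise it is routed to a step-up challenge. Device ids, country codes, the scoring weights and the use of PBKDF2 are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

@dataclass
class UserProfile:
    salt: bytes
    password_hash: bytes
    known_devices: set = field(default_factory=set)    # device profiles seen before
    known_countries: set = field(default_factory=set)  # historical geolocations

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever slow hash a real service uses (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def new_profile(password: str, devices: set, countries: set) -> UserProfile:
    salt = os.urandom(16)
    return UserProfile(salt, hash_password(password, salt), set(devices), set(countries))

def password_matches(profile: UserProfile, password: str) -> bool:
    return hmac.compare_digest(hash_password(password, profile.salt), profile.password_hash)

def risk_score(profile: UserProfile, device_id: str, country: str) -> int:
    # Weights are assumptions: an unseen device is a stronger hijack signal
    # than an unseen country, since travel is more common than a new device.
    score = 0
    if device_id not in profile.known_devices:
        score += 2
    if country not in profile.known_countries:
        score += 1
    return score

def risk_decision(profile: UserProfile, password: str, device_id: str, country: str) -> str:
    # A correct password is necessary but not sufficient: a credential stolen via
    # breach, phishing kit or keylogger is usually replayed from a device and
    # location the account has never used, so such attempts get a step-up challenge.
    if not password_matches(profile, password):
        return "deny"
    score = risk_score(profile, device_id, country)
    if score == 0:
        return "allow"                 # familiar device and location
    if score < 3:
        return "challenge"             # one unfamiliar signal: ask for a second factor
    return "challenge_and_notify"      # nothing familiar: also alert the account owner

def record_success(profile: UserProfile, device_id: str, country: str) -> None:
    # After a passed challenge the new signals join the account's history.
    profile.known_devices.add(device_id)
    profile.known_countries.add(country)
```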


