82 — Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials
Thomas et al (https://people.eecs.berkeley.edu/~frankli/papers/google_account_compromise.pdf)
Read on 11 November 2017Like most security research, this paper left me uncomfortable about the state of modern cyber-security.
These authors collected millions of passwords in leaked dumps, using freely available and online sources. They then analyzed the passwords to draw conclusions about how users re-use and design passwords. Somewhat distressingly, unless I’ve grossly misread this paper, they also compared these passwords to the users’ unleaked Google passwords to find that 7–25% of leaked passwords match the user’s Google password. (I appreciate that they only compared hashed values, but I’d still like to imagine that my credentials are stored in no-human-eyes-ever deep dark vaults protected by sphinx armed with large-prime-number-involving-riddles.)
The researchers then obtained thousands of keylogger and remote-access tools from “an undisclosed source” and used the signatures of the password-logging messages it sent out (presumably, to the miscreant’s email) to train the online Gmail abuse filters to identify password exfiltration. (One co-author was Elie Burzstein, lead of Anti-Abuse Research at Google.)
When these types of messages were flagged, Google found more than 12 million emails, sent to nearly twenty thousand different addresses, in the Gmail ecosystem alone.
These authors had extremely attractive charts in this paper.