Data Breaches, Phishing, or Malware?
According to a recent study, Google researchers identified 788,000 potential victims of off-the-shelf keyloggers; 12.4 million potential victims of phishing kits; and 1.9 billion usernames and passwords exposed via data breaches and traded on black market forums. Using this dataset, they explored to what degree the stolen passwords—which originate from thousands of online services—enable an attacker to obtain a victim’s valid email credentials—and thus complete control of their online identity due to transitive trust.
Google’s analysis showed that less than 7 percent of the passwords exposed in third-party data breaches were still valid for the victim’s Google account, and those only because of password reuse. Furthermore, the company’s data suggests that credential leaks are becoming less likely to result in account takeover as password reuse rates decrease.
Phishing: The #1 threat to your users
On the other hand, nearly a quarter of the passwords stolen via phishing attacks were valid, and Google believes phishing victims are 460 times more likely to have their accounts hacked compared to a random user. As for keyloggers, nearly 12 percent of the compromised passwords were valid, and falling victim to such malware increases the chances of account takeovers 38 times.
“Our findings were clear: enterprising hijackers are constantly searching for, and are able to find, billions of different platforms’ usernames and passwords on black markets,” Google employees wrote in a blog post. “While we have already applied these insights to our existing protections, our findings are yet another reminder that we must continuously evolve our defenses in order to stay ahead of these bad actors and keep users safe.”
Google thus concluded that many users reuse a single login across different web services. That convenience gives phishing scams the potential to do far more damage, since one stolen password can unlock many accounts rather than just one.
Phishing Your Users is Fun!
By now you understand that the bad guys are out to get us, and they are succeeding by using phishing. By going after your users, they bypass your firewall, endpoint protection, and other technology-based security measures. So, what is there to do? Have you thought of phishing your own users to see who the culprits are?
Phish your own employees, then work out how to get them through effective Security Awareness Training. Here are a couple of ways to determine the Phish-prone percentage of your end-users:
- Raise a temporary webserver and create your own phishing site. Then create your own phishing email that should lure users to your fake site, using what you know about Social Engineering. Work out how the tracking and reporting work, and code that. Make it all look acceptable. This takes a few days of work for someone who knows what they are doing. Next, send the email to all users using a mail server that allows you to spoof the From address. Then keep track, and fend off users calling and emailing about this. Fend off your manager, who is getting calls from other managers about this, despite the fact that it was all announced well in advance. All this on top of my normal 60 hours per week workload? Forget that, never gonna happen.
- Check out the guys from KnowBe4 and Cybriant. We manage the phishing, analysis, and training of your employees. Find out more: https://www.cybriant.com/cybersecurity-awareness-training/