GlobalSign Blog

UC Berkeley Study Fishes for Answers on Phishing Toolkits

UC Berkeley Study Fishes for Answers on Phishing Toolkits

According to a September cybersecurity crime study from Accenture, companies spent an average of nearly $1.3 million recovering from phishing and social engineering attacks.

Given the nature of these attacks and widespread concerns about the havoc they wreak, researchers are always examining them and trying to understand the attackers, their methods and of course, the severity of their impact.

Students at the University of California, Berkeley are one such group to investigate phishing and recently published a measurement study on it, and the underground ecosystem fueling credential theft.

For their study, the Berkeley team focused on the time period of March 2016 – March 2017. Among other things, their study identified 12.4 million victims of phishing kits and 1.9 billion usernames and passwords exposed via data breaches and traded on black market forums. The researchers noted that their samples “demonstrate the massive scale of credential theft occurring in the wild.”

To conduct the study, the researchers developed an automated framework that monitored black market bad actors and stolen credentials. The researchers explored to what degree the stolen passwords enable attackers to obtain victim’s valid email credentials and subsequently control of their online identity. They did so by acquiring a sample of 10,037 phishing kits, 3,785 credential leaks and 15,579 keyloggers. 

A main component of the study was examining phishing kits, which are easily deployed packages capable of creating and configuring phishing content while also providing built-in support for reporting stolen credentials. The number of phishing sites relying on kits is unclear, but according to a paper presented at the IEEE eCrime Researchers Summit in 2013, previous studies indicate that 10% of phishing sites active that year left very little evidence of an actual kit.

Phishing Is the Most "Successful" Type of Attack

The study also discovered that the risk of complete email takeover depended significantly on how attackers first acquire a victim’s re-used credentials. Using Gmail as an example, the study found that only 7% of victims in third party data breaches had their current, valid Google password exposed compared to 25% of phishing victims. The number of Google users impacted by the phishing activities totalled more than 2.3 million meaning over 578,000 valid passwords were obtained by attackers using these kits.  In addition, bad actors also have varying success at emulating historical login behavior and device profile of targeted accounts.

The study also found victims of phishing are 400x more likely to be successfully hijacked compared to a random Google user. This rate actually falls to 10x for data breach victims and roughly 40x for keylogger victims, a discrepancy resulting from phishing kits actively stealing risk profile information to impersonate victims, with 83% of phishing kits collecting geolocations, 17% phone numbers and 16% user-agent data.

The study results also suggested that even a year later, victims remained unaware their passwords were exposed and at risk.

Also uncovered was the discovery of 4,069 distinct phishing kits (and 52 keyloggers) that were responsible for the active attacks in the year-long study. The most used phishing kit, a site that emulates Gmail, Yahoo and Hotmail logins – was used by 2,599 blackhat actors to steal nearly 1.5 million credentials.

Other Study Findings

One of the scenarios the study examined was weekly activity for the top five phishing kits, where they discovered “bursty, campaign-like behavior,” which suggested to them only a limited number of actors have a significant impact. More specifically, the second most popular phishing kit, which emulated Workspace Webmail, affected only 2,500 potential victims weekly during breaks, however the numbers jumped to as many as 69,000 victims during more active periods of coordinated activity.

Interestingly, it appears that phishing attackers are still relying on the same technology they used a decade ago, yet still have the ability to inflict damage.

Silver Lining

The problem of stolen credentials is daunting, however if there’s any good news from the study, when the research team examined the likelihood of a repeat of the incident with the same group of victims, the number was surprisingly low, with just two percent of users falling victim again to the hackers. The team surmised that password resetting may be a sufficient enough to address account compromise. Though for people victimized more than once, it’s possible that malware infections harvest newly changed passwords, or they were deceived by another phishing attack after their initial recovery.

The researchers conclude that their findings demonstrate the global reach of credential theft and the ongoing need to educate users about password managers and “unphishable” two-factor authentication as potential solution. We agree wholeheartedly with this advice – use strong, unique passwords across your accounts and implement multi-factor authentication whenever you can.

We also can’t stress enough how important it is to stay vigilant in regards to phishing. This stance is further reinforced by the results of the study – credentials stolen through phishing attacks are by far the most likely to be valid and allow hackers to take over your account. Take a second before you click on any links or enter any information into a website. Who sent the email? Is the website legitimate? We’ve compiled some tips for spotting phishing emails and websites to help.

Share this Post

Recent Blogs