DOI: 10.1145/3133956.3134067
Research article (open access)

Data Breaches, Phishing, or Malware?: Understanding the Risks of Stolen Credentials

Published: 30 October 2017

Abstract

In this paper, we present the first longitudinal measurement study of the underground ecosystem fueling credential theft and assess the risk it poses to millions of users. Over the course of March, 2016--March, 2017, we identify 788,000 potential victims of off-the-shelf keyloggers; 12.4 million potential victims of phishing kits; and 1.9 billion usernames and passwords exposed via data breaches and traded on blackmarket forums. Using this dataset, we explore to what degree the stolen passwords---which originate from thousands of online services---enable an attacker to obtain a victim's valid email credentials---and thus complete control of their online identity due to transitive trust. Drawing upon Google as a case study, we find 7--25% of exposed passwords match a victim's Google account. For these accounts, we show how hardening authentication mechanisms to include additional risk signals such as a user's historical geolocations and device profiles helps to mitigate the risk of hijacking. Beyond these risk metrics, we delve into the global reach of the miscreants involved in credential theft and the blackhat tools they rely on. We observe a remarkable lack of external pressure on bad actors, with phishing kit playbooks and keylogger capabilities remaining largely unchanged since the mid-2000s.

Supplemental Material

MP4 File




    Published In

    CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security
    October 2017, 2682 pages
    ISBN: 9781450349468
    DOI: 10.1145/3133956
    This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives International 4.0 License.

    Publisher

    Association for Computing Machinery, New York, NY, United States

    Publication History

    Published: 30 October 2017

    Author Tags

    1. authentication
    2. data breach
    3. keylogger
    4. password
    5. password reuse
    6. phishing
    7. phishing kit
    8. risk analysis

    Qualifiers

    • Research-article

    Conference

    CCS '17

    Acceptance Rates

    CCS '17 paper acceptance rate: 151 of 836 submissions (18%)
    Overall acceptance rate: 1,261 of 6,999 submissions (18%)


    Article Metrics

    • Downloads (last 12 months): 4,577
    • Downloads (last 6 weeks): 213
    Reflects downloads up to 31 Dec 2024

    Cited By

    • Nudging Data Privacy of Mobile Health Applications in Saudi Arabia. International Journal of Information Security and Privacy 18(1):1-19, 7 Jun 2024. doi:10.4018/IJISP.345647
    • Artificial Intelligence in Cybersecurity: A Review and a Case Study. Applied Sciences 14(22):10487, 14 Nov 2024. doi:10.3390/app142210487
    • A Novel Protocol Using Captive Portals for FIDO2 Network Authentication. Applied Sciences 14(9):3610, 24 Apr 2024. doi:10.3390/app14093610
    • Understanding Characteristics of Phishing Reports from Experts and Non-Experts on Twitter. IEICE Transactions on Information and Systems E107.D(7):807-824, 1 Jul 2024. doi:10.1587/transinf.2023EDP7221
    • Encouraging Users to Change Breached Passwords Using the Protection Motivation Theory. ACM Transactions on Computer-Human Interaction 31(5):1-45, 30 Aug 2024. doi:10.1145/3689432
    • Call Me By My Name: Simple, Practical Private Information Retrieval for Keyword Queries. Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security, pp. 4107-4121, 2 Dec 2024. doi:10.1145/3658644.3670271
    • Beneath the Phishing Scripts: A Script-Level Analysis of Phishing Kits and Their Impact on Real-World Phishing Websites. Proceedings of the 19th ACM Asia Conference on Computer and Communications Security, pp. 856-872, 1 Jul 2024. doi:10.1145/3634737.3657013
    • Nothing Personal: Understanding the Spread and Use of Personally Identifiable Information in the Financial Ecosystem. Proceedings of the Fourteenth ACM Conference on Data and Application Security and Privacy, pp. 55-65, 19 Jun 2024. doi:10.1145/3626232.3653266
    • Flow Interaction Graph Analysis: Unknown Encrypted Malicious Traffic Detection. IEEE/ACM Transactions on Networking 32(4):2972-2987, Aug 2024. doi:10.1109/TNET.2024.3370851
    • Digital Security - A Question of Perspective: A Large-Scale Telephone Survey with Four At-Risk User Groups. 2024 IEEE Symposium on Security and Privacy (SP), pp. 697-716, 19 May 2024. doi:10.1109/SP54263.2024.00027
