Email hacking is prolific, and the results can be severe. Email account attacks often result in password theft, identity theft, account theft, and credit card fraud. Now, Google has published a study that reveals the most common methods hackers exploit to penetrate Gmail accounts. The tech giant hopes that the research results will help to educate consumers about how to protect their accounts.
The most common method hackers use, according to Google, is phishing. This technique is very common and can be carried out in many different ways. The most intricate phishing attacks are personalized and targeted (using social engineering).
Socially engineered phishing comes in the form of newsletters about agriculture for farmers, links to articles about cryptocurrencies for investors, or emails with links to professional resources relating to whichever particular career the target has.
On other occasions, a spoof Paypal email that confirms a purchase on Amazon or eBay will link to a fake login page for the service. These kinds of phishing emails rely on the victim's confusion and concern (because they don’t remember making the purchase), to trick them into entering their details. Sadly, as soon as the target enters their credentials into the fake login page, the cybercriminal gains full access to that account.
Various Methods
Google explains that hackers are using a whole host of methods to penetrate email accounts. Its security blog is called New research: Understanding the root cause of account takeover. The study shares useful information that could help prevent future attacks.
It reveals that 15% of users believe they suffered a social media or email account hack between March 2016 and March 2017. In addition, Google has disclosed that around 250,000 web logins are “phished” each week.
In total, the researchers identified 788,000 potential victims of key-logging and 12.4 million potential victims of phishing. Google also revealed that around 3.3 billion accounts were endangered by third-party breaches.
The Results
Working alongside researchers at Berkeley University in California, Google analyzed various deep web black markets. By searching for stolen credentials, the researchers were able to ascertain a number of important things.
The researchers concluded that many attacks were the result of a ‘hit and miss’ type method, involving passwords gathered from previous cyberattacks. This is important because it means that consumers could be saving themselves the headache of having multiple accounts penetrated.
Often, when hackers manage to get the login credentials for one account, they will sell those login credentials on the dark web. Other hackers buy those credentials en masse, then use them to try to break into other websites.
If consumers used different passwords for each account, or two-factor authentication, then this technique wouldn’t work. Sadly, more often than not, people use the same email address and password for their Facebook, Twitter, Instagram, Gmail, Slack, Skype, and any other accounts they have. This means that once hackers have breached one account, the rest are vulnerable.
Sophisticated Techniques
Although phishing and purchasing credentials online are two of the most common methods for gaining entry to email accounts, there are more complex methods. During the year-long study, researchers at Berkeley analyzed 25,000 hacking tools. The researchers found that attack vectors using key-loggers and trojans, which collect data about users, are becoming much more common.
According to the findings, software that ascertains people’s IP addresses is often delivered via phishing techniques. Then, in a secondary attack, the hacker delivers the key-logging malware or - worse - a trojan that communicates with a Command and Control (CnC) server.
These types of trojans give cybercriminals easy access to people’s machines, allowing them to search the entire system, and even to turn on microphones and webcams. With this kind of malware on a victim’s machine, it's only a matter of time before credentials are entered and passwords or credit card details are siphoned off.
Simple Solutions Go a Long Way
The first thing that consumers must start doing is to use unique passwords for all their accounts. A unique password stops the possibility of dark web vendors selling stolen credentials that can then be used to access multiple accounts. A secure password needs to be long and difficult (not a pet’s name!). This kind of secure password is too tough to actually remember. For this reason, it is going to be necessary to either have a little black book that you keep your passwords in (which isn't that secure, because you could lose it) or to use a password manager.
A password manager like KeePass will allow you to remember just one difficult password in order to access a whole database of strong passwords for all your accounts. This takes the pressure off and allows you to have super strong, unique passwords.
Antivirus Protection
As far as malware and trojans go, a good antivirus and firewall go a long way. What’s more, there are plenty of free antivirus and anti-malware programs on the market, so you have no excuse for not having one. Yes, you can pay up to $100 per year for an antivirus. However, the reality is that you don’t actually get better malware protection by paying more: you just get more tools (that you don’t really need).
When it comes to a firewall, Windows has had an excellent one built in since way back in Windows XP. The Windows firewall is excellent and using it in combination with an up-to-date antivirus like Malwarebytes is essential for security.
In addition, it's important to always take software updates when they become available. Flash updates, web browser updates, and other software updates - such as operating system security patches - all ensure that your system is protected against the latest threats. Zero-day vulnerabilities are discovered all the time, and they can lead to very severe threats.
Two-factor Authentication
According to recent studies, most Americans are not using dual-factor authentication. This is a real shame because it is the easiest way to protect accounts. If you haven’t already, please do set up two-factor authentication on your email account (and other accounts).
Virtual Private Networks
People should also strongly consider using a Virtual Private Network (VPN). A VPN is one of the most advanced forms of internet protection. They work by securely encrypting all the data coming and going from a connected device. This ensures that even if someone does ‘sniff’ your traffic (using the newly discovered KRACK vulnerability, for example), they can’t actually steal your credentials.
In addition, when you connect to a VPN, your real IP address is concealed and replaced with the IP address of a VPN server. By hiding your true IP address, VPNs make it harder for hackers to deliver trojans and other malware to your devices.
Finally, internet users should always be wary when opening links that look official in emails. Phishing emails are very convincing, but if you look at the actual address browser it's usually possible to tell if you're on the real site.
The best thing to do is not click on links in emails. Instead, navigate to the website in question manually by entering the address into your browser. If you're on the real site, the address should start with HTTPS and have a little green lock on the left that shows you the connection is secure. When in doubt, check the web address bar in your browser.
Google Tightening Security
The good news is that Google has used the information to add security to its service.
Last month, the firm launched a number of tools designed to help people protect their accounts. These include a personalized account security checkup, new phishing warnings, and an Advanced Protection Program for at-risk users.
In addition, Google has tightened up the location radius for accounts, meaning that people will be asked if an unusual login is really them more often. Google believes that it has already used the findings from its study to prevent hackers from penetrating a staggering 67 million Google accounts.