Phishing attacks continue to grow in sophistication, as do defenses, but even the weakest account security measures, such as registering a recovery phone number, can prevent the vast majority of such attacks, according to a year-long study by Google and academic researchers.
Google, like many other major account providers, employs a broad and deep set of protections on user accounts, all of which are designed to prevent account-takeover attacks. Those attacks most often take the form of phishing, whether it’s through email, SMS, or another channel, and over time Google has added layer after layer of defense against those attacks. Some of those protections are relatively weak, such as the account holder remembering her alternate email address or answering a challenge question. Others are much stronger, including systems such as two-step verification or the use of a hardware security key, which present much more difficult barriers for attackers.
In cooperation with New York University and the University of California, San Diego, Google conducted a long study of more than 1.2 million accounts and found that just taking the simple step of adding a recovery phone number to an account can prevent 99 percent of mass phishing attacks and 100 percent of bot-based attacks. A phone number is used to determine whether the account holder has access to a trusted device, and can be used for further challenges that block automated attacks.
“If you’ve signed into your phone or set up a recovery phone number, we can provide a similar level of protection to 2-Step Verification via device-based challenges. We found that an SMS code sent to a recovery phone number helped block 100% of automated bots, 96% of bulk phishing attacks, and 76% of targeted attacks,” Kurt Thomas and Angelika Moscicki of Google said.
One of the issues with these kinds of systems, though, is that they cause legitimate account holders to fail authentication more often. People forget things, even their own email addresses and passwords, and sometimes may not have their phones close at hand, as hard as that may be to believe. A user who forgets her credentials can end up locked out of the account. The Google and university researchers acknowledged this limitation.
“From a practical standpoint, we found that challenges, in conjunction with risk-aware authentication, blocked over 99.99% of automated hijacking attempts and 92% of attacks rooted in phishing at Google. These protections come at a cost of increased failed sign-in attempts from legitimate users, but with eventual success rates at levels similar to password-only authentication,” the researchers said in their paper on account takeovers.
“But unlike many cybercrime threats, users can take simple proactive steps to dramatically increase their security. Users who associate a device with their account can reduce their phishing risk by up to 99%. This approach provides similar levels of protection to two-factor authentication while removing the requirement of always having a device on-hand.”
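The study describes challenges being chosen in light of how risky a sign-in looks, with stronger factors (a device prompt or SMS code, a hardware key) reserved for riskier attempts and the weakest acceptable factor used otherwise to limit lockouts. The following is an added illustration of that idea, not code from Google or the paper: a toy policy engine scores a sign-in from a few signals and picks the least-friction enrolled challenge that still meets the required tier. The signal names, weights and thresholds are assumptions chosen for the example.

```python
"""Toy risk-aware challenge selection (illustration only, not Google's system)."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional, Set


class Challenge(IntEnum):
    """Challenge tiers, weakest to strongest, as the article lays them out."""
    NONE = 0
    KNOWLEDGE = 1      # alternate email address, challenge question
    DEVICE = 2         # prompt on a signed-in phone, SMS code to recovery number
    SECURITY_KEY = 3   # hardware security key


@dataclass
class SignIn:
    """Signals about one sign-in attempt; all names are assumptions for this example."""
    known_device: bool               # device previously used with this account
    ip_seen_before: bool             # network previously seen on a successful sign-in
    automated_signals: bool          # headless client, impossible velocity, etc.
    credential_in_breach_corpus: bool
    enrolled: Set[str] = field(default_factory=set)   # {"alt_email", "recovery_phone", "security_key"}
    high_value_target: bool = False  # user opted into always-on strongest protection


def risk_score(s: SignIn) -> int:
    """Additive risk score; the weights are illustrative, not tuned values."""
    score = 0
    if not s.known_device:
        score += 40
    if not s.ip_seen_before:
        score += 20
    if s.automated_signals:
        score += 50
    if s.credential_in_breach_corpus:
        score += 30
    return score


def required_tier(s: SignIn) -> Challenge:
    """Minimum challenge strength this attempt must clear."""
    if s.high_value_target:
        return Challenge.SECURITY_KEY
    score = risk_score(s)
    if score >= 60:
        return Challenge.DEVICE
    if score >= 30:
        return Challenge.KNOWLEDGE
    return Challenge.NONE


def available_challenges(s: SignIn) -> Set[Challenge]:
    """Challenges the account can actually answer, based on what is enrolled."""
    avail = {Challenge.NONE}
    if "alt_email" in s.enrolled:
        avail.add(Challenge.KNOWLEDGE)
    if "recovery_phone" in s.enrolled:
        avail.add(Challenge.DEVICE)
    if "security_key" in s.enrolled:
        avail.add(Challenge.SECURITY_KEY)
    return avail


def choose_challenge(s: SignIn) -> Optional[Challenge]:
    """Pick the weakest enrolled challenge that meets the required tier.

    Returning None means no enrolled factor is strong enough: the attempt is
    blocked and the user is routed to account recovery rather than let through
    on a weaker factor. Choosing the weakest sufficient factor keeps friction,
    and therefore failed sign-ins by legitimate users, as low as the risk allows.
    """
    required = required_tier(s)
    candidates = [c for c in available_challenges(s) if c >= required]
    return min(candidates) if candidates else None


if __name__ == "__main__":
    bot = SignIn(False, False, True, False, enrolled={"recovery_phone"})
    print("bot with recovery phone ->", choose_challenge(bot))
    bot_no_phone = SignIn(False, False, True, False, enrolled={"alt_email"})
    print("bot, alt email only ->", choose_challenge(bot_no_phone))
```

A bot-like attempt against an account with a recovery phone lands on the DEVICE tier, which an automated script cannot complete; the same attempt against an account with only an alternate email is blocked outright because no enrolled factor is strong enough, which is the lockout trade-off the researchers describe.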
The study looked at two separate types of attacks: mass phishing attacks and targeted attacks. Most people are at much higher risk for automated or mass phishing attacks and likely will never see a targeted attack. For the most part, targeted attacks that seek to take over an individual’s account go after a small subset of people, such as executives, diplomats, activists, journalists, and politicians. For those people, higher levels of protection are necessary for preventing account takeovers, and those defenses typically include the use of hardware security keys in combination with the other layered defenses. Defeating targeted attacks is a more difficult task, mainly because attackers who have a small target group can take their time and do reconnaissance on those targets and develop specific tactics for each one.
“Whereas attackers operating at scale expect to extract small amounts of value from each of a large number of accounts, targeted attackers expect to extract large amounts of value from a small number of accounts. This shift in economics in turn drives an entirely different set of operational dynamics. Since targeted attackers focus on specific email accounts, they can curate their attacks accordingly to be uniquely effective against those individuals,” the researchers said.
“Moreover, since such attackers are unconcerned with scale, they can afford to be far nimbler in adapting to and evading the defenses used by a particular target. Indeed, targeted email attacks—including via spear-phishing and malware—have been implicated in a wide variety of high-profile data breaches against government, industry, NGOs and universities alike.”
In their study on targeted attacks, the researchers looked at underground groups that offer hack-for-hire services to break into specific accounts. They interacted with 27 different services and asked them to target honeypot Gmail accounts that Google set up for the study. Each of the victim accounts had an individual website with some personal information, as well. The attackers used a variety of different techniques, but most of them centered on some form of social engineering.
“We confirm that such hack for hire services predominantly rely on social engineering via targeted phishing email messages, though one service attempted to deploy a remote access trojan. The attackers customized their phishing lures to incorporate details of our fabricated business entities and associates, which they acquired either by scraping our victim persona’s website or by requesting the details during negotiations with our buyer persona,” the researchers said in their research on hack-for-hire services.
“To bypass two-factor authentication, the most sophisticated attackers redirected our victim personas to a spoofed Google login page that harvested both passwords as well as SMS codes, checking the validity of both in real time. However, we found that two-factor authentication still proved an obstacle: attackers doubled their price upon learning an account had 2FA enabled.”
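The real-time relay the researchers describe works against SMS codes because a code is a bare secret: the server cannot tell which page the user typed it into. Hardware security keys, which the article names as the defense for high-risk users, resist the same relay because the signed assertion covers the origin the browser observed. The following simulation is added here to show that difference and is not code from the paper; it follows the WebAuthn structure (signature over the relying-party ID hash plus a hash of client data that includes the challenge and origin) but substitutes an HMAC for the credential's real private-key signature, and the origins and code values are constructed.

```python
"""Why a relayed SMS code verifies but a relayed security-key assertion does not.

Added illustration. HMAC stands in for the authenticator's signature; the
relying party, origins and sample values are constructed for the example.
"""
import hashlib
import hmac
import json
from typing import Dict, Tuple

RP_ID = "accounts.example.com"               # assumed relying-party ID
REAL_ORIGIN = "https://accounts.example.com"
LOOKALIKE = "https://accounts-example.com"   # constructed phishing origin for the simulation


def verify_sms_code(issued: str, submitted: str) -> bool:
    """An SMS code carries no information about where it was entered."""
    return hmac.compare_digest(issued, submitted)


def browser_client_data(origin: str, challenge: str) -> bytes:
    """The browser, not the page's script, records the origin in clientDataJSON."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()


def key_sign(cred_secret: bytes, rp_id: str, client_data: bytes) -> Tuple[bytes, bytes]:
    """Simulated authenticator: signs rpIdHash || sha256(clientDataJSON).

    A real key would also be scoped to the RP ID the browser derives from the
    page's origin, so a lookalike domain would not even match the credential;
    the simulation keeps the RP ID fixed to isolate the origin check.
    """
    auth_data = hashlib.sha256(rp_id.encode()).digest()
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    return auth_data, hmac.new(cred_secret, to_sign, hashlib.sha256).digest()


def verify_assertion(cred_secret: bytes, expected_challenge: str,
                     auth_data: bytes, client_data: bytes, sig: bytes) -> bool:
    """Relying-party checks: type, challenge, origin, RP ID hash, then signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != REAL_ORIGIN:
        return False  # assertion was produced on another origin: reject
    if auth_data != hashlib.sha256(RP_ID.encode()).digest():
        return False
    expected = hmac.new(cred_secret, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def relay_outcomes() -> Dict[str, bool]:
    """Same user and same forwarding of what they submit, with two different factors."""
    cred_secret = b"constructed-credential-secret"

    # SMS: the user types the code into the lookalike page, it is forwarded to the
    # real site within its validity window, and the real site accepts it.
    code = "482913"
    sms_relayed_accepted = verify_sms_code(code, code)

    # Security key: the real site's challenge is forwarded to the lookalike page,
    # the browser there signs client data carrying the lookalike origin, and the
    # real site rejects the forwarded assertion.
    challenge = "c2VydmVyLWNoYWxsZW5nZQ"
    cd_relayed = browser_client_data(LOOKALIKE, challenge)
    ad, sig = key_sign(cred_secret, RP_ID, cd_relayed)
    key_relayed_accepted = verify_assertion(cred_secret, challenge, ad, cd_relayed, sig)

    # Control: the same key used directly on the real origin is accepted.
    cd_direct = browser_client_data(REAL_ORIGIN, challenge)
    ad_ok, sig_ok = key_sign(cred_secret, RP_ID, cd_direct)
    key_direct_accepted = verify_assertion(cred_secret, challenge, ad_ok, cd_direct, sig_ok)

    return {
        "sms_relayed_accepted": sms_relayed_accepted,
        "key_relayed_accepted": key_relayed_accepted,
        "key_direct_accepted": key_direct_accepted,
    }


if __name__ == "__main__":
    for name, accepted in relay_outcomes().items():
        print(f"{name}: {accepted}")
```

The only input that differs between the rejected and accepted assertions is the origin string the browser wrote into the client data, which is exactly what a relay cannot alter without invalidating the signature; this is why the article pairs security keys with the other layered defenses for targeted users.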