The best phishing-driven fake websites worked “a whopping 45 percent of the time”, says the study. On average, one in seven people visiting fake pages handed over their information – “much higher than we anticipated” say the researchers. And even the most obviously bogus sites con three percent of people.
The Google study says criminals are also “astonishingly” quick to exploit compromised accounts, with 20 percent accessed within 30 minutes of credentials being handed over, and 50 percent within seven hours.
The study, conducted by a joint Google and University of California San Diego team, coincides with the discovery of a heavy-duty phishing campaign based on fake Amazon emails.
Security firm AppRiver detected just under 700,000 Amazon ‘order dispatched’ phishing messages sent between 31 October and 7 November, which delivered a Word document carrying a malicious macro to anyone who responded, and just over 200,000 samples of a similar fake Amazon email that sent victims to a compromised WordPress site.
Troy Gill, manager of security research at AppRiver, told SCMagazineUK.com the overall campaign “would actually be much larger - conservatively, at least in the tens of millions and the millions respectively” and that the victims were evenly split between the UK and US.
The Google study says the knock-on effect of such phishing campaigns is severe. Hijackers typically send emails purporting to come from the victim to their entire contact list, who are then 36 times more likely than average to respond and be hijacked themselves.
The study says the criminals involved come from five main countries: China, Ivory Coast, Malaysia, Nigeria and South Africa. Their attacks mainly target victims' email (35 percent) and banking credentials (21 percent), as well as their app store and social networking details.
The study confirms: “Phishing is a key vector of attack used by manual hijackers and email is the primary vector by which victims are phished or lured to phishing pages.”
Its findings present major problems for companies: “In order to prevent a hijacked account's exploitation, the reaction time to the credential compromise needs to be even faster than previously thought,” the study says.
“Hijackers' extreme reactivity emphasises the need to perform an accurate, real-time login risk analysis at the time of login in order to detect hijacking attempts.”
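The study's call for real-time login risk analysis is easier to picture with a concrete check. The following is an added example and not code from the Google/UCSD study, Google, or any vendor quoted in this article; the signals, their weights, the two-hour travel window, the step-up threshold and the sample login events are all assumptions chosen to illustrate the idea. The sample models the timing the study reports: a victim's normal logins, then an access from another country 25 minutes later, inside the 30-minute window in which a fifth of hijacked accounts were entered.

```python
# Added example (not from the Google/UCSD study or any quoted vendor): a minimal
# real-time login risk check. Signals, weights, thresholds and sample data are
# illustrative assumptions, not values reported by the study.
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Login:
    account: str
    ts: datetime
    ip: str
    country: str
    user_agent: str


@dataclass
class History:
    """What the service already knows about an account's habitual logins."""
    countries: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    user_agents: set = field(default_factory=set)
    last: Login | None = None


# Assumed weights; a production system would derive them from labelled data.
WEIGHTS = {"new_country": 40, "new_ip": 15, "new_user_agent": 20, "impossible_travel": 50}
STEP_UP_THRESHOLD = 60          # assumed: require a second factor at or above this score
TRAVEL_WINDOW = timedelta(hours=2)  # assumed: two countries within 2h is treated as impossible


def score_login(login: Login, hist: History) -> tuple[int, list[str]]:
    """Return (risk score, triggered signals) for one login attempt."""
    signals = []
    if hist.countries and login.country not in hist.countries:
        signals.append("new_country")
    if hist.ips and login.ip not in hist.ips:
        signals.append("new_ip")
    if hist.user_agents and login.user_agent not in hist.user_agents:
        signals.append("new_user_agent")
    # A login from a different country shortly after the previous session is the
    # pattern a hijacker produces when acting on freshly phished credentials.
    if (hist.last is not None and hist.last.country != login.country
            and login.ts - hist.last.ts < TRAVEL_WINDOW):
        signals.append("impossible_travel")
    return sum(WEIGHTS[s] for s in signals), signals


def decide(login: Login, hist: History) -> str:
    """'allow', or 'step_up' when the score says a second factor is needed."""
    score, _ = score_login(login, hist)
    return "step_up" if score >= STEP_UP_THRESHOLD else "allow"


def record(login: Login, hist: History) -> None:
    """Fold an allowed login into the account's history."""
    hist.countries.add(login.country)
    hist.ips.add(login.ip)
    hist.user_agents.add(login.user_agent)
    hist.last = login


# Constructed sample events: two normal logins, then a phished-credential access
# from another country and device 25 minutes after the victim's own session.
UA_VICTIM = "Mozilla/5.0 (Windows NT 6.1) Firefox/33.0"
UA_ATTACKER = "Mozilla/5.0 (X11; Linux x86_64) Chrome/38.0"
T0 = datetime(2014, 11, 7, 9, 0)
SAMPLE = [
    Login("alice", T0, "203.0.113.10", "GB", UA_VICTIM),
    Login("alice", T0 + timedelta(days=1), "203.0.113.10", "GB", UA_VICTIM),
    Login("alice", T0 + timedelta(days=1, minutes=25), "198.51.100.7", "NG", UA_ATTACKER),
]


def run(events=SAMPLE) -> list[tuple[str, int, list[str]]]:
    """Score each event in order, updating history only for allowed logins."""
    histories: dict[str, History] = {}
    out = []
    for ev in events:
        hist = histories.setdefault(ev.account, History())
        score, signals = score_login(ev, hist)
        verdict = decide(ev, hist)
        out.append((verdict, score, signals))
        if verdict == "allow":
            record(ev, hist)
    return out


if __name__ == "__main__":
    for verdict, score, signals in run():
        print(verdict, score, signals)
```

The third event trips every signal and is sent to step-up verification rather than blocked outright, so a genuine traveller can still get in with a second factor while an attacker holding only the password cannot; note also that a login refused step-up is never folded into the account's history, so the attacker's IP and country do not become "known" for the next attempt.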
The report adds: “A surprising finding is that hijackers spend three minutes on average assessing the value of the account and will not attempt to exploit accounts that they deem not valuable enough.
“This systematic assessment phase and the fact that certain accounts are not exploited suggest that manual hijackers are ‘professional’ and follow a well-established playbook designed to maximise profits.”
The study details defence strategies for companies and individuals to try to prevent and recover from phishing-based hijacking.
Commenting on the findings, Kevin Epstein, VP of information security and governance at Proofpoint, told SCMagazineUK.com that they match his company's research, which shows: “Even in the best-trained organisations, someone always clicks - and it only takes one.”
Epstein said: “As headline-making breaches continue to demonstrate, email and social-media attacks are routinely successfully penetrating legacy systems, clearly highlighting the need for multiple layers of post-perimeter security.
“Organisations must have a way to track and neutralise emailed and posted URLs even after delivery. Google's report also emphasises the need for rapid threat response, often overlooked in the focus on prevention.”
Mark James, a security specialist at ESET, told SCMagazineUK.com via email: “Phishing works these days often because of the trust factor involved. We get emails on a daily basis from banks we have never heard from and opportunities we see instantly are too good to be true. The problem arises when our trust level is increased by a familiar subject, person or event.
“It's a good start when the email is from a bank we actually use but it really strikes a point when we have had or have current ‘real-life’ issues with that bank or credit card - when that coincides with the phishing email, that's when we follow that link and are presented with a very good attempt at stealing our details.”
James added: “My advice would be to always validate any email if it involves money in any way, shape or form. Trusting family and friends is great when they are in front of you but always think twice before dealing with emails even if you do ‘think’ you know them personally.”
Rohyt Belani, CEO of PhishMe, said that the Google figures “are not at all surprising”. He told SCMagazineUK.com via email: “Users tend to interact quickly with emails after receiving them, and attackers are then able to get into an organisation's network in what might seem like a short amount of time. Cyber-attackers know they have a short window of opportunity before security technologies are able to detect anomalies in the network.”
But Belani said there is a “positive side” to how people react to phishing attacks: “When a user is trained to quickly recognise phishing attacks, savvy users can report the attack and shorten the attack detection window.
“We have seen a high percentage of trained employees report phishing attacks within seconds to responders, allowing them to move detection up the kill chain and limit the damage caused.”
The Google study looked at incidents that occurred at Google between 2011 and 2014, using data from 200 phishing emails, 200 sets of fake credentials, 200 IPs used to access stolen accounts and 5,000 hijacked accounts.