Understanding Chrome's Password Notification After Authentication into a Web Application | Secure Cloud Backup Software | Nordic Backup

If you’ve recently upgraded your Chrome browser, you might notice a popup that displays after you log into a website. The popup indicates that your password could be exposed on the internet and that you should change it. This notification is Google’s attempt to help people avoid account takeover following successful phishing attacks. Before you conclude that Google has hacked your password, here is why it happens and what you can do to protect your private data.

What Happens After a Successful Phishing Attack?

An attacker has several vectors and methods to phish a targeted user’s data. Credentials are just one data point an attacker will target. Credit card numbers, personal data, social security numbers and even contact information are useful to an attacker who wants to sell your information online. Hacked websites, email messages, open URL redirection, and malicious websites are just a few ways an attacker can trick users into disclosing personal data.

Most attackers don’t target specific people. Phishing to sell data online is a numbers game. The attacker will attempt to gather as much personal data as possible by sending thousands of email messages. Eventually, the campaign is stopped by anti-phishing tools, but not until after the attacker has tricked thousands of users and stolen their credentials and personal data.

After the attacker has gathered these data points, they are compiled into a list. Some attackers will improve the data quality by checking its accuracy. Account takeover tools can be used to automate login requests against user accounts and to test credit card data. For instance, SentryMBA is an account takeover tool that will test credit card data. Tested, viable credit card data is much more valuable on darknet markets than unverified data.

With a list of user credentials and other personal data, an attacker can sell the list on darknet markets. Most attackers do not use the data that they’ve collected because it’s much more valuable to sell it to others who will use it. Cybersecurity experts will browse darknet markets to find these lists and identify if they are newly stolen user credentials or lists that are made up of previous lists. Occasionally, an attacker will take multiple lists, combine them, and then resell the larger list for profit.

Chrome’s Notification is Based on These Credential Lists

Years ago, cybersecurity experts realized that buying these lists would be helpful to consumers. Now, large companies that hold millions of user accounts do the same. Google’s new notification is based on darknet market lists that have been analyzed and incorporated into Chrome. When you type a password into a website, Chrome compares it against the stored values from these lists and identifies whether it matches. If a match is found, you see the Chrome notification letting you know that your password has been exposed and that you should change it.
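The paragraph above describes the idea of comparing a typed password against a list of exposed credentials without handing the plaintext to anyone. The following is an added example, not Chrome’s own code or protocol: it shows a simplified hash-prefix (k-anonymity) lookup, where the client sends only the first five hex characters of the password’s SHA-1 hash and matches the remainder locally. The breach list, the prefix length and the function names are all assumptions made for this illustration.

```python
import hashlib

# Constructed sample breach list: SHA-1 hashes of a few weak passwords
# mapped to how often each appeared in leaked credential dumps.
# A real service holds hundreds of millions of such entries.
_BREACHED = {
    hashlib.sha1(pw.encode()).hexdigest().upper(): count
    for pw, count in [("password", 3000000), ("123456", 20000000), ("letmein", 150000)]
}

PREFIX_LEN = 5  # the client reveals only this many hex characters of its hash


def range_query(prefix: str) -> dict:
    """Server side (hypothetical): return every breached hash suffix that
    shares the prefix, with its exposure count. Because the server only
    sees a prefix, it cannot tell which password the client is checking."""
    prefix = prefix.upper()
    if len(prefix) != PREFIX_LEN:
        raise ValueError("prefix must be exactly %d hex characters" % PREFIX_LEN)
    return {h[PREFIX_LEN:]: c for h, c in _BREACHED.items() if h.startswith(prefix)}


def password_exposure_count(password: str) -> int:
    """Client side: hash locally, send only the prefix, match the suffix at home."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    candidates = range_query(prefix)
    return candidates.get(suffix, 0)


def should_warn(password: str) -> bool:
    """True when the password appears in the breach list at least once."""
    return password_exposure_count(password) > 0


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple 7!"):
        print(pw, "->", "exposed" if should_warn(pw) else "not in list")
```

The design point is that the plaintext password and its full hash never leave the client; only a short prefix does, and the client does the final comparison. A production checker would also store hashes of many more entries and would use a dedicated privacy-preserving protocol rather than raw SHA-1 prefixes.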

A common mistake most consumers make is assuming that they are not a target and ignoring security messages on certain websites. Attackers who test credentials with account takeover tools do so on sites that lack proper security monitoring, so the user is never aware that their credentials are being tested. Small business ecommerce stores are frequently used for this purpose, to confirm that stolen credentials and financial data are accurate.

Small business owners don’t have the resources to check for user credential disclosure, but large companies like Google have cybersecurity experts on staff. These experts purchase lists to help alert users that their data has been exposed before it can turn into a financial disaster for the user. Attackers will test credit cards with a small charge, and if it goes through, they will charge thousands on the card either at local stores or on ecommerce sites.

What You Can Do to Protect Your Data

Even people in IT can make mistakes and fall for a phishing attack. The best defense is to be aware of phishing attacks and protect yourself. You can’t protect yourself from a poorly coded web application that discloses data, but you can take steps to educate yourself on the ways phishing attacks are delivered by email.

Some web-based email hosts such as Gmail use cybersecurity measures that block email spoofing. Email spoofing happens when an attacker is able to send an email with an official-looking “from” address to trick users into thinking the email is from an official source. If your email provider does not apply such protections, spoofed emails might reach your inbox.

Attackers will often register domain names similar to an official one. For instance, an attacker might register “paypall.com” and send messages from this domain. In the email, the attacker will display a link to an attacker-controlled server. The landing page will look similar to the official PayPal site in this scenario, hoping to trick users into entering their PayPal credentials. Since users often reuse the same username and password across many sites, an attacker with access to PayPal credentials will try the same ones on other banking sites.

Two-factor authentication (2FA) is another option that protects against successful phishing attacks. If an attacker is able to trick you into submitting credentials to a malicious site, they would still be unable to authenticate into your account because of the 2FA requirement. 2FA systems usually send a PIN to your smartphone to verify that it’s you authenticating into the website. There are other methods of 2FA, such as sending a verification email, but most organizations implement an SMS PIN verification code that must be entered before the user can access a secure section of the site. If an attacker gains access to your email, then verification using email is rendered useless.
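The paragraph above describes the PIN-to-phone style of 2FA. As an added example, not code from the original article or from any 2FA vendor, the class below implements the server side of such a scheme: it issues a random 6-digit code, stores only its hash, expires it after five minutes, allows three guesses, and accepts the code once. The code length, time-to-live, attempt limit, the injectable clock and the class name are all assumptions made for this illustration; delivering the code by SMS is left to a gateway that is outside the example.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6          # assumed length of the one-time PIN
CODE_TTL_SECONDS = 300   # assumed validity window
MAX_ATTEMPTS = 3         # assumed guess budget before a fresh code is required


class OneTimePinVerifier:
    """Hypothetical server-side store for SMS/email one-time PINs."""

    def __init__(self, clock=time.time):
        self._clock = clock                 # injectable for testing
        self._pending = {}                  # user -> [code hash, expiry, attempts left]

    def issue(self, user: str) -> str:
        """Create a fresh code for the user and return it for delivery.
        Only the hash is retained; the plaintext goes to the SMS gateway and
        should never be logged."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[user] = [
            hashlib.sha256(code.encode()).digest(),
            self._clock() + CODE_TTL_SECONDS,
            MAX_ATTEMPTS,
        ]
        return code

    def verify(self, user: str, submitted: str) -> bool:
        """Return True exactly once for the right code within its lifetime."""
        entry = self._pending.get(user)
        if entry is None:
            return False                    # nothing issued, or already consumed
        digest, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[user]         # stale code: discard, caller must re-issue
            return False
        # Constant-time comparison of hashes avoids leaking how many
        # leading digits matched through timing differences.
        if hmac.compare_digest(digest, hashlib.sha256(submitted.encode()).digest()):
            del self._pending[user]         # single use
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            del self._pending[user]         # guess budget exhausted
        return False

    def has_pending(self, user: str) -> bool:
        return user in self._pending


if __name__ == "__main__":
    v = OneTimePinVerifier()
    code = v.issue("alice")
    print("code delivered out of band:", code)
    print("wrong guess accepted?", v.verify("alice", "000000"))
    print("right code accepted?", v.verify("alice", code))
    print("replay accepted?", v.verify("alice", code))
```

Because the attacker in the phishing scenario holds only the password, the combination of a short lifetime, a small guess budget and single use is what keeps the stolen credentials from being enough on their own.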

Conclusion

If you use Chrome and see the notification that your credentials have been exposed after logging into a website, it’s time to change the password on that site. If you use the same password elsewhere, you should also take the time to change it on every other site that shares it.

Although 2FA is often an optional security measure, always use it on websites that contain sensitive data such as credit card numbers or banking information. By adding 2FA to your authentication, you protect yourself in case you accidentally fall for a phishing attack. To avoid becoming a victim, always ensure that the person sending the email is the actual sender and not a spoofed address. This is especially important when you receive an email with an attachment or link to a suspicious site.
