How hijackers steal passwords

Google has teamed up with the University of California, Berkeley to understand how hijackers take over accounts in the wild.
They analysed several black markets between March 2016 and March 2017 to see how hijackers steal passwords and other sensitive data.
“Our research tracked several black markets that traded third-party password breaches, as well as 25,000 blackhat tools used for phishing and keylogging,” said Google.
“These sources helped us identify 788,000 credentials stolen via keyloggers, 12 million credentials stolen via phishing, and 3.3 billion credentials exposed by third-party breaches.”
For third-party breaches, 12% of the exposed records included a Gmail address serving as a username, along with a password; of those passwords, 7% were valid due to reuse.
When it comes to phishing and keyloggers, attackers frequently target Google accounts with varying success: 12-25% of attacks yield a valid password.
However, because a password alone is rarely sufficient to gain access to a Google account, increasingly sophisticated attackers try to collect the sensitive data that Google may request when verifying a user’s identity.
“We found 82% of blackhat phishing tools and 74% of keyloggers attempted to collect a user’s IP address and location, while another 18% of tools collected phone numbers and device make and model,” said Google.
Google found that phishing posed the greatest threat to users, followed by keyloggers and third-party breaches.