February 20, 2013

Google Successfully Taking on Account Hijackers

Spammers Switch Focus to Hacking of Personal E-mail Accounts

Google is declaring war on cyber-criminals intent on hacking Gmail accounts to spam and scam victims’ contacts.

Google says there has been a rise in hackers targeting individual e-mail accounts since 2010 to circumvent advanced spam protection. With the lion’s share of phony or malicious e-mails being delivered to Gmail users’ junk folders, spammers and hackers have had to change their focus.

“Compared to five years ago, more scams, illegal, fraudulent or spammy messages today come from someone you know,” Google Security Engineer Mike Hearn said in a blog post.

“Although spam filters have become very powerful — in Gmail, less than one percent of spam e-mails make it into an inbox — these unwanted messages are much more likely to make it through if they come from someone you’ve been in contact with before.”

Hearn says Google saw a “large increase in fraudulent mail” in the past few years, which has spurred the firm’s security team to develop new ways to keep users safe, and “dramatically” reduce the number of such messages.

Spammers’ Methods

Many spammers are “turning into account thieves,” Hearn says.

Cyber-criminals break into websites with the goal of stealing databases of usernames and passwords. They then do one of two things: they either put the databases up for sale on the black market or use them for their own illicit aims. What makes it especially easy for spammers to compromise personal e-mail accounts is re-use of the same password across multiple accounts.

“We’ve seen a single attacker using stolen passwords to attempt to break into a million different Google accounts every single day, for weeks at a time,” Hearn says. “A different gang attempted sign-ins at a rate of more than 100 accounts per second. Other services are often more vulnerable to this type of attack, but when someone tries to log into your Google account, our security system does more than just check that a password is correct.”


Image source: Official Google Blog

Google Security Methods

Each time a user signs in to Google, the system performs a “complex risk analysis” to ascertain that the sign-in comes from the legitimate user. Google can use more than 120 different techniques to make that determination.

“If a sign-in is deemed suspicious or risky for some reason — maybe it’s coming from a country oceans away from your last sign-in — we ask some simple questions about your account,” Hearn says. “For example, we may ask for the phone number associated with your account, or for the answer to your security question. These questions are normally hard for a hijacker to solve, but are easy for the real owner.”

Use of such security measures has reduced the number of hacked Gmail accounts by 99.7 percent since 2011, the height of such hijacking efforts.

Gmail Users Can Help

Gmail account holders also play an important role in ensuring their accounts remain secure, Hearn says.

Using an unpredictable, unique password, upgrading to two-step verification and updating account recovery options, such as entering a secondary e-mail address and a phone number, all strengthen account security.

To choose a strong password, Google recommends using a unique password for each important account, such as e-mail and online banking, and choosing a long password made up of numbers, letters and symbols.

With two-step verification, users must enter their password and a verification code. The code will be sent to the user’s phone via text, voice call, or mobile app.

During sign-in, the user can request that Google no longer ask for a code on that particular computer. From that point on, only the user’s password will be required on it.

However, if the user or someone else tries to sign in from a different computer, a verification code will be required to gain access to the account.
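The following is an added illustration of the two mechanisms the article describes: a risk check on each sign-in that triggers an extra challenge, and two-step verification that is skipped only on a device the user chose to remember. It is not Google’s code; the single “impossible travel” signal, the 900 km/h threshold and the trusted-device set are constructed assumptions standing in for the 120-plus signals a real system combines.

```python
from __future__ import annotations
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt

# Constructed threshold: implied travel faster than an airliner between two
# sign-ins is treated as a risk signal (a real system weighs many more).
MAX_PLAUSIBLE_KMH = 900.0


@dataclass(frozen=True)
class SignIn:
    lat: float        # approximate geolocation of the client address
    lon: float
    ts: float         # Unix time in seconds
    device_id: str    # identifier remembered on the browser/device


def distance_km(a: SignIn, b: SignIn) -> float:
    """Great-circle (haversine) distance between two sign-in locations."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(last: SignIn, current: SignIn) -> bool:
    """True when the speed implied by two sign-ins exceeds MAX_PLAUSIBLE_KMH."""
    hours = max((current.ts - last.ts) / 3600.0, 1e-6)  # guard against zero elapsed time
    return distance_km(last, current) / hours > MAX_PLAUSIBLE_KMH


def decide(password_ok: bool, two_step: bool, trusted_devices: set[str],
           last: SignIn | None, current: SignIn) -> str:
    """Action after the password check: deny, require_code, challenge or allow."""
    if not password_ok:
        return "deny"
    # Two-step verification: a code is needed unless this device was remembered.
    if two_step and current.device_id not in trusted_devices:
        return "require_code"
    # Risk analysis: a sign-in far from the last one gets extra questions
    # (phone number, security question) that the owner can answer.
    if last is not None and impossible_travel(last, current):
        return "challenge"
    return "allow"


if __name__ == "__main__":
    # Constructed sample: last sign-in near Mountain View, next one an hour later.
    last = SignIn(37.42, -122.08, 1_000_000.0, "laptop")
    print(decide(True, False, set(), last, SignIn(37.77, -122.42, 1_003_600.0, "laptop")))
    print(decide(True, False, set(), last, SignIn(55.75, 37.62, 1_003_600.0, "laptop")))
```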