February 19, 2013

An update on our war against account hijackers



Have you ever gotten a plea to wire money to a friend stranded at an international airport? An oddly written message from someone you haven’t heard from in ages? Compared to five years ago, more scams, illegal, fraudulent or spammy messages today come from someone you know. Although spam filters have become very powerful—in Gmail, less than 1 percent of spam emails make it into an inbox—these unwanted messages are much more likely to make it through if they come from someone you’ve been in contact with before. As a result, in 2010 spammers started changing their tactics—and we saw a large increase in fraudulent mail sent from Google Accounts. In turn, our security team has developed new ways to keep you safe, and dramatically reduced the amount of these messages.

Spammers’ new trick—hijacking accounts 
To improve their chances of beating a spam filter by sending you spam from your contact’s account, the spammer first has to break into that account. This means many spammers are turning into account thieves. Every day, cyber criminals break into websites to steal databases of usernames and passwords—the online “keys” to accounts. They put the databases up for sale on the black market, or use them for their own nefarious purposes. Because many people re-use the same password across different accounts, stolen passwords from one site are often valid on others.

With stolen passwords in hand, attackers attempt to break into accounts across the web and across many different services. We’ve seen a single attacker using stolen passwords to attempt to break into a million different Google accounts every single day, for weeks at a time. A different gang attempted sign-ins at a rate of more than 100 accounts per second. Other services are often more vulnerable to this type of attack, but when someone tries to log into your Google Account, our security system does more than just check that a password is correct.

Legitimate accounts blocked for sending spam: Our security systems have dramatically reduced the number of Google Accounts used to send spam over the past few years

How Google Security helps protect your account
Every time you sign in to Google, whether via your web browser once a month or an email program that checks for new mail every five minutes, our system performs a complex risk analysis to determine how likely it is that the sign-in really comes from you. In fact, there are more than 120 variables that can factor into how a decision is made.

If a sign-in is deemed suspicious or risky for some reason—maybe it’s coming from a country oceans away from your last sign-in—we ask some simple questions about your account. For example, we may ask for the phone number associated with your account, or for the answer to your security question. These questions are normally hard for a hijacker to solve, but are easy for the real owner. Using security measures like these, we've dramatically reduced the number of compromised accounts by 99.7 percent since the peak of these hijacking attempts in 2011.


Help protect your account
While we do our best to keep spammers at bay, you can help protect your account by making sure you’re using a strong, unique password for your Google Account, upgrading your account to use 2-step verification, and updating the recovery options on your account such as your secondary email address and your phone number. Following these three steps can help prevent your account from being hijacked—this means less spam for your friends and contacts, and improved security and privacy for you.

(Cross-posted from the Official Google Blog)

16 comments:

  1. I'm a fan of the two-factor authentication Google uses. In encouraging others to use it, I'd love to be able to share statistics indicating its effectiveness. Can you share any numbers regarding the reduction in account compromises among people who use two-factor authentication.

    I realize such a number would have selection bias, but it's better than nothing.

    ReplyDelete
  2. This just happened to one of our users today. I think this group of people should be called Spackers, for Spam and Hackers. They hack, then send spam.

    ReplyDelete
  3. I just got an email from noreply@googlesecurityteam.net that said:
    ================
    Dear Member,

    We noticed our security IP-Address detector as been disabled on your account,to avoid account been hacked or interrupted,You need to re-log in on the link below to update your IP-Address Security.

    Secure is one of our most important responsibilities..

    Click UPDATE NOW for verification.

    Gmail Services Team

    © 2013 Gmail LLC. All Rights Reserved.
    =========================
    Clicking on the link took me to a Google looking sign on page with the url: http://lakshyyaent.com/sites/g/page.gmail.com/gmail/Gmail/ServiceLogin.htm

    Is this you or another hacking job?

    ReplyDelete
    Replies
    1. Seriously? Just check how bad written those messages are. They're not even proper English. And that URL has nothing to do with Google. Plus Google never sends emails saying click here to login they always display content on-site.

      Delete
  4. 2 STeps authentication,strong password,recovery option..Google still the best email

    ReplyDelete
  5. Well, this has happened to me a number of times now. My account was not only hijacked, but my websites cloned as well.

    It has been suggested that some drug addicts hijacked my blog in order to use the Google adsense.

    The templates on Blogger may have some flaws as well. On my account, my editing pencil. wrench and other editing tools do not show up, making it difficult to post and edit in my blogs.

    Now, people keep getting me mixed up with the drug addicts who hijacked my blogs.

    At the present time, it appears that I may be posting on the spoofed or cloned account and someone else has my account or is sharing it.

    Google accounts appear to be hijacked often.

    Antonia.

    ReplyDelete
  6. Thank you Google,I'll do my best to protect my Google account and I think Google will remain the best

    ReplyDelete
  7. I use google talk from the MacOS "Messages" application, and I frequently work from a commuter shuttle or remote site (frequently == daily). So basically every time I start Messages, Google flips out about suspicious activity and makes me go throug hthe rigamarole you describe before I can use my account. Is there any way to opt out of this for those of us who simply cannot guarantee an IP address, or do we have to avoid using Google Talk while on the road?

    ReplyDelete
  8. I use Google Talk via MacOS Messages, and I do this from a laptop that is, on a near daily basis, logged in from strange IP addresses. This results in me having to re-authenticate continuously. I'm wondering if there is some way to opt out of this due to the high volume of address-switching I do, or if Google would advise me to avoid using Google Talk from my laptop?

    ReplyDelete
  9. Thanks! I'm glad you're upping your security. I live up in Calgary, and its nice to know that my online stuff is protected.

    ReplyDelete
  10. Thanks for sharing some useful info related to Google update which will help us to identify the needed security for my site we are all expecting that.

    ReplyDelete
  11. A prolonged cyber attack targeted me by known woman cracker and IT corporate professional in the UK. After wiping jail broken IPhone (remote) and Mac BookPro, 2 weeks later she cracked
    I
    IPhone, ICloud, Apple ID- even after increased anti malware and security. A private investigator was hired after I cleared my name w/ Google following web browser hack to surf terrorist sites. Forensics report today. Perhaps enough evidence will have been obtained to prosecute and ID.

    ReplyDelete
  12. I am so upset...I have been locked out of my own account because of two step verification. I disabled it several times before on the same device, however, it always seems to ask for the codes which would be sent via text. The problems I have now are: my phone number has changed because of a recent move (didn't remember to update my Google info when I moved); my tablet device needed to have default settings reset for another issue with my bank and wiped out cache, passwords, etc.; and I have had my account for a long enough time that I could not recall when I opened it or remember who I email frequently because I mainly use it as a source for incoming newsletters, tradeshows, company updates,etc.; why can't there be a more relevant way to properly confirm that I am the true account holder? I have a vast array of personal things stored including drive docs, calendar, and other things I use each day not to mention contacts! There has to be more sensitivity for myself and others in a similar situation. It's very insulting to chase around the world of internet for answers, help, suggestions...and your company staff has been very rude to say I am screwed, no one can help, and that I need to open a new account! Does anyone suggest a good hacker??? What shall I do?

    ReplyDelete
  13. A Gmail account is set up with all known precautions in place via settings, Drive, Calendar, and external apps closed to prevent backdoor entry. Also the 2-Step verification is setup with backup email addresses and phone numbers.

    Everything goes well for a very short time, then the 2-Step Verification codes are stolen and login phishing pages block activity.

    The main issue is to find out how the attackers are attaching login phishing pages to Gmail login, Account Activities, Dashboard, and Security

    The second concern is that if you are cautious not to use the phishing pages, then how do they login or piggy back when you log in. It feels like something is in place and it waits for login. Then after login things get changed. Notifications are turned off and Account Activity is blocked.

    While attackers are in, they copy all the 2-Step Verification codes. This renders them useless. When I get locked out because of attacks, I just get routed to information pages and nothing else.

    Sometimes I get the opportunity to use my backup email address. But when I do, the backup gets infected.

    In the meantime, notifications are turned off and recent activity is blocked permanently. I am not savvy enough to know how to turn them back on.

    The phishing pages to login with a password are useless. They don't lead to anything. They just take the password from you.

    I don't know what to do outside of creating multiple gmail accounts and letting the hackers have some of the stolen ones. Other infected accounts were either abandoned or closed when they got recovered. I can't get my name back. Someone stole it a long time ago and I tried to get it back but I lost the inquiry.

    Also, all new accounts allow me to see all pages within the first few minutes to half an hour. After that, the phishing login pages start and shuts down views to login, account activities, and other vital pages.

    When I create a new account, the instant my phone number is entered I see a glitch in the screen. It seems like there is a flag of some sort on my phone number.

    Anything containing the words Google or Gmail in the browser address bar is automatically followed or tagged or set for phishing pages.

    If I try to change something or look into the registry/library/etc, there is a flash like a screen shot. I have no idea what that could be but I got better results when I entered these places and erased all traces of Google, Firefox, Chrome, etc. I still have problems with Safari. If I re-download other browsers, I seem to have more problems like they are being used for some sort of different attacking system.

    The generic Gmail security information posted is not good enough. There are important things users can do to protect themselves but they have to do lots of research to find them.

    I am at a loss right now. All my email is being accessed, no matter how many accounts I open. What do I do?

    This is like having a world wide disease that impacts everything from school to work to health.

    Either we don't have the right technology or we don't have the right consequences for these bad people.

    There has got to be a safer alternative product out there.

    How do you stop such attacks?

    Thank you for your help.

    ReplyDelete
  14. Yes, those questions to verify the true owner... Actually, you can ask those questions wrong and still get an access.

    I tried this in "password recovery" process, and they asked me bunch of questions, I intentionally answered all them wrong, except two email contacts (if you know the victom, or via SNS, it's easiest thing to guess, right?)

    All the other questions - password you can remember; the time you open the account; etc, I gave them completely wrong answer.

    But... those two email worked!
    I was able to hijack my own account. I don't even need to go to recovery email account, I could change the password on the spot.

    I tried using different computer, different IP address, different browsers, does not matter.

    All you need is two (may be one) contact. You can leave all the other questions blank or give them wrong answer, the account is yours!

    Does it make you feel safe?

    I wrote to Gmail security team but they don't seem to give a damn about it.

    ReplyDelete

You are welcome to contribute comments, but they should be relevant to the conversation. We reserve the right to remove off-topic remarks in the interest of keeping the conversation focused and engaging. Shameless self-promotion is well, shameless, and will get canned.

Note: Only a member of this blog may post a comment.