Google Experts Caution Against Account Hijackers, Phishing Schemes

Chuck Bednar for – Your Universe Online
With a person’s online identity becoming increasingly more important, Google is shedding light on an often overlooked form of cybercrime known as “manual hijacking,” in which a professional hacker invests considerable time and money exploiting the account of a single victim – often causing tremendous financial loss to that individual.
In a new blog entry posted Thursday, Google’s anti-abuse research team head Elie Bursztein explained that these types of attacks are far rarer than state-sponsored cyber attacks or mass hijackings, averaging only nine incidents per million users each day. However, he warned that the consequences of such attacks are often “severe.”
“Manual hijackers often get into accounts through phishing: sending deceptive messages meant to trick you into handing over your username, password, and other personal info,” Bursztein explained. “For this study, we analyzed several sources of phishing messages and websites, observing both how hijackers operate and what sensitive information they seek out once they gain control of an account.”
Among the things that he and his colleagues discovered was that, despite the common perception among users that they are too smart to fall victim to phishing schemes, such attacks worked a surprising 45 percent of the time. People visiting these fake websites submitted their information 14 percent of the time, and even the most obviously fraudulent pages still managed to deceive roughly three percent of all phishing victims.
Furthermore, Google found that approximately 20 percent of all hijacked accounts were accessed within 30 minutes of a hacker obtaining the login info, and that once they successfully crack an account, hijackers typically spend at least 20 minutes inside, often changing passwords to lock out the actual account owners, searching for other account details (such as bank accounts and social media information) and targeting new victims.
“Hijackers then send phishing emails from the victim’s account to everyone in his or her address book. Since your friends and family think the email comes from you, these emails can be very effective. People in the contact list of hijacked accounts are 36 times more likely to be hijacked themselves,” Bursztein explained, noting that hijackers “quickly change their tactics…almost immediately” in response to new security measures.
Bursztein’s warning comes in the wake of a recent Gallup poll which found that Americans are more concerned about having their computers and/or smartphones hacked and their credit card information swiped than having their homes broken into, having their cars stolen, being targeted by terrorists, or being the victim of a sexual assault.
According to Damon Beres of The Huffington Post, the findings reported by Google’s security team are a part of a joint research project conducted with the University of California, San Diego (UCSD), in which they reviewed a random sample of 100 phishing websites created through Google Forms and caught by Google’s Safe Browsing system to gain new insights into how such scams actually worked.
Google’s research also revealed that most of these attacks originate from China, the Ivory Coast, Malaysia, Nigeria and South Africa, according to ZDNet’s Charlie Osborne. In order to keep the attacks as legitimate-looking as possible, the campaigns are organized by language, Osborne noted – meaning that, for example, French-speakers work on French-speaking targets. Even though these attacks are rare, she said that there are ways for computer users to protect themselves.
While Google said that its research has been “used to implement changes in the firm’s account security settings and systems,” Osborne noted that “in the end, it is up to us to maintain our own levels of security.” To that end, she says, all users should frequently change their passwords and avoid using easily remembered ones. People are “more similar to each other” than they realize, she said, and “if it’s easy for us to remember, it is easy for someone to crack.”
“Secondary levels of verification are also useful,” the ZDNet reporter added. “This does mean you have to hand over your phone number or another email address to companies like Google and PayPal, but in the end, this does give account access a second step which makes brute-force password cracking on its own less successful. In addition, if you do lose your account, you do have a way to verify your identity and potentially wrestle control back.”

Infographic Courtesy Google