An update on our war against account hijackers

Tuesday, February 19, 2013 9:13 AM

Have you ever gotten a plea to wire money to a friend stranded at an international airport? An oddly written message from someone you haven’t heard from in ages? Compared to five years ago, more scams, illegal, fraudulent or spammy messages today come from someone you know. Although spam filters have become very powerful—in Gmail, less than 1 percent of spam emails make it into an inbox—these unwanted messages are much more likely to make it through if they come from someone you’ve been in contact with before. As a result, in 2010 spammers started changing their tactics—and we saw a large increase in fraudulent mail sent from Google Accounts. In turn, our security team has developed new ways to keep you safe, and dramatically reduced the amount of these messages.

Spammers’ new trick—hijacking accounts 
To improve their chances of beating a spam filter by sending you spam from your contact’s account, the spammer first has to break into that account. This means many spammers are turning into account thieves. Every day, cyber criminals break into websites to steal databases of usernames and passwords—the online “keys” to accounts. They put the databases up for sale on the black market, or use them for their own nefarious purposes. Because many people re-use the same password across different accounts, stolen passwords from one site are often valid on others.

With stolen passwords in hand, attackers attempt to break into accounts across the web and across many different services. We’ve seen a single attacker using stolen passwords to attempt to break into a million different Google accounts every single day, for weeks at a time. A different gang attempted sign-ins at a rate of more than 100 accounts per second. Other services are often more vulnerable to this type of attack, but when someone tries to log into your Google Account, our security system does more than just check that a password is correct.

Legitimate accounts blocked for sending spam: Our security systems have dramatically reduced the number of Google Accounts used to send spam over the past few years

How Google Security helps protect your account
Every time you sign in to Google, whether via your web browser once a month or an email program that checks for new mail every five minutes, our system performs a complex risk analysis to determine how likely it is that the sign-in really comes from you. In fact, there are more than 120 variables that can factor into how a decision is made.

If a sign-in is deemed suspicious or risky for some reason—maybe it’s coming from a country oceans away from your last sign-in—we ask some simple questions about your account. For example, we may ask for the phone number associated with your account, or for the answer to your security question. These questions are normally hard for a hijacker to solve, but are easy for the real owner. Using security measures like these, we've dramatically reduced the number of compromised accounts by 99.7 percent since the peak of these hijacking attempts in 2011.

Help protect your account
While we do our best to keep spammers at bay, you can help protect your account by making sure you’re using a strong, unique password for your Google Account, upgrading your account to use 2-step verification, and updating the recovery options on your account such as your secondary email address and your phone number. Following these three steps can help prevent your account from being hijacked—this means less spam for your friends and contacts, and improved security and privacy for you.

(Cross-posted from the Official Google Blog)
The comments you read here belong only to the person who posted them. We do, however, reserve the right to remove off-topic comments.


Frank Tobin said...

I'm a fan of the two-factor authentication Google uses. In encouraging others to use it, I'd love to be able to share statistics indicating its effectiveness. Can you share any numbers regarding the reduction in account compromises among people who use two-factor authentication.

I realize such a number would have selection bias, but it's better than nothing.

Jeff Alhadeff said...

This just happened to one of our users today. I think this group of people should be called Spackers, for Spam and Hackers. They hack, then send spam.

Lucas [NN] said...

Very nice.

Don Travis said...

I just got an email from that said:
Dear Member,

We noticed our security IP-Address detector as been disabled on your account,to avoid account been hacked or interrupted,You need to re-log in on the link below to update your IP-Address Security.

Secure is one of our most important responsibilities..

Click UPDATE NOW for verification.

Gmail Services Team

© 2013 Gmail LLC. All Rights Reserved.
Clicking on the link took me to a Google looking sign on page with the url:

Is this you or another hacking job?

Arerifx TheReds said...

2 STeps authentication,strong password,recovery option..Google still the best email

Beauty Health Finance and Green Editor said...

Well, this has happened to me a number of times now. My account was not only hijacked, but my websites cloned as well.

It has been suggested that some drug addicts hijacked my blog in order to use the Google adsense.

The templates on Blogger may have some flaws as well. On my account, my editing pencil. wrench and other editing tools do not show up, making it difficult to post and edit in my blogs.

Now, people keep getting me mixed up with the drug addicts who hijacked my blogs.

At the present time, it appears that I may be posting on the spoofed or cloned account and someone else has my account or is sharing it.

Google accounts appear to be hijacked often.


Arerifx TheReds said...

Thank you Google,I'll do my best to protect my Google account and I think Google will remain the best

antecedent said...

I use google talk from the MacOS "Messages" application, and I frequently work from a commuter shuttle or remote site (frequently == daily). So basically every time I start Messages, Google flips out about suspicious activity and makes me go throug hthe rigamarole you describe before I can use my account. Is there any way to opt out of this for those of us who simply cannot guarantee an IP address, or do we have to avoid using Google Talk while on the road?

antecedent said...

I use Google Talk via MacOS Messages, and I do this from a laptop that is, on a near daily basis, logged in from strange IP addresses. This results in me having to re-authenticate continuously. I'm wondering if there is some way to opt out of this due to the high volume of address-switching I do, or if Google would advise me to avoid using Google Talk from my laptop?

Alfonso said...

Seriously? Just check how bad written those messages are. They're not even proper English. And that URL has nothing to do with Google. Plus Google never sends emails saying click here to login they always display content on-site.

Bill Shields said...

Thanks! I'm glad you're upping your security. I live up in Calgary, and its nice to know that my online stuff is protected.

zaro said...

Thanks for sharing some useful info related to Google update which will help us to identify the needed security for my site we are all expecting that.

maureen m said...

A prolonged cyber attack targeted me by known woman cracker and IT corporate professional in the UK. After wiping jail broken IPhone (remote) and Mac BookPro, 2 weeks later she cracked
IPhone, ICloud, Apple ID- even after increased anti malware and security. A private investigator was hired after I cleared my name w/ Google following web browser hack to surf terrorist sites. Forensics report today. Perhaps enough evidence will have been obtained to prosecute and ID.

Jassyland said...

I am so upset...I have been locked out of my own account because of two step verification. I disabled it several times before on the same device, however, it always seems to ask for the codes which would be sent via text. The problems I have now are: my phone number has changed because of a recent move (didn't remember to update my Google info when I moved); my tablet device needed to have default settings reset for another issue with my bank and wiped out cache, passwords, etc.; and I have had my account for a long enough time that I could not recall when I opened it or remember who I email frequently because I mainly use it as a source for incoming newsletters, tradeshows, company updates,etc.; why can't there be a more relevant way to properly confirm that I am the true account holder? I have a vast array of personal things stored including drive docs, calendar, and other things I use each day not to mention contacts! There has to be more sensitivity for myself and others in a similar situation. It's very insulting to chase around the world of internet for answers, help, suggestions...and your company staff has been very rude to say I am screwed, no one can help, and that I need to open a new account! Does anyone suggest a good hacker??? What shall I do?