Google: We've Stopped Most Gmail Account Hijacking

Mathew J. Schwartz, InformationWeek | February 21, 2013 01:58 PM


Google this week announced that, after putting in place a system that checks 120 different variables related to online sign-ins, it has reduced the incidence of Gmail account hijackings by 99.7% since they peaked in 2011.

That's welcome news for anyone who's experienced first-hand the joys of having a friend or acquaintance get their webmail account hijacked. Cue "urgent" appeals and fake sob stories about getting mugged in London just hours before being scheduled to return home. "Kindly help me send the money via Western Union Money Transfer to my name and hotel address below," read one widely distributed scam email.


More recently, scammers used compromised webmail accounts to send emails with a bit.ly link that led to a fake -- but real-looking -- careers page at "careers.nbcnews.com-iw9.net" that interwove content stolen from NBC with plugs for work-at-home operations and "home cash success." More often than not, such scams are just fronts for money mule operations.


According to Google, the principal account-hijacking technique involves attackers using usernames and passwords stolen from other sites -- which may have been purchased on cybercrime forums -- then testing to see if they've been reused for Webmail accounts, thus allowing the grifters to go to work.

"We've seen a single attacker using stolen passwords to attempt to break into a million different Google accounts every single day, for weeks at a time," said Google security engineer Mike Hearn in a blog post. "A different gang attempted sign-ins at a rate of more than 100 accounts per second."

Most account takeovers are made by scammers seeking to reliably distribute greater amounts of spam. "Although spam filters have become very powerful -- in Gmail, less than 1% of spam emails make it into an inbox -- these unwanted messages are much more likely to make it through if they come from someone you've been in contact with before," Hearn said. "As a result, in 2010 spammers started changing their tactics -- and we saw a large increase in fraudulent mail sent from Google Accounts."

But scammers aren't the only people intent on hijacking webmail accounts. In 2011, notably, Google warned that hundreds of Gmail users -- including senior U.S. government officials and Chinese activists -- had been targeted in account-takeover attacks. In 2012, Google added a warning system to Gmail accounts that announces when a user's account appears to be the target of a state-sponsored account takeover attempt.

Google said its risk assessment system now successfully blocks most of these types of account takeovers. "Every time you sign in to Google, whether via your Web browser once a month or an email program that checks for new mail every five minutes, our system performs a complex risk analysis to determine how likely it is that the sign-in really comes from you," said Hearn, noting that 120 different variables get assessed.

"If a sign-in is deemed suspicious or risky for some reason -- maybe it's coming from a country oceans away from your last sign-in -- we ask some simple questions about your account," he said. "For example, we may ask for the phone number associated with your account, or for the answer to your security question. These questions are normally hard for a hijacker to solve, but are easy for the real owner."

This type of adaptive authentication -- asking more questions whenever something looks suspicious -- isn't unique to Google, and is already available off-the-shelf from other security companies, such as RSA, which said its related software is now widely used by financial services firms.
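The adaptive-authentication pattern described above, as an added example that is not from the article and is not Google's system: a two-signal risk score that allows, challenges or blocks a sign-in. The two signals (one source trying many accounts, and a country change since the last allowed sign-in), the weights, the thresholds and the sample events are all assumptions chosen for illustration.

```python
from collections import defaultdict

class RiskEngine:
    """Toy adaptive-authentication policy; signals, weights and thresholds are assumptions."""
    WINDOW = 60.0      # look-back window in seconds
    FANOUT_LIMIT = 5   # distinct accounts one source may try per window

    def __init__(self):
        self.last_country = {}            # account -> country of last allowed sign-in
        self.recent = defaultdict(list)   # source -> [(ts, account)]

    def score(self, ts, source, account, country):
        risk = 0
        # Signal 1: one source trying many accounts (reused stolen passwords).
        hist = [(t, a) for t, a in self.recent[source] if ts - t <= self.WINDOW]
        hist.append((ts, account))
        self.recent[source] = hist
        if len({a for _, a in hist}) > self.FANOUT_LIMIT:
            risk += 60
        # Signal 2: country differs from the last allowed sign-in.
        known = self.last_country.get(account)
        if known is not None and known != country:
            risk += 50
        return risk

    def decide(self, ts, source, account, country, password_ok):
        risk = self.score(ts, source, account, country)  # failed attempts count too
        if not password_ok:
            return "deny"
        if risk >= 100:
            return "block"
        if risk >= 50:
            return "challenge"            # e.g. ask for the phone number on file
        self.last_country[account] = country
        return "allow"

def demo():
    """Constructed events; addresses are documentation ranges."""
    eng = RiskEngine()
    out = [eng.decide(0, "198.51.100.7", "alice", "US", True),
           eng.decide(3600, "198.51.100.7", "alice", "BR", True)]
    for i in range(5):                    # one source, five failed accounts in 5 s
        eng.decide(7200 + i, "203.0.113.9", f"user{i}", "JP", False)
    out.append(eng.decide(7205, "203.0.113.9", "bob", "JP", True))
    out.append(eng.decide(7206, "203.0.113.9", "alice", "JP", True))
    return out
```

A correct password alone is not enough here: the sixth account tried from the same source is challenged even though its password is valid, and a valid password that also arrives from a new country is blocked outright.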

While the risk analysis tools being employed by Google have helped stem account takeovers, to block even more such hacks, Hearn recommended that users enable two-factor authentication for Gmail, create strong passwords and ensure that their account recovery settings include a backup email address and a phone number.


