Skip navigation
Google Reveals Alarming Success Rates For Manual Hijacking of Accounts
Urs Hölzle, Google’s senior VP of technical infrastructure at Google, at 2014 Google I/O conference in San Francisco.

Google Reveals Alarming Success Rates For Manual Hijacking of Accounts

Google study finds that hackers located mostly in China, Ivory Coast, Malaysia, Nigeria, and South Africa are much more successful at obtaining account information than expected.


This article originally appeared at The WHIR

A Google study released Thursday found hackers located mostly in China, Ivory Coast, Malaysia, Nigeria, and South Africa are much more successful at obtaining account information than expected. Requests for personal and login information through fake websites works a huge amount of the time, up to 45 percent. The researchers examined Google data from 2011 to 2014 and found people entered information into such sites at the alarming rate of 14 percent.

“Online accounts are inherently valuable resources—both for the data they contain and the reputation they accrue over time. With the advent of the cloud, the most intimate details of our lives are contained on remote servers in a single account,” according to the study. “This makes account theft, or account hijacking, a lucrative monetization vector for miscreants.”

Despite public awareness of phishing tactics and other cyber attacks, hackers are still able to get enough information to access email accounts and eventually, bank accounts. Using phishing, malware or simply guessing the account password hackers are able to gain control of an email account. Within 30 minutes of the hacker obtaining the target’s login, they are already changing passwords to lock the owner out and looking for financial account details they can exploit.

With a number of recent high profile hacks at JP Morgan, Home Depot, Kmart and Dairy Queen, it’s not surprising that a recent Harris poll found American’s concern over cybersecurity is even higher than worries over national security.

While most previous studies have focused on attacks by automated botnets or professional spamming infrastructure, Google chose to focus on manual hijacking. “Manual hijackers spend significant non-automated effort on profiling victims and maximizing the profit—or damage—they can extract from a single credential,” the report explains. “In contrast to automated hijacking, manual hijacking is exceedingly rare. We observe an average of 9 incidents per million Google users per day. However, the damage manual hijackers incur is far more severe and distressing to users and can result in significant financial loss.”

If the information they find isn’t lucrative enough, they quickly move on. “The existence of this profiling phase is one of the most surprising insights we gained by fighting manual hijackers,” said the researchers. “Instead of blindly exploiting every account, hijackers take on average 3 minutes to assess the value of the account before deciding to proceed.”

The study was able to link manual hijacking with phishing, which has has been anecdotally perceived as the main way hackers steal user credentials. Although app stores and social networking logins are sometimes the focus of hackers, they usually concentrate efforts on the victims’ email 35 percent and bank information 21 percent of the time.

Fortunately there is a high rate of account recovery when backup systems are in place. When a phone number is given, SMS was used to recover accounts at a rate of 81 percent while using a secondary email is successful three-quarters of the time. Without these systems in place, account recovery drops to 14 percent when secret questions or manual review are utilized.

Google has several strategies in place to detect suspicious activity on its side of the equation. For users, they recommend the best strategies to prevent and mitigate this type of hack are two-factor authentication and account recovery strategies. “Iron tight Account recovery–Finally we can’t stress enough how important it is to invest into having a very secure and reliable account recovery system. We continuously improve our recovery process to ensure that it is easy for legitimate users to get their account back while keeping hijackers out,” said the researchers. “Developing novel ways to validate user identity both for login challenge and account recovery purpose is something that we view as critical and we would love to see more research done in this space.”

This article originally appeared at:

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.