Google says it is winning the war against Gmail account hijackers


It was 2011, and if you were a Gmail user you might have found things had begun to turn ugly.

Spam messages, spear-phishing attacks, and bogus “I’m stranded in a foreign country” scams began to appear in some users’ inboxes, defeating Google’s anti-spam systems.

The reason the messages reached their intended targets? They were sent from the legitimate Gmail account of one of your contacts, not from a third party who had never been in touch with you before.

The problem was that it wasn’t your friend or colleague who actually sent the message. A cybercriminal had hijacked their account and sent it to you, posing as your email buddy.

Because this tactic was working so well for the spammers, some cybercriminals focused their efforts on stealing databases of usernames and passwords in order to get into legitimate Gmail accounts.

People who committed the sin of password reuse across different websites made it all the easier: a password stolen from one site’s breached database was also the password to their Gmail account.

So Google gritted its teeth and got to work – work that’s paid off big-time, Google reported this week.

Google Security Engineer Mike Hearn reports in a Google Online Security Blog posting that the company has managed to shrink the number of compromised accounts to practically nil – a 99.7 percent reduction, to be exact – since the peak of hijacking attempts in 2011.

Email graph from Google

Part of the defense is that Google now performs a risk analysis on each sign-in to determine whether it looks suspicious, for example because it comes from a country far away from the one you last signed in from.

If so, it asks simple questions about the account that only the real owner should be able to answer, such as the account’s associated phone number or the answer to a security question.
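To make the "far from your last sign-in" check concrete, here is an added example of a toy risk-based sign-in analysis. It is not Google's code, and Google's real system weighs many more signals than this. It goes slightly beyond the article: besides flagging a sign-in from a different country, it checks whether the implied travel speed since the previous sign-in is physically possible (a so-called impossible-travel check), and it only treats a sign-in as the new baseline once it was not flagged as high risk. The log lines, account names, IP addresses and country centroid coordinates are all constructed for the example.

```python
"""
Added example (not Google's code): toy risk-based sign-in analysis.

A sign-in is compared with the account's previous sign-in. A different,
far-away country triggers a step-up challenge (phone number / security
question); an implausible travel speed between the two locations is
treated as high risk. All log lines and coordinates are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Rough country centroids (lat, lon). Assumed values for the example only.
COUNTRY_CENTROID = {
    "US": (39.8, -98.6),
    "GB": (54.0, -2.0),
    "NG": (9.1, 8.7),
    "RU": (61.5, 105.3),
}

MAX_PLAUSIBLE_KMH = 1000.0  # faster than any commercial flight
MIN_DISTANCE_KM = 500.0     # ignore short hops between neighbouring countries

# Constructed sign-in log: "<ISO8601 UTC> <account> <country> <ip>"
SAMPLE_LOG = [
    "2013-02-19T08:00:00Z alice US 203.0.113.10",
    "2013-02-19T08:30:00Z alice NG 198.51.100.7",   # US -> Nigeria in 30 min
    "2013-02-19T09:00:00Z bob GB 192.0.2.5",
    "2013-02-21T10:00:00Z bob US 203.0.113.77",     # GB -> US two days later
    "2013-02-21T11:00:00Z bob US 203.0.113.77",
]


@dataclass
class SignIn:
    account: str
    ts: datetime
    country: str
    ip: str


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def parse_event(line):
    """Parse one constructed log line into a SignIn record."""
    ts, account, country, ip = line.split()
    return SignIn(account, datetime.fromisoformat(ts.replace("Z", "+00:00")), country, ip)


def assess(prev, cur):
    """Return (risk, reason): 'low' lets the sign-in through,
    'medium' and 'high' require an account-verification challenge."""
    if prev is None:
        return "low", "first observed sign-in"
    if cur.country == prev.country:
        return "low", "same country as last sign-in"
    dist = haversine_km(COUNTRY_CENTROID[prev.country], COUNTRY_CENTROID[cur.country])
    if dist < MIN_DISTANCE_KM:
        return "low", "neighbouring country"
    hours = (cur.ts - prev.ts).total_seconds() / 3600.0
    if hours <= 0 or dist / hours > MAX_PLAUSIBLE_KMH:
        return "high", f"impossible travel: {dist:.0f} km {prev.country}->{cur.country} in {hours:.1f} h"
    return "medium", f"new country {cur.country}, {dist:.0f} km from last sign-in in {prev.country}"


def needs_challenge(risk):
    """Step up to the phone-number / security-question check for medium or high risk."""
    return risk in ("medium", "high")


def analyse(lines):
    """Run the check over a log; returns a list of (account, risk, reason)."""
    last = {}
    decisions = []
    for line in lines:
        ev = parse_event(line)
        risk, reason = assess(last.get(ev.account), ev)
        decisions.append((ev.account, risk, reason))
        # An unverified high-risk sign-in must not become the new baseline;
        # a medium-risk one is assumed to have passed the challenge.
        if risk != "high":
            last[ev.account] = ev
    return decisions


if __name__ == "__main__":
    for account, risk, reason in analyse(SAMPLE_LOG):
        action = "CHALLENGE" if needs_challenge(risk) else "allow"
        print(f"{account:6} {risk:6} {action:9} {reason}")
```

Running it, alice's second sign-in (the US-to-Nigeria hop in half an hour) comes out as high risk, bob's move from the UK to the US two days later is a plausible new country that still gets a challenge, and bob's next sign-in from the same country passes as low risk.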

Google requests account verification

We should all commend Google for squashing the number of compromised accounts, but it’s up to all of us to do our part in keeping our accounts safe.

Sophos’s Graham Cluley has written some detailed advice on how to protect your Gmail account, and Google suggests the following security-strengthening steps:

  • Use a strong, unique password for your Google account. Graham explains how to create easy-to-remember, hard-to-crack passwords in the article cited above. Alternatively, a password manager can generate impossible-to-remember, hard-to-crack passwords for you and store them all, so you never have to think about them. They’re God’s gift to those with “I will subscribe to anything on the planet” syndrome, such as yours truly.
  • Turn on two-step verification.
  • Update the recovery options on your account, such as your secondary email address and phone number.

Finally, consider whether Gmail is the safest place for your data.

As Graham suggests, a cloud email service may provide less security than your regular work email system, so if you have that option, consider limiting the kinds of data you send over a web email account.