Google says it is winning the war against Gmail account hijackers

Filed Under: Data loss, Featured, Google, Malware, Phishing

GmailIt was 2011, and if you were a Gmail user you might have found things had begun to turn ugly.

Spam messages, spear-phishing attacks, and bogus "I'm stranded in a foreign country" scams, began to appear in some users' inboxes, defeating Google's anti-spam systems.

The reason why the messages reached their intended targets? They were sent from the legitimate Gmail account of one of your contacts rather than a third party who had never been in touch with you before.

The problem was that it wasn't your friend or colleague who physically sent the message. Rather, a cybercriminal had hijacked their account and sent you the message posing as your email buddy.

Because this tactic was working so well for the spammers, some cybercriminals focused their efforts on stealing databases of usernames and passwords to get into those legitimate Gmail accounts.

People who committed the sin of password reuse on different website accounts made it all the more easy to steal Gmail account login information.

So Google gritted its teeth and got to work - work that's paid off big-time, Google reported this week.

Google Security Engineer Mike Hearn reports in a Google Online Security Blog posting that the company has managed to shrink the number of compromised accounts to practically nil - a 99.7 percent reduction, to be exact - since the peak of hijacking attempts in 2011.

Email graph from Google

Part of the defense is that Google is now performing complex risk analysis to determine whether an account sign-in might be suspicious or risky - say, if it's coming from a country far away from your last sign-in.

If so, it asks simple questions about the account, such as the account's associated phone number, or the answer to a security question.

Google requests account verification

We should all commend Google for squashing the number of compromised accounts, but it's up to all of us to do our part in keeping our accounts safe.

Sophos's Graham Cluley has written some explicit advice on how to protect your Gmail account, and Google suggests the following security-strengthening steps:

  • Use a strong, unique password for your Google account. Graham teaches you how to create easy-to-remember, hard-to-crack passwords in the article I cited above. Otherwise, password management programs can cook up impossible-to-remember, hard-to-crack passwords for you, as well as store them all away where you don't have to think about them. They're God's gift to those with "I will subscribe to anything on the planet" syndrome, such as yours truly.
  • Turn on two-step verification.
  • Update the recovery options on your account, such as your secondary email address and phone number.

Finally, consider whether Gmail is the safest place for your data.

As Graham suggests, a cloud email service may provide less security than your regular work email system, so if you have that option, think of limiting the type of data you send over a web email account.

, , , , , , , , , , , ,

You might like

5 Responses to Google says it is winning the war against Gmail account hijackers

  1. Diane · 961 days ago

    My account and phone were compromised and there is no way I can recover my phone as every time I open a new account, they know and use the new e-mail and password. I have received e-mails from Google and even submitted a credit card number but I never heard of them. So I am left out with a phone that's almost unusable except to phone. Any hint on how I could recover from this?

  2. Thomas · 960 days ago

    I don't like Googles two-step verification system of using one's mobile phone number. Who knows what Google Analytics will do with it, let alone the other outfits that place tracking cookies in one's browser. A strong and unique password is, in my humble opinion, the best defense.

  3. Craig Barraclough · 960 days ago

    Two-Step verification is great, but *please* people, make sure any recovery email address is well protected. Far too often, the password recovery options are the weak link in the chain.

  4. Ceilo Azule · 958 days ago

    The concept of Two-Step verification is great but putting thought into practice is so simple, if when told not to ask for verification on certain machines, I was forced to do so time & time again!

    2 Stars up for the concepts
    3 Stars down for the practical application - ceiloazule

  5. All this work is worthless as long as Google continue to check the box to keep the users logged in by default on the computers they use. Its even checked for the 2 step verification!!!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.