While rare, manual account hijacking is more damaging
Online accounts are a valuable resource for scammers: not only do they often contain additional personal and financial information about their owners, but they are also a great staging point for additional attacks. As the results of recent research by Google showed, people in the contact list of hijacked accounts are 36 times more likely to be hijacked themselves.
Account hijacking is usually an automated process for cyber crooks. More often than not potential targets receive spam emails that lead to fake login phishing pages where some users submit their login credentials, which are then collected by the criminals, and misused to hijack accounts and send spam email through them to the victim’s contacts or other potential targets.
A group of Google and University of California researchers have perused information about account hijacking incidents that occurred at Google between 2011-2014, but have concentrated on so called manual hijacking.
It admittedly happens rarely – 9 incidents per million users per day – but are more damaging for the victim.
“Manual hijackers spend significant non-automated effort on profiling victims and maximizing the profit—or damage—they can extract from a single credential,” the researcher noted in their paper.
They discovered that:
- Phishing requests target victims’ email (35%) and banking institutions (21%) accounts, as well as their app stores and social networking credentials
- Most of the manual hijackers appear to originate from China, Ivory Coast, Malaysia, Nigeria, Venezuela and South Africa.
- Hijackers are quick to adapt to new security measures
- Hijackers take on average 3 minutes to assess the value of the account before deciding to use it or abandon it.
- “Around 20% of hijacked accounts are accessed within 30 minutes of a hacker obtaining the login info,” Elie Bursztein, head of the anti-abuse research team at Google, explained. “Once they’ve broken into an account they want to exploit, hijackers spend more than 20 minutes inside, often changing the password to lock out the true owner, searching for other account details (like your bank, or social media accounts), and scamming new victims.”
Instead of sending out random spam emails, the attackers will often try to impersonate the rightful owner of the account and try to trick the victim’s contacts into transferring money to them. They occasionally also hold the account for ransom.
The researchers also found circumstantial evidence that seems to point to the fact that the hijackers work in organized groups, are on a tight daily schedule, and use the same approach and techniques.
When it comes to legitimate users recovering their hijacked Google accounts, the SMS verification and email recovery options are the most effective. But the best thing users can currently do prevent the hijacking in the first place is to set up a second authentication factor.