Google warns of an increase in attempted account hijackings
More spammers are trying to break into legitimate accounts, the company says. But Google is adapting to their methods.
The New York Times' report Monday of state-sponsored hacking in China drew new attention to the sophisticated techniques that would-be infiltrators use to gain access to victims' accounts. But it's not just China, Google said today -- the techniques used against U.S. government agencies and corporations are being used increasingly by hackers around the world.
"Compared to five years ago, more scams [and] illegal, fraudulent, or spammy messages today come from someone you know," security engineer Mike Hearn said in a blog post. "Although spam filters have become very powerful -- in Gmail, less than 1 percent of spam e-mails make it into an in-box -- these unwanted messages are much more likely to make it through if they come from someone you've been in contact with before. As a result, in 2010 spammers started changing their tactics -- and we saw a large increase in fraudulent mail sent from Google Accounts."
Google says that to get around spam filters, spammers are breaking into legitimate accounts and sending mail to that account's contacts. And the attacks can be quite serious.
"We've seen a single attacker using stolen passwords to attempt to break into a million different Google accounts every single day, for weeks at a time," Hearn wrote. "A different gang attempted sign-ins at a rate of more than 100 accounts per second."
Google said it resists such incursions using a "complex risk analysis" whenever someone tries to sign into an account. More than 120 variables determine whether the account is opened using a simple username and password or whether Google will ask follow-up questions, such as what phone number is associated with the account. Since Google began using these techniques, the number of compromised accounts has fallen 99.7 percent from its peak in 2011.
The company recommends users take their own steps to secure their accounts: use two-step verification, and set up recovery options. Even that might not keep the most sophisticated hackers at bay, but it's a start.