Manual Account Hijacking Rare, But Damaging: Google

A study released this week shows that the number of manual account hijacking cases is small, but such incidents can be distressing to users and they can result in significant financial loss.


While a large majority of account hijackings rely on botnets and are automated, there are cases where attackers work without automation, spending a lot of time profiling victims to maximize the profit they make, according to the study conducted by researchers at Google and the University of California, San Diego.

By analyzing manual hijacking cases that occurred at Google between 2011 and 2014, researchers determined that there are only 9 incidents per million Google users per day. Incidents in which the attackers knew the victims or had physical access to their devices were excluded from the study.

Account hijacking starts with the attacker obtaining the victim’s credentials. This can be done through phishing, installing malware on the target’s computer, or by guessing the password that protects the account. However, researchers say phishing attacks are preferred by many cybercriminals since they are cheaper and easier to pull off.

While many people believe phishing is not a very effective technique because fake websites are easy to identify, Google says rogue sites actually work 45% of the time. Even the most obvious fakes deceive 3% of users, the search engine company has found.

Once access to an account is obtained, the attacker profiles it to decide whether or not it’s worth exploiting. According to the study, hackers spend on average three minutes to decide.

The actual exploitation phase consists of collecting sensitive information that can be monetized (e.g. financial information), tricking the victim’s contacts into transferring money to the attacker, or holding the account for ransom.


According to Google, roughly 20% of the hijacked accounts are accessed within 30 minutes after the attacker obtains the login credentials.

“Once they’ve broken into an account they want to exploit, hijackers spend more than 20 minutes inside, often changing the password to lock out the true owner, searching for other account details (like your bank, or social media accounts), and scamming new victims,” Elie Bursztein, Anti-Abuse Research Lead at Google, said in a blog post.

As far as attribution is concerned, most of the hijackers originate in China, Ivory Coast, Malaysia, Nigeria, and South Africa, the study shows.

When it comes to restoring access to compromised accounts, Google says it’s not a trivial task. According to the study, the most reliable way to recover an account is via SMS, a method that works 81% of the time for users who provided a phone number. Secondary email addresses are also efficient, with a success rate of 75%. Secret questions or manual review of the compromised account also work, but they’re far less successful — the methods have only worked 14% of the time.

The complete study, titled “Handcrafted Fraud and Extortion: Manual Account Hijacking in the Wild” is available online.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
