Manual Account Hijacking Rare, But Damaging: Google

A study released this week shows that the number of manual account hijacking cases is small, but such incidents can be distressing to users and they can result in significant financial loss.

While a large majority of account hijackings rely on botnets and are automated, there are cases where attackers spend a lot of time to profile victims and maximize the profit they make without using automation, according to the study conducted by researchers at Google and the University of California, San Diego.

By analyzing manual hijacking cases that occurred at Google between 2011 and 2014, researchers determined that there are only 9 incidents per million Google users per day. Incidents in which the attackers knew the victims or had physical access to their devices were excluded from the study.

Account hijacking starts with the attacker obtaining the victim’s credentials. This can be done through phishing, installing malware on the target’s computer, or by guessing the password that protects the account. However, researchers say phishing attacks are preferred by many cybercriminals since they are cheaper and easier to pull off.

While many people believe phishing is not a very effective technique because fake websites are easy to identify, Google says rogue sites actually work 45% of the time. Even the most obvious fakes deceive 3% of user, the search engine company has found.

Once access to an account is obtained, the attacker profiles it to decide whether or not it’s worth exploiting. According to the study, hackers spend on average three minutes to decide.

The actual exploitation phase consists of collecting sensitive information that can be monetized (e.g. financial information), tricking the victim’s contacts into transferring money to the attacker, or holding the account for ransom.

According to Google, roughly 20% of the hijacked accounts are accessed within 30 minutes after the attacker obtains the login credentials.

“Once they’ve broken into an account they want to exploit, hijackers spend more than 20 minutes inside, often changing the password to lock out the true owner, searching for other account details (like your bank, or social media accounts), and scamming new victims,” Elie Bursztein, Anti-Abuse Research Lead at Google, said in a blog post.

As far as attribution is concerned, most of the hijackers originate in China, Ivory Coast, Malaysia, Nigeria, and South Africa, the study shows.

When it comes to restoring access to compromised accounts, Google says it’s not a trivial task. According to study, the most reliable way to recover an account is via SMS, a method that works 81% of time for users who provided a phone number.  Secondary email addresses are also efficient, with a success rate of 75%. Secret questions or manual review of the compromised account also work, but they’re far less successful — the methods have only worked 14% of the time.

The complete study, titled “Handcrafted Fraud and Extortion: Manual Account Hijacking in the Wild” is available online.