Google and the University of California, San Diego conducted a study to analyze the effectiveness of email scams. The study ran from 2011 to 2014. They explored how criminals acquire credentials of their victims, how criminals monetized the account credentials and how Google gave control back to the victim.
They found accounts were hijacked most often through phishing. Most of the hijacking attempts came from China, Ivory Coast, Malaysia, Nigeria, and South Africa based on the geolocation of their ip addresses. Criminals attempted to access 20% the accounts within half an hour. . Victim’s accounts were found to be restored through SMS 81% of the time. A secondary email address helped 75% of the time. Without these to be relied on, they need to rely on secret questions and the causes the success rate to fall to 14%.
The ways criminals manually hijack an account consists of phishing the user’s credentials, installing malware on the machine to steal the credentials or trying to guess their password. The study was limited to phishing emails sent to victims and specifically to 100 emails selected at random from 5000 emails reported by users. They also used phishing pages that were detected by SafeBrowsing. They found that once they are into the account, the contacts are also targeted.
Of the hundred phishing emails studied January 2014, 62 of them contained urls that pointed to pages designed to impersonate a well-known site to trick users into putting in their credentials. The other 38 emails asked for users to reply to the email with their credentials. Since the emails with the links go to the page from the email itself, they found there wasn’t a referring website when they were tracking which confirmed when they were clicked on.
One surprise is that the most common email addresses being phished had the .edu top domain. The study reported that it was possibly due to schools having less robust spam filters and more social networks being used by the students.
The study estimated that 13.7% of visitors complete the web forms used in phishing, higher than they thought it would be. In order to get some data, they submitted 200 fake credentials into a random sample of phishing pages that asked for Google credentials. They recorded the times so they could follow the response times. They found 20% of the fake accounts were accessed within half an hour and 50% within 7 hours. Once logged in, they spent an average of 3 minutes to assess the value of the account before exploiting it. The criminals would look through email history for the victim’s banking information or what they flagged as important.
The hijackers would spend some time going through emails and contacts to see how they could monetize the account. They found some of the scams to consist of story to pull at people’s heartstrings in order to try to make some money.
What you can do:
Use 2-factor login. Check your account often. Have backup email address or SMS number available for account recovery.