VB data supports Google's claim to having reduced compromised accounts

Posted by   Virus Bulletin on   Feb 21, 2013

Internet giant may indeed do something right; Yahoo! has a real problem.

Internet giant Google claims that a 'complex risk analysis' using 'more than 120 variables' has reduced the number of compromised accounts on its system by 99.7% since 2011. VB's data suggests that this could indeed be the case.

It is usually good to be skeptical when companies make such bold claims about their own performance. Even putting aside the company's obvious interest in making things appear better than they are, bias easily slips in when one measures one's own performance. After all, from an attacker's point of view, an ideal compromised account is one where no one, including Google, notices it has been compromised - and which thus would not appear in the statistic.

But our own measurements show that Google may have a point when it says it is doing something right - and that Yahoo!, and to a lesser extent Hotmail (now Outlook.com), has a real problem.

For the VBSpam spam filter tests we collect various streams of legitimate emails (since a spam filter that blocks most spam, but which blocks a lot of legitimate email as well, is of little practical use).

However, the legitimate feeds we use do receive the occasional spam email - usually from compromised accounts and typically sent to addresses contained in the compromised accounts' address books. We have noticed a few emails from compromised Gmail accounts among these spam emails, but noticed that Yahoo! emails are far more prevalent. We were initially hesitant to draw conclusions from this: it is well possible that the feeds we receive are skewed towards certain email providers.

Indeed, they are skewed, but towards Gmail, whose messages are far more prevalent among the legitimate feeds. This makes the situation a lot worse for Yahoo!: over the last eight months of testing we have found that, in the legitimate email feeds, about one in 115 emails from the Sunnyvale-based company were spam, compared with fewer than one in 4,800 from Gmail. Hotmail, Microsoft's free webmail service (now Outlook.com), isn't doing particularly well either, with almost 1 in 325 emails being spam.

Although we have not been able to verify whether all webmail accounts seen spamming were compromised legitimate accounts, we could tell that for the majority this was indeed the case. Note that we do not make any claims about the prevalence of the various webmail accounts in overall spam - but spam that is sent indiscriminately to the recipient tends to be relative easy to block and is generally not sent from webmail accounts.

Spam sent from compromised accounts, on the other hand, is notoriously hard to block, especially when the emails are sent to people in the accounts' address books and include links to pages on compromised websites (that typically redirect to the payload on domains controlled by the spammers). Since a significant portion of the links in these emails attempt to install malware (typically via exploit kits such as Blackhole), they are more than a mere nuisance. By reducing the number of compromised accounts, webmail providers thus not only reduce abuse of their own systems, they also help make the Internet a safer place.

It is true that users have an important role to play: by using secure passwords and clean machines, they reduce the chances of their accounts being compromised. Gmail users have a reputation of being more tech-savvy than those using other webmail services, but this alone can't explain the huge difference we see. Yahoo!, and to a slightly lesser extent Microsoft, would thus do well to take a leaf out of Google's book.

More on Google's success against hijacked accounts at the company's blog here. More on the VBSpam tests can be found here.

Posted on 21 February 2013 by Martijn Grooten



Latest posts:

Didn't come to VB2017? Tell us why!

Virus Bulletin is a company - and a conference - with a mission: to further the research in and facilitate the fight against digital threats. To help us in this mission, we want to hear from those who didn't come to Madrid. What is your impression of…

Montreal will host VB2018

Last week, we announced the full details of VB2018, which will take place 3-5 October 2018 at the Fairmont The Queen Elizabeth hotel in Montreal, Quebec, Canada.

VB2017 preview: Beyond lexical and PDNS (guest blog)

In a special guest blog post, VB2017 Silver sponsor Cisco Umbrella writes about a paper that researchers Dhia Mahjoub and David Rodriguez will present at the conference this Friday.

Avast to present technical details of CCleaner hack at VB2017

The recently discovered malicious CCleaner version has become one of the biggest security stories of 2017. Two researchers from Avast, the company that had recently acquired CCleaner developer Piriform, will share the results of their investigations…

VB2017 preview: Walking in your enemy's shadow: when fourth-party collection becomes attribution hell

We preview the VB2017 paper by Kaspersky Lab researchers Juan Andrés Guerrero-Saade and Costin Raiu on fourth-party collection and its implications for attack attribution.