VB data supports Google's claim to having reduced compromised accounts

Posted by Virus Bulletin on Feb 21, 2013

Internet giant may indeed do something right; Yahoo! has a real problem.

Internet giant Google claims that a 'complex risk analysis' using 'more than 120 variables' has reduced the number of compromised accounts on its system by 99.7% since 2011. VB's data suggests that this could indeed be the case.

It is usually good to be skeptical when companies make such bold claims about their own performance. Even putting aside the company's obvious interest in making things appear better than they are, bias easily slips in when one measures one's own performance. After all, from an attacker's point of view, an ideal compromised account is one where no one, including Google, notices it has been compromised - and which thus would not appear in the statistics.

But our own measurements show that Google may have a point when it says it is doing something right - and that Yahoo!, and to a lesser extent Hotmail (now Outlook.com), have a real problem.

For the VBSpam spam filter tests we collect various streams of legitimate emails (since a spam filter that blocks most spam, but which blocks a lot of legitimate email as well, is of little practical use).

However, the legitimate feeds we use do receive the occasional spam email - usually from compromised accounts and typically sent to addresses contained in the compromised accounts' address books. We have noticed a few emails from compromised Gmail accounts among these spam emails, but noticed that Yahoo! emails are far more prevalent. We were initially hesitant to draw conclusions from this: it is quite possible that the feeds we receive are skewed towards certain email providers.

Indeed, they are skewed, but towards Gmail, whose messages are far more prevalent among the legitimate feeds. This makes the situation a lot worse for Yahoo!: over the last eight months of testing we have found that, in the legitimate email feeds, about one in 115 emails from the Sunnyvale-based company were spam, compared with fewer than one in 4,800 from Gmail. Hotmail, Microsoft's free webmail service (now Outlook.com), isn't doing particularly well either, with almost one in 325 emails being spam.
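The figures above come from comparing, per sending provider, how many messages in a feed of otherwise legitimate mail turned out to be spam. As an added illustration (not part of the original post and not VB's own test tooling), the script below computes exactly that kind of per-provider rate from a labelled feed, and also reports each provider's share of the feed, which is what separates "this provider sends us a lot of mail" from "a large fraction of this provider's mail is spam". The feed lines, their tab-separated `label<TAB>address` format and the message counts are all constructed for the example.

```python
# Added example, not Virus Bulletin's own code: per-provider spam rate in a
# labelled "legitimate" mail feed, alongside each provider's share of the feed.
import re
from collections import defaultdict

# Constructed sample feed: one message per line, "<label>\t<from-address>".
# Labels are after-the-fact verdicts ("ham" or "spam"); addresses are made up.
SAMPLE_FEED = """\
ham\talice@gmail.com
ham\tbob@gmail.com
ham\tcarol@gmail.com
ham\tdave@gmail.com
ham\terin@gmail.com
ham\tfrank@gmail.com
ham\tgrace@gmail.com
ham\theidi@gmail.com
ham\tivan@gmail.com
spam\tjudy@gmail.com
ham\tkim@yahoo.com
spam\tleo@yahoo.com
ham\tmia@yahoo.com
spam\tnina@yahoo.com
ham\toscar@hotmail.com
ham\tpeggy@hotmail.com
spam\tquinn@hotmail.com
ham\trita@hotmail.com
ham\tsam@hotmail.com
ham\ttina@hotmail.com
"""

# Domain part of an address; anchored so "a@b@c" yields the last domain.
FROM_DOMAIN = re.compile(r"@([A-Za-z0-9.-]+)$")


def domain_of(address):
    """Return the lower-cased domain of an email address, or None if malformed."""
    match = FROM_DOMAIN.search(address.strip())
    return match.group(1).lower() if match else None


def provider_stats(feed_text):
    """Count total and spam messages per sending domain.

    Blank lines, lines without a tab separator and malformed addresses are
    skipped rather than counted, so a corrupt line cannot inflate a provider.
    """
    counts = defaultdict(lambda: {"total": 0, "spam": 0})
    for line in feed_text.splitlines():
        if "\t" not in line:
            continue
        label, address = line.split("\t", 1)
        domain = domain_of(address)
        if domain is None:
            continue
        counts[domain]["total"] += 1
        if label.strip().lower() == "spam":
            counts[domain]["spam"] += 1
    return dict(counts)


def spam_rate(stats, domain):
    """Fraction of a provider's messages in the feed that were spam."""
    entry = stats[domain]
    return entry["spam"] / entry["total"]


def one_in(rate):
    """Express a rate as 'one in N' (N rounded); None when the rate is zero."""
    return round(1 / rate) if rate else None


def feed_share(stats, domain):
    """Fraction of the whole feed that came from this provider (the skew)."""
    total = sum(entry["total"] for entry in stats.values())
    return stats[domain]["total"] / total


if __name__ == "__main__":
    stats = provider_stats(SAMPLE_FEED)
    for domain in sorted(stats):
        print(f"{domain:12} share of feed {feed_share(stats, domain):5.1%}  "
              f"spam rate one in {one_in(spam_rate(stats, domain))}")
```

Run on the constructed feed, the output shows gmail.com supplying half of all messages yet having the lowest spam rate, which is the shape of the skew described in the post: a provider can dominate the feed and still be the one whose accounts are least often sending spam.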

Although we have not been able to verify whether all webmail accounts seen spamming were compromised legitimate accounts, we could tell that for the majority this was indeed the case. Note that we do not make any claims about the prevalence of the various webmail accounts in overall spam - but spam that is sent indiscriminately to the recipient tends to be relatively easy to block and is generally not sent from webmail accounts.

Spam sent from compromised accounts, on the other hand, is notoriously hard to block, especially when the emails are sent to people in the accounts' address books and include links to pages on compromised websites (that typically redirect to the payload on domains controlled by the spammers). Since a significant portion of the links in these emails attempt to install malware (typically via exploit kits such as Blackhole), they are more than a mere nuisance. By reducing the number of compromised accounts, webmail providers thus not only reduce abuse of their own systems, they also help make the Internet a safer place.

It is true that users have an important role to play: by using secure passwords and clean machines, they reduce the chances of their accounts being compromised. Gmail users have a reputation of being more tech-savvy than those using other webmail services, but this alone can't explain the huge difference we see. Yahoo!, and to a slightly lesser extent Microsoft, would thus do well to take a leaf out of Google's book.

More on Google's success against hijacked accounts at the company's blog here. More on the VBSpam tests can be found here.

Posted on 21 February 2013 by Martijn Grooten
