VB data supports Google's claim to having reduced compromised accounts

Posted by   Virus Bulletin on   Feb 21, 2013

Internet giant may indeed do something right; Yahoo! has a real problem.

Internet giant Google claims that a 'complex risk analysis' using 'more than 120 variables' has reduced the number of compromised accounts on its system by 99.7% since 2011. VB's data suggests that this could indeed be the case.

It is usually good to be skeptical when companies make such bold claims about their own performance. Even putting aside the company's obvious interest in making things appear better than they are, bias easily slips in when one measures one's own performance. After all, from an attacker's point of view, an ideal compromised account is one where no one, including Google, notices it has been compromised - and which thus would not appear in the statistic.

But our own measurements show that Google may have a point when it says it is doing something right - and that Yahoo!, and to a lesser extent Hotmail (now Outlook.com), has a real problem.

For the VBSpam spam filter tests we collect various streams of legitimate emails (since a spam filter that blocks most spam, but which blocks a lot of legitimate email as well, is of little practical use).

However, the legitimate feeds we use do receive the occasional spam email - usually from compromised accounts and typically sent to addresses contained in the compromised accounts' address books. We have noticed a few emails from compromised Gmail accounts among these spam emails, but Yahoo! emails are far more prevalent. We were initially hesitant to draw conclusions from this: it is quite possible that the feeds we receive are skewed towards certain email providers.

Indeed, they are skewed, but towards Gmail, whose messages are far more prevalent among the legitimate feeds. This makes the situation a lot worse for Yahoo!: over the last eight months of testing we have found that, in the legitimate email feeds, about one in 115 emails from the Sunnyvale-based company were spam, compared with fewer than one in 4,800 from Gmail. Hotmail, Microsoft's free webmail service (now Outlook.com), isn't doing particularly well either, with almost 1 in 325 emails being spam.
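As an added example (not VB's own tooling; the post does not publish its feeds or counting method), the following shows how a per-provider spam share in a feed assumed to be legitimate can be computed, with a Wilson interval so that a "one in N" figure built on a handful of messages is visibly less reliable than one built on thousands. The domain-to-provider mapping and the sample messages are constructed assumptions.

```python
import re
from collections import defaultdict
from math import sqrt

# Sender domains grouped by webmail provider (assumption, not VB's list).
PROVIDERS = {
    "gmail.com": "Gmail", "googlemail.com": "Gmail",
    "yahoo.com": "Yahoo!", "ymail.com": "Yahoo!", "rocketmail.com": "Yahoo!",
    "hotmail.com": "Hotmail", "live.com": "Hotmail", "outlook.com": "Hotmail",
}
FROM_RE = re.compile(r"^From:.*?<?([^<>\s]+@([^<>\s]+))>?\s*$", re.I | re.M)

def provider_of(raw_message):
    """Provider of the From: address, or None if not a tracked webmail domain."""
    m = FROM_RE.search(raw_message)
    return PROVIDERS.get(m.group(2).lower()) if m else None

def spam_rates(messages, z=1.96):
    """messages: (raw_message, is_spam) pairs from a feed assumed legitimate.
    Returns {provider: (total, spam, rate, wilson_low, wilson_high)}."""
    totals, spams = defaultdict(int), defaultdict(int)
    for raw, is_spam in messages:
        p = provider_of(raw)
        if p is None:
            continue                      # non-webmail senders are ignored
        totals[p] += 1
        spams[p] += int(is_spam)
    out = {}
    for p, n in totals.items():
        rate = spams[p] / n
        # Wilson score interval: with few messages the interval is wide,
        # so a "one in N" figure from a small sample carries little weight.
        centre = (rate + z * z / (2 * n)) / (1 + z * z / n)
        half = z * sqrt(rate * (1 - rate) / n + z * z / (4 * n * n)) / (1 + z * z / n)
        out[p] = (n, spams[p], rate, max(0.0, centre - half), min(1.0, centre + half))
    return out

def one_in(rate):
    """Express a rate the way the post does: 'one in N' emails."""
    return None if rate == 0 else round(1 / rate)

# Constructed sample feed (not real VB data): raw headers plus a spam label.
SAMPLE = (
    [("From: Alice <alice@gmail.com>\nSubject: lunch", False)] * 47
    + [("From: bob@gmail.com\nSubject: re: your account", True)]
    + [("From: Carol <carol@yahoo.com>\nSubject: report", False)] * 9
    + [("From: dave@ymail.com\nSubject: check this out", True)]
    + [("From: erin@example.org\nSubject: unrelated", False)]
)
```

Running `spam_rates(SAMPLE)` on the constructed feed gives one spam in 48 for Gmail and one in 10 for Yahoo!, but the Yahoo! interval is several times wider, which is why a comparison like the post's needs months of traffic rather than a few dozen messages.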

Although we have not been able to verify whether all webmail accounts seen spamming were compromised legitimate accounts, we could tell that for the majority this was indeed the case. Note that we do not make any claims about the prevalence of the various webmail accounts in overall spam - but spam that is sent indiscriminately to the recipient tends to be relatively easy to block and is generally not sent from webmail accounts.

Spam sent from compromised accounts, on the other hand, is notoriously hard to block, especially when the emails are sent to people in the accounts' address books and include links to pages on compromised websites (that typically redirect to the payload on domains controlled by the spammers). Since a significant portion of the links in these emails attempt to install malware (typically via exploit kits such as Blackhole), they are more than a mere nuisance. By reducing the number of compromised accounts, webmail providers thus not only reduce abuse of their own systems, they also help make the Internet a safer place.

It is true that users have an important role to play: by using secure passwords and clean machines, they reduce the chances of their accounts being compromised. Gmail users have a reputation of being more tech-savvy than those using other webmail services, but this alone can't explain the huge difference we see. Yahoo!, and to a slightly lesser extent Microsoft, would thus do well to take a leaf out of Google's book.

More on Google's success against hijacked accounts at the company's blog here. More on the VBSpam tests can be found here.

Posted on 21 February 2013 by Martijn Grooten

