Feeds

Yahoo! and! Microsoft! have! long! way! to! go! in! account! hijack! fight!

Google hardly ever spaffs out spam anymore - researchers

Reducing security risks from open source software

Microsoft and Yahoo! are way behind Google in fighting account hijacking, according to security experts.

Earlier this week Google said that "complex risk analysis" featuring "more than 120 variables" had reduced the number of compromised accounts on its system by 99.7 per cent, since the problem peaked in 2011. The claim is credible, according to Virus Bulletin anti-spam test director Martijn Grooten. But it looks like its rival providers are still battling to keep the account hijackers away - to the extent that the accounts of the two webmail providers are now a great deal more likely to be hijacked.

"Our own measurements show that Google may have a point when it says it is doing something right - and that Yahoo!, and to a lesser extent Hotmail (now Outlook.com), has a real problem," Grooten explains in a blog post.

The VBSpam spam filter tests involve the collection of various streams of legitimate emails (since a spam filter that blocks most spam, but which blocks a lot of legitimate email as well, is of little practical use).

However, the legitimate feeds we use do occasionally feature spam email - usually from compromised accounts and typically sent to addresses contained in the compromised accounts' address books. We have noticed a few emails from compromised Gmail accounts among these spam emails, but noticed that Yahoo! emails are far more prevalent.

Over the last eight months of testing Virus Bulletin found that, in the legitimate email feeds, about one in 115 emails from the Yahoo! were spam, compared with fewer than one in 4,800 from Gmail. Hotmail, Microsoft's free webmail service (now Outlook.com), features one in 325 spam emails in legitimate feeds.

In the majority of cases, the spamming is coming from compromised legitimate accounts. So Virus Bulletin's stats suggest that Yahoo! and MS need to do more to clamp down on account hijacking, perhaps by adopting some of the approaches used successfully by Google.

This is a problem not least because spam sent from compromised accounts "is notoriously hard to block, especially when the emails are sent to people in the accounts' address books and include links to pages on compromised websites (that typically redirect to the payload on domains controlled by the spammers)," according to Grooten.

He adds: "A significant portion of the links in these emails attempt to install malware (typically via exploit kits such as Blackhole), they are more than a mere nuisance. By reducing the number of compromised accounts, webmail providers thus not only reduce abuse of their own systems, they also help make the internet a safer place," he concluded.

Users can also help themselves by using secure passwords and trying to make sure their systems don't get infected by malware but a big slice of the responsibility falls on webmail providers.

Google is doing something right - and Virus Bulletin figures tend to confirm that. "Blocking this kind of stuff is tricky, I do wonder if they can improve much more," Grooten said.

Grooten added the caveat that the prices for hacked Gmail accounts on underground market don't appear to have experienced significant price increase and this is odd in the context of supply dropping by a factor of 300.

What is clear is that Yahoo! and Microsoft aren't doing as well as Google in combating the hijacking problem. Some of this might be explained by different demographics and hidden bias in Virus Bulletin stats, but not the wide difference in hijack-related spam incidents between Gmail and its two main webmail rivals.

"Gmail users have a reputation of being more tech-savvy than those using other webmail services, but this alone can't explain the huge difference we see. Yahoo!, and to a slightly lesser extent Microsoft, would thus do well to take a leaf out of Google's book," Grooten said. ®

Mobile application security vulnerability report

More from The Register

next story
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Microsoft: You NEED bad passwords and should re-use them a lot
Dirty QWERTY a perfect P@ssword1 for garbage websites
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
L33t haxxors compete to p0wn popular home routers
EFF-endorsed SOHOpelessly Broken challenge will air routers' dirty zero day laundry
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
British data cops: We need greater powers and more money
You want data butt kicking, we need bigger boots - ICO
Crooks fling banking Trojan at Japanese smut site fans
Wait - they're doing online banking with an unpatched Windows PC?
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Mobile application security vulnerability report
The alarming realities regarding the sheer number of applications vulnerable to attack, and the most common and easily addressable vulnerability errors.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.