Feeds

Yahoo! and! Microsoft! have! long! way! to! go! in! account! hijack! fight!

Google hardly ever spaffs out spam anymore - researchers

The Power of One eBook: Top reasons to choose HP BladeSystem

Microsoft and Yahoo! are way behind Google in fighting account hijacking, according to security experts.

Earlier this week Google said that "complex risk analysis" featuring "more than 120 variables" had reduced the number of compromised accounts on its system by 99.7 per cent, since the problem peaked in 2011. The claim is credible, according to Virus Bulletin anti-spam test director Martijn Grooten. But it looks like its rival providers are still battling to keep the account hijackers away - to the extent that the accounts of the two webmail providers are now a great deal more likely to be hijacked.

"Our own measurements show that Google may have a point when it says it is doing something right - and that Yahoo!, and to a lesser extent Hotmail (now Outlook.com), has a real problem," Grooten explains in a blog post.

The VBSpam spam filter tests involve the collection of various streams of legitimate emails (since a spam filter that blocks most spam, but which blocks a lot of legitimate email as well, is of little practical use).

However, the legitimate feeds we use do occasionally feature spam email - usually from compromised accounts and typically sent to addresses contained in the compromised accounts' address books. We have noticed a few emails from compromised Gmail accounts among these spam emails, but noticed that Yahoo! emails are far more prevalent.

Over the last eight months of testing Virus Bulletin found that, in the legitimate email feeds, about one in 115 emails from the Yahoo! were spam, compared with fewer than one in 4,800 from Gmail. Hotmail, Microsoft's free webmail service (now Outlook.com), features one in 325 spam emails in legitimate feeds.

In the majority of cases, the spamming is coming from compromised legitimate accounts. So Virus Bulletin's stats suggest that Yahoo! and MS need to do more to clamp down on account hijacking, perhaps by adopting some of the approaches used successfully by Google.

This is a problem not least because spam sent from compromised accounts "is notoriously hard to block, especially when the emails are sent to people in the accounts' address books and include links to pages on compromised websites (that typically redirect to the payload on domains controlled by the spammers)," according to Grooten.

He adds: "A significant portion of the links in these emails attempt to install malware (typically via exploit kits such as Blackhole), they are more than a mere nuisance. By reducing the number of compromised accounts, webmail providers thus not only reduce abuse of their own systems, they also help make the internet a safer place," he concluded.

Users can also help themselves by using secure passwords and trying to make sure their systems don't get infected by malware but a big slice of the responsibility falls on webmail providers.

Google is doing something right - and Virus Bulletin figures tend to confirm that. "Blocking this kind of stuff is tricky, I do wonder if they can improve much more," Grooten said.

Grooten added the caveat that the prices for hacked Gmail accounts on underground market don't appear to have experienced significant price increase and this is odd in the context of supply dropping by a factor of 300.

What is clear is that Yahoo! and Microsoft aren't doing as well as Google in combating the hijacking problem. Some of this might be explained by different demographics and hidden bias in Virus Bulletin stats, but not the wide difference in hijack-related spam incidents between Gmail and its two main webmail rivals.

"Gmail users have a reputation of being more tech-savvy than those using other webmail services, but this alone can't explain the huge difference we see. Yahoo!, and to a slightly lesser extent Microsoft, would thus do well to take a leaf out of Google's book," Grooten said. ®

Designing a Defense for Mobile Applications

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.