Feeds

Yahoo! and! Microsoft! have! long! way! to! go! in! account! hijack! fight!

Google hardly ever spaffs out spam anymore - researchers

Protecting against web application threats using SSL

Microsoft and Yahoo! are way behind Google in fighting account hijacking, according to security experts.

Earlier this week Google said that "complex risk analysis" featuring "more than 120 variables" had reduced the number of compromised accounts on its system by 99.7 per cent, since the problem peaked in 2011. The claim is credible, according to Virus Bulletin anti-spam test director Martijn Grooten. But it looks like its rival providers are still battling to keep the account hijackers away - to the extent that the accounts of the two webmail providers are now a great deal more likely to be hijacked.

"Our own measurements show that Google may have a point when it says it is doing something right - and that Yahoo!, and to a lesser extent Hotmail (now Outlook.com), has a real problem," Grooten explains in a blog post.

The VBSpam spam filter tests involve the collection of various streams of legitimate emails (since a spam filter that blocks most spam, but which blocks a lot of legitimate email as well, is of little practical use).

However, the legitimate feeds we use do occasionally feature spam email - usually from compromised accounts and typically sent to addresses contained in the compromised accounts' address books. We have noticed a few emails from compromised Gmail accounts among these spam emails, but noticed that Yahoo! emails are far more prevalent.

Over the last eight months of testing Virus Bulletin found that, in the legitimate email feeds, about one in 115 emails from the Yahoo! were spam, compared with fewer than one in 4,800 from Gmail. Hotmail, Microsoft's free webmail service (now Outlook.com), features one in 325 spam emails in legitimate feeds.

In the majority of cases, the spamming is coming from compromised legitimate accounts. So Virus Bulletin's stats suggest that Yahoo! and MS need to do more to clamp down on account hijacking, perhaps by adopting some of the approaches used successfully by Google.

This is a problem not least because spam sent from compromised accounts "is notoriously hard to block, especially when the emails are sent to people in the accounts' address books and include links to pages on compromised websites (that typically redirect to the payload on domains controlled by the spammers)," according to Grooten.

He adds: "A significant portion of the links in these emails attempt to install malware (typically via exploit kits such as Blackhole), they are more than a mere nuisance. By reducing the number of compromised accounts, webmail providers thus not only reduce abuse of their own systems, they also help make the internet a safer place," he concluded.

Users can also help themselves by using secure passwords and trying to make sure their systems don't get infected by malware but a big slice of the responsibility falls on webmail providers.

Google is doing something right - and Virus Bulletin figures tend to confirm that. "Blocking this kind of stuff is tricky, I do wonder if they can improve much more," Grooten said.

Grooten added the caveat that the prices for hacked Gmail accounts on underground market don't appear to have experienced significant price increase and this is odd in the context of supply dropping by a factor of 300.

What is clear is that Yahoo! and Microsoft aren't doing as well as Google in combating the hijacking problem. Some of this might be explained by different demographics and hidden bias in Virus Bulletin stats, but not the wide difference in hijack-related spam incidents between Gmail and its two main webmail rivals.

"Gmail users have a reputation of being more tech-savvy than those using other webmail services, but this alone can't explain the huge difference we see. Yahoo!, and to a slightly lesser extent Microsoft, would thus do well to take a leaf out of Google's book," Grooten said. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.