Pierluigi Paganini November 10, 2014

A study published by Google demonstrates that manual phishing attacks are the simplest and most effective method for hacking email accounts.

A study recently published by Google demonstrates that so-called manual phishing attacks are the simplest and most effective method for hijacking users’ email address.

Let’s consider that the manual phishing attacks, as suggested by the name, doesn’t use any automated tool to compromise the user’s account and for this reason it is rare in comparison with other technique of attacks.

Experts at Google revealed that only nine attacks per million users every day adopt the manual phishing technique, considering that the number of Gmail users was more than 425 million users in 2012, meaning that thousands of individuals fall victim manual attacks a day.

Manual phishing attacks are considered time consuming, the hack of a single Gmail account request a considerable amount of time. According to Google, once the attacker gains the access to the account he will spend more than 20 minutes to exploit the account for maximum gain. The first operation made by the attacker is to lock out the legitimate owner, changing the password, as a second step he tries to gather as much information as possible from the account like social media and other email accounts.

“Around 20% of hijacked accounts are accessed within 30 minutes of a hacker obtaining the login info. Once they’ve broken into an account they want to exploit, hijackers spend more than 20 minutes inside, often changing the password to lock out the true owner, searching for other account details (like your bank, or social media accounts), and scamming new victims.”states Google in a blog post.

Google confirms that phishing is the most effective technique to hijack an email account, the hacked accounts are usually recruited to send phishing messages to victim’s contacts present in the address book.

“Most of us think we’re too smart to fall for phishing, but our research found some fake websites worked a whopping 45% of the time. On average, people visiting the fake pages submitted their info 14% of the time, and even the most obviously fake sites still managed to deceive 3% of people. Considering that an attacker can send out millions of messages, these success rates are nothing to sneeze at.”states Google.

” People in the contact list of hijacked accounts are 36 times more likely to be hijacked themselves.” 

Google also tried to track the profile of hackers that run manual phishing attacks, despite it is very hard to identify them, the company states that they operate mainly from China, Ivory Coast, Malaysia, Nigeria and South Africa.

According to the experts at Google, the attackers are professional hackers that approach their work like a full-time job, with regular working days and time.

The attackers running manual phishing attacks demonstrate the capability to adapt their operation to countermeasures implemented by Google, when the company started asking users to verify suspicious activity by confirming their city of residence, the attackers promptly began sending phishing e-mails to obtain the correct information from their victims.

Google explained that several security features can be highly effective in preventing manual phishing attacks, including the two-factor authentication and the recently launched Security Key that will allow clients authentication with a USB stick.

The principal problem is that a limited number of users is aware of cyber threats and too few individuals adopt these tools for the protection of their accounts.

Pierluigi Paganini

Security Affairs –  (manual phishing attacks, Google)