Google reveals inner workings of manual hijacking

In Google's study, the firm gets up close and personal with hijackers that target not businesses or governments, but you personally.

Our digital identity is more important than ever. The data that can be traced back to us can include social media contacts, messages, our work details, bank accounts and purchase patterns.
So, it's no surprise when a recent poll in the US found that citizens were more concerned about online accounts being hijacked than their houses being robbed -- if you have insurance, goods can be replaced. If you lose an online account, you're at risk not only of losing the account forever -- but the heartbreak of identity theft.
One of the most common methods to take control of an account is mass hijacking. In this case, an automated process uses compromised systems to send out countless spam messages, malware, and phishing campaigns to add more hijacked accounts to the roster. In other cases, state-sponsored attacks target political institutions, universities, governments and corporations to access accounts and steal sensitive data or act as a gateway to spy on networks.
However, there is another category -- dubbed by Google "manual hijacking." What makes them different? These attacks are personal, time-consuming, and a cybercriminal is dedicated to infiltrating an individual's accounts -- often with the aim of plundering a person's bank account.
The tech giant says these account hijacks are rare -- with only nine incidents per mission users per day -- but they can be devastating to the victim.
In a new study, Google decided to explore this tactic further, looking at the sources of phishing emails, websites, and how these cybercriminals operate.
In these cases, we're not talking about remote, impersonal servers, brute-force attacks or phishing campaigns sent to thousands. Instead, imagine individuals working business hours, rifling through your accounts and tempting you to hand over your credentials for seemingly legitimate purposes.
A phishing email, crafted for you, can be far more believable than a supposedly long-lost uncle in Africa or a congratulatory note telling you you've won the Spanish lottery. Password guesses and malware installation were also popular methods used to access an account, according to the firm's researchers.
In addition, tactics change frequently. As an example, Google said that once the company started asking people which city they most frequently logged in most from, hijackers "almost immediately started phishing for the answers."
Once a hacker has obtained a single credential, around 20 percent of accounts are accessed within 30 minutes. This single point of entry into your life is then barricaded against your entry by changing the details, before a search of other links begins -- such as banking and social media accounts.
The next step? The cyberattacker uses your account and credentials to send out phishing emails to those in your address book. Since many in your network are liable to trust you -- and this happened last week to me through a PR contact whose account was taken over -- they may be more susceptible to seemingly innocent links and downloads, which monetizes the effort required in manual hijacking.
According to the paper (.PDF), many of these hijackers appear to be working out of China, the Ivory Coast, Malaysia, Nigeria and South Africa. To keep these attacks as legitimate-looking as possible, campaigns are organized by language, so French-speakers work on the French community, for example.
While we often consider ourselves too smart to fall for such lures, Google found that some malicious websites were effective 45 percent of time, with people submitting their details 14 percent of the time -- and even the most 'obviously' fake websites still managed to fool 3 percent of us.
When cyberattacks can send out millions of messages, this figure is rather concerning.
Rare manual hijacking cases may be, but severe they certainly are -- and how are we to protect against them?
Google says the study's findings have been used to implement changes in the firm's account security settings and systems, but in the end, it is up to us to maintain our own levels of security. First of all, change your password frequently, and don't give in to easily-remembered passwords or patterns like QWERTY1, Jesus or ninja. Humans are more similar to each other than we'd like to believe, and if its easy for us to remember, it is easy for someone to crack.
Secondary levels of verification are also useful. This does mean you have to hand over your phone number or another email address to companies like Google and PayPal, but in the end, this does give account access a second step which makes brute-force password cracking on its own less successful. In addition, if you do lose your account, you do have a way to verify your identity and potentially wrestle control back.