The state of hacked accounts

Most users get hacked at high rates even when they do not think they are engaging in risky behavior, with 62% unaware of how their accounts had been compromised, according to Commtouch.

The increased preference for compromised accounts is illustrated by the graph below which compares the percentage of spam received over sample periods in Q2 and Q3 2011, where the “from” field includes “Gmail” or “Hotmail.”

The results of a survey presenting statistics on the theft, abuse and eventual recovery of Gmail, Yahoo, Hotmail and Facebook accounts show that:

  • Less than one-third of users noticed their accounts had been compromised, with over 50% relying on friends to point out their stolen accounts.
  • 15% of users thought their credentials were stolen after they used a public Internet terminal or WiFi network.
  • One in eight hijacked accounts was used for a phony distress email scam that asks friends to wire funds to a foreign country, and over half of the accounts were used to send spam.

“Commtouch’s poll reveals that more than two-thirds of all compromised accounts are used to send spam and scams,” said Amir Lev, Commtouch’s CTO. “This is not surprising, as cybercriminals can improve their email delivery rates by sending from trusted domains such as Gmail, Yahoo, and Hotmail, and enhance their open and click-through rates by sending from familiar senders.”

Each of the large Webmail providers (Gmail, Yahoo, Hotmail and Facebook) attracted in the range of 15 to 27% of the attention from cybercriminals. This demonstrates that the value of a compromised account is in the “clean” IP address, rather than the specific domain of the address. From this point of view, all accounts have a similar value, since each is from a well-known domain. Among those who responded “other” were users of AOL, Comcast and several other providers.

The majority of survey respondents – 62% – were not sure how their account was compromised, indicating that many people typically engage in risky online behavior without realizing it.

It is not always easy to figure out how an account gets compromised and retracing steps doesn’t always help. None of the respondents believed they had been phished or had been victims of a drive-by download (by following a phony link). It is quite likely that many of the victims simply used easy-to-guess passwords. 15% recalled having used a public Internet terminal or public WiFi prior to the hack.

Legitimate user Webmail and Facebook accounts are a valuable prize for spammers and scammers. The use of these for spam and scams is expected to increase, and users should therefore take basic precautions when they access these in public domains as well as observe sound password management.

The complete report is available in PDF format here.
