Hackers get personal with ‘manual hijacking,’ Google finds

A sample phishing page used to steal account information is made to look like the real thing. A new study says groups of professional hackers sort through individual accounts to determine their worth and exploit them.

When hackers target Google users’ accounts, they get a lot closer than you might think, the company says.

Typically, automated spam bots send out messages and use hacked accounts to send out spam en masse. But in a study released Thursday, Google looked at “manual hijacking” for the first time.

With this type of hack, the attack is far more personal: Manual hijackers are groups of professionals who spend time going through accounts one by one to determine their worth and exploit them.

Though rare — only nine incidents per million users per day were reported — the attacks are severe, often pulling a user’s bank records or targeting the account’s contact list through phishing. About 20% of hacked accounts are broken into within 30 minutes of an attacker receiving login information, the report said.


“They spend three minutes going through your account to determine if it’s valuable, and if they determine it’s valuable they spend up to 20 minutes and spam your contacts,” said Matt Kallman, a Google representative. “They’ll say you’ve been mugged or that you need money wired.”

One fake email, for example, said: “We were mugged last night in an alley by a gang of thugs on our way back from shopping, one of them had a knife poking my neck for almost two minutes and everything we had on us including my cell phone, credit cards were all stolen, quite honestly it was beyond a dreadful experience.”

Contacts in hacked users’ address books were 36 times more likely to be hijacked, the study said. Phishing hacks also targeted victims’ “app stores and social networking credentials,” the report said.

Google’s study comes as Americans increasingly express fears over hacking. An October Gallup poll found 69% of Americans were more afraid of being hacked or having their credit card information stolen than of any other crime.


While most think they are savvy enough to recognize a phishing page, some fake websites worked as much as 45% of the time. The phishing sites, which look much like Google’s actual login pages, worked 14% of the time on average.

Most hackers work from China, Ivory Coast, Malaysia, Nigeria and South Africa, the Mountain View, Calif., company found.

Because manual hijackers quickly change their tactics to adapt to Google’s changing security measures, the company recommends securing accounts with two-step verification as well as providing a backup phone number or a secondary email address.
