Manual Account Hijacking: When It Gets Personal

The vast majority of account hijacking attempts are an automated variety running on botnets.  Recently Google released a whitepaper that takes a look at a less common, but more damaging threat – manual account hijacking.  The distinction here is that the affected account is hijacked by a human rather than a machine, and then is exploited for maximum revenue generation by the cyber criminal.

As with the vast majority of all cyber-exploits, this one starts with a phishing email.  The email presents a plausible problem that can be resolved by either replying to the email with user name and password or by clicking on a link to a fake web page where the login credentials are supplied by the victim and then forwarded to the hijacker.  One of the surprising finds in the Google report was that the response time between the point at which the victim responded, and the hijacker to control of the account was in some cases as low as 30 minutes (20%) to 7 hours (50%).  The other surprising take away is that these scammers are working traditional 8 hour days with fixed start and stop times and a predictable lunch break of about an hour.  So for these guys – it’s a job!

The most frequently hijacked account is your email account, followed by banking, app store, and social networks.  The reason email tops the list is that the attacker can read the email to further research their victim, search store email for valuable information or other logon credentials, use it as a platform for requesting password resets of other accounts, and harvesting your email contacts to target them with the familiar “I’ve been mugged” money request emails. 

Google and many other email service providers are using sophisticated heuristics to detect these sorts of exploits, so if you get an email or SMS text message from your email service provider about password changes or suspicious account activity, it is worth it to immediately take action to recover your account and change the password.  The longer your account is in the hands of the perpetrator, the more information they will be able to glean, and with enough time they may be able to compromise your bank account and transfer out the balance.

Another recommendation is to make sure you have your recovery options completed and up-to-date.  This includes the secret questions and answers, an alternate email address, and a phone number to a cell phone that supports SMS text messaging.  A land line telephone will not work for this purpose unless your service provider explicitly allows it.

If left unrecovered, a compromise of your email account will be extended by the attackers to other accounts, such as your bank, credit card, and other financial accounts, shopping accounts such as Amazon and eBay, app store accounts such as iTunes and Google Play, and your Facebook, LinkedIn, Google+, Pinterest, Instagram, and other online accounts.

More information:


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.