Google has cut Gmail spam by 99.7% since 2011

(cloki/shutterstock.com)

Relaxnews, Last Updated: 12:54 PM ET

Google claims that less than 1 percent of spam messages make it into Gmail users' inboxes and that, over the last two years, improvements to its security systems have taken the fight to the spammers; it notes, however, that users also need to improve their own approach to online security by adopting two-factor verification.

In a post on the official Google blog, Google Security Engineer Mike Hearn explains that the steps the company has taken mean that cybercriminals are being forced to hijack legitimate email accounts in order to spread bogus advertising, conduct phishing attacks or otherwise extort money or information from the unsuspecting public.

"To improve their chances of beating a spam filter by sending you spam from your contact's account, the spammer first has to break into that account. This means many spammers are turning into account thieves. Every day, cyber criminals break into websites to steal databases of usernames and passwords, the online 'keys' to accounts. They put the databases up for sale on the black market, or use them for their own nefarious purposes," says Hearn.

Google has experienced instances of a single attacker using such stolen passwords to attempt to break into "a million different Google accounts every single day, for weeks at a time." This is why the company supports its email service with a complex risk analysis which, according to Hearn, considers "more than 120 variables" before deciding if a login attempt is valid or the work of hackers.

As a result, the number of compromised accounts has fallen by 99.7 percent since the peak of such hijacking attempts in 2011.

But while the post touts Gmail's progress in the area, it also points out that Google can't stop all attacks without help from its users. Hearn highlights the growing need for Gmail users to adopt two-step verification as a means of keeping hackers at bay. With two-step (two-factor) verification, each time a user logs into their Gmail account, a unique code is sent to that user's smartphone. That code is then used in conjunction with the standard email address and password in order to grant access. Even if a hacker has someone's password, unless they also have that person's smartphone, the password is useless.
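The mechanism described above, as an added worked example (this is illustrative code written for this article, not Google's implementation): a server-side login check that requires both a salted password hash match and a one-time code. The article describes a code delivered to the phone; the example goes slightly beyond that by generating the code with the standard HOTP/TOTP construction (RFC 4226 / RFC 6238, the same scheme authenticator apps use), so it can be verified offline. The `Account` record, the `login` function and the sample credentials are assumptions constructed for the example. The point it demonstrates is the last sentence of the paragraph: a correct password on its own is rejected, a used code cannot be replayed, and a code without the password is rejected too.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical server-side account record (constructed for this example).
@dataclass
class Account:
    username: str
    pw_salt: bytes
    pw_hash: bytes
    otp_secret: bytes          # shared secret provisioned to the user's phone
    last_otp_counter: int = -1  # highest time-step already accepted; blocks code replay


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; a stolen database yields hashes, not passwords."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def create_account(username: str, password: str, otp_secret: Optional[bytes] = None) -> Account:
    salt, digest = hash_password(password)
    return Account(username, salt, digest, otp_secret or secrets.token_bytes(20))


def login(account: Account, password: str, code: str, now: int, step: int = 30) -> bool:
    """Both factors must pass. Both are always evaluated, and only a single
    yes/no is returned, so the caller learns nothing about which one failed."""
    _, digest = hash_password(password, account.pw_salt)
    pw_ok = hmac.compare_digest(digest, account.pw_hash)

    # Accept the current time step and one step either side for clock skew,
    # but never a step at or below the last one already used (no replay).
    counter = now // step
    matched = None
    for c in (counter - 1, counter, counter + 1):
        if c > account.last_otp_counter and hmac.compare_digest(hotp(account.otp_secret, c), code):
            matched = c
            break

    if pw_ok and matched is not None:
        account.last_otp_counter = matched  # burn the code
        return True
    return False


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 test secret and a fixed clock.
    demo_secret = b"12345678901234567890"
    acct = create_account("alice", "correct horse battery", demo_secret)
    print("password + code:", login(acct, "correct horse battery", totp(demo_secret, 59), 59))
    print("replayed code:  ", login(acct, "correct horse battery", totp(demo_secret, 59), 61))
    print("password only:  ", login(acct, "correct horse battery", "000000", 89))
```

The constant-time comparisons and the single boolean result matter as much as the second factor itself: a login endpoint that reports "wrong code" separately from "wrong password" tells an attacker holding a breached credential list which passwords are still valid, which is exactly the information the article says spammers are trading.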

In this respect, the timing of the post couldn't have been better. Over the past week a number of high-profile Twitter accounts have been compromised. Burger King's official account tweeted that the company had been bought by McDonald's, Jeep's official account claimed that the carmaker had been taken over by Cadillac, and, of course, BlackBerry Creative Director and R&B singer Alicia Keys claimed her account had been hacked when a tweet attributed to her appeared to have been sent from an iPhone rather than a BlackBerry handset.

These attacks have been viewed by the media and the public alike as little more than amusing stories, but Twitter doesn't currently offer two-step verification and may find that corporate customers start to leave it for security reasons if the hacks continue.

Therefore, until Twitter adopts the system, users who are worried about their security should ensure that they have a password that is hard to crack -- Sophos provides advice on how to go about it -- and, crucially, make certain that they don't use the same combination of password and email address to log in to any other web service or account. As Hearn says: "Because many people re-use the same password across different accounts, stolen passwords from one site are often valid on others."
