Website Phish hijacks email accounts

A Garwarner blog post reviews how various posts on the Internet covered a paper written by Google together with researchers at the University of California, San Diego.


Here is the Abstract:

“Online accounts are inherently valuable resources—both for the data they contain and the reputation they accrue over time. Unsurprisingly, this value drives criminals to steal, or hijack, such accounts. In this paper we focus on manual account hijacking—account hijacking performed manually by humans instead of botnets. We describe the details of the hijacking workflow: the attack vectors, the exploitation phase, and post-hijacking remediation. Finally we share, as a large online company, which defense strategies we found effective to curb manual hijacking.”
The paper goes on to say that victims are presented with fake Google sites as well as phishing emails, the criminal's goal being to hijack their Google email accounts. Google took down over 100 such fake sites in 2012, and the study analyzed 5,000 hijacked accounts.
The Garwarner blog states that many security news publications misrepresented this paper as saying that a large percentage of email accounts are being hijacked. What the paper actually reports is that, within a small sample, 45% of the credentials were captured: a figure about that sample, not a share of all email accounts.
There is more to this story, and I will review the paper a bit more, but it looks like there were a lot of sites around the net that looked just like Google, whose sole purpose was to steal credentials (email address and password) in order to somehow make money off the account. (If hijacked, the email account can be used for some very specific phishing attacks against the people you email.)
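The post describes lookalike Google login pages without saying how they were hosted or how a defender might spot them. As an added illustration (not the paper's method and not the blog's code), here is a small Python check that flags a login URL whose hostname impersonates a legitimate domain: a brand name in a non-brand domain, a digit-for-letter homoglyph, a punycode label, a brand name hidden in the path, or the `user@host` trick that shows the brand before the `@` while the browser goes elsewhere. The legitimate-domain list, the homoglyph table, the two-label approximation of a registrable domain and the sample URLs are all constructed assumptions.

```python
"""Flag URLs whose hostname impersonates a legitimate login domain.

Constructed example, not code from the paper or the blog post. Assumptions:
the legitimate registrable domains are passed in by the caller, and the
registrable domain is approximated as the last two hostname labels (a real
deployment would use the Public Suffix List instead).
"""
from urllib.parse import urlsplit

# Digit/letter substitutions commonly used in lookalike labels (assumed table).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize_label(label: str) -> str:
    """Fold homoglyph substitutions so 'g00gle' compares equal to 'google'."""
    out = label.lower()
    for fake, real in HOMOGLYPHS.items():
        out = out.replace(fake, real)
    return out


def registrable(host: str) -> str:
    """Approximate registrable domain: the last two labels (assumption)."""
    return ".".join(host.split(".")[-2:])


def classify_login_url(url: str, legit_domains=("google.com",)) -> str:
    """Return 'legitimate' or a short reason describing the impersonation."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "no hostname"
    # user@host trick: the brand appears before '@' but the browser goes to host.
    if "@" in parts.netloc:
        return "userinfo in URL hides real host %s" % host
    if any(host == d or host.endswith("." + d) for d in legit_domains):
        return "legitimate"
    if any(lab.startswith("xn--") for lab in host.split(".")):
        return "punycode label in host"
    brand_tokens = {d.split(".")[0] for d in legit_domains}
    # Brand name present in a hostname label, but not under the legit domain.
    for lab in host.split("."):
        norm = normalize_label(lab)
        for brand in brand_tokens:
            if brand in norm:
                if norm == lab:
                    return "brand '%s' in non-brand domain %s" % (brand, registrable(host))
                return "homoglyph lookalike '%s' for '%s'" % (lab, brand)
    # Brand name only in the path, e.g. evil.example/accounts.google.com/login
    path = (parts.path + parts.query).lower()
    for brand in brand_tokens:
        if brand in path:
            return "brand '%s' only in path, host is %s" % (brand, registrable(host))
    return "unrelated host %s" % registrable(host)


# Constructed sample URLs (none of these are real phishing sites).
SAMPLE_URLS = [
    "https://accounts.google.com/ServiceLogin",
    "https://accounts.google.com@evil.example/login",
    "http://accounts-google.com.login-verify.example/",
    "http://g00gle-login.example/",
    "http://evil.example/accounts.google.com/ServiceLogin",
    "http://xn--ggle-0nda.example/",
]


def scan(urls=SAMPLE_URLS):
    """Classify each URL; returns a list of (url, verdict) pairs."""
    return [(u, classify_login_url(u)) for u in urls]


if __name__ == "__main__":
    for url, verdict in scan():
        print("%-55s %s" % (url, verdict))
```

The check deliberately treats anything not under the allow-listed domain as suspect, so a legitimate regional domain such as a country-code variant must be added to `legit_domains`; the two-label approximation of the registrable domain is the main thing to replace before using this against real traffic.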