Google today added an alert to Gmail that warns users of the Web mail service when their account may have been hijacked.
Using several criteria -- including plotting the Internet protocol (IP) address of each successful log-on -- Google determines whether to sound the alarm, which pops up at the top of a user's account and reads "Warning: We believe your account was last accessed from..." along with the location associated with the log-on.
If an account is accessed from one country, then again a few hours later from a different country, Google would likely sound the alarm. The assumption: The multiple and geographically divergent log-ons would be a clue that the account had been hacked, and was now being used to send spam, spread scams or distribute malware.
"It's actually much more sophisticated than that," said Will Cathcart, a Gmail product manager. "If we determine that an IP down the block [from you] has logged into your account, and has recently logged into lots and lots of accounts, we'll display the warning."
Cathcart declined to reveal details of the other factors that Google takes into account when deciding whether to trigger an access alert, saying only that the IP locating criteria was "a data point that most users can easily understand."
The idea is to give users more information about activity on their Gmail accounts, Cathcart said. "This is an evolution of what we've done for some time," he said, referring to the account activity records that users have been able to view since mid-2008. "We've been doing a lot of compromised account detection work, and we wanted to give users information about why we think an account may be compromised. This way, we reach out to a lot more users, because we don't need to be 100% certain that an account [has been hijacked] before we block it. Now we can be just 99% sure, and give the users the information so they can take action."
Cathcart claimed that the problem of Gmail account hijacking affected only a "very very small number" of users. But for those whose accounts are hijacked, it's "a really painful problem, even if all the hijackers do is send spam."
He sidestepped a question about whether the new alert would have helped Chinese human rights activists whose accounts were compromised. Last January, Google cited activity directed against those accounts, as well as attacks on its corporate network , when it announced it would no longer censor the search results of its Chinese engine. "I wouldn't want to say which accounts would have been warned, but in general, when people have their accounts compromised, we would love to be able to warn them," Cathcart said.
Google will roll out the feature to Google Apps at some later point, the company added in a post to the Gmail blog today.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org .
Read more about security in Computerworld's Security Knowledge Center.