Gmail: Hacked, spoofed or what?

susanjn, February 6, 2013

Toshiba netbook w/Win XP SP3
Microsoft Security Essentials
Main browsers: Firefox, Opera
Everything kept updated

This afternoon my son alerted me to the fact that "I" had sent a link to a dubious weight loss product from my gmail account.

I immediately changed my password, then started investigating.

My Sent folder shows the same message sent to an odd assortment of addresses, all of which I recognize, but fortunately a very small percentage of my contacts. None of the messages contain my default signature. If the messages were just spoofing my address, how would they show up in my sent folder?

I've never shared my Google password.

I'm currently running Malwarebytes on my computer, and using another one to post here.

susanjn

This may have nothing to do with gmail...

That computer is running MWB painfully slowly. The Task Manager is showing the System Idle Process using about 98% of the CPU. Task Mgr and MWB sometimes use 1-2%.

February 6, 2013 at 7:11PM
ravencajun Zone 8b TX

It could be. I have had to help several people lately with the same problem. Changing your password right away is the best thing to do; then keep a close watch on your sent folder and ask him to alert you if there are further emails.
If you feel other sites could have been compromised because you had their info in your email, then you may want to change passwords on those also. For example, when you register at some sites they send you a confirmation email with the user name and password, which some people leave or store in their email; those can be compromised if the account was hacked.

In the cases I was working with, the change of password and close watch worked. I do suggest changing the password again in a few days even if you are not seeing activity, just for safety's sake, and of course use a very strong password: never a real word but a combo of letters, numbers, symbols and upper and lower case. Real words can be hacked in seconds by brute force programs.
Create strong passwords
Most accounts that are hacked were due to the passwords being too simple.

February 6, 2013 at 7:17PM
Richard (chuggerguy)

I can't answer your question, but if it were me I would look on the bottom of the Gmail page where it says "Last Account Activity" and click "Details". It will list the last ten IP addresses your account was accessed from. If nothing else, it might confirm your suspicions.

February 6, 2013 at 7:18PM
susanjn

raven, the password has been changed, and I'll watch it like a hawk. My main motivation in life is to not be embarrassed. And I'm very embarrassed that this went out to some of my co-workers and clients. :)

I don't think I have any clear text passwords saved, but I'll check that out. I also have never given my google password to things like Facebook to "help me locate" friends.

chuggerguy, that's an interesting tool! Now what do I do with the information?

February 6, 2013 at 7:30PM
Richard (chuggerguy)

"Now what do I do with the information?"

Check it for activity from someplace you haven't been? Then you'd know for sure at least. Sorry, I don't really know.

February 6, 2013 at 7:43PM
susanjn

I've dug a little deeper into the maze of google info, and found the carrier of the IP address used about the same time these messages were going out. The access type was SMTP and not any carrier we use.

February 6, 2013 at 8:04PM
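The "Last Account Activity" list chuggerguy points to, and the SMTP entry from an unfamiliar carrier that susanjn found in it, are exactly what a defender would triage. The following is an added example, not code from the thread or from Google: it assumes a constructed record shape (access type, IP, time) and two made-up "known" networks from the RFC 5737 documentation ranges, and it ranks unfamiliar sources, rating mail-protocol logins such as SMTP higher because those authenticate with the password alone.

```python
"""Triage of an account's recent-access list against networks the owner uses.
Added example: record format and all sample values are constructed, not Google's."""
import ipaddress
from dataclasses import dataclass

# Networks the owner knows (constructed; RFC 5737 documentation ranges)
KNOWN_NETWORKS = {
    "home DSL": ipaddress.ip_network("192.0.2.0/24"),
    "office": ipaddress.ip_network("198.51.100.0/24"),
}
# Mail protocols authenticate with the password alone, so an unknown source
# using one (SMTP in the thread) is the stronger sign of a leaked credential.
PROTOCOL_ACCESS = {"SMTP", "IMAP", "POP3"}

@dataclass
class AccessRecord:
    access_type: str
    ip: str
    when: str  # timestamp as displayed; kept as text for reporting

@dataclass
class Finding:
    record: AccessRecord
    network: str   # matched known network, or "unknown"
    severity: str  # "ok", "review" or "high"

def classify(record: AccessRecord) -> Finding:
    addr = ipaddress.ip_address(record.ip)  # raises ValueError on garbage input
    for name, net in KNOWN_NETWORKS.items():
        if addr in net:
            return Finding(record, name, "ok")
    sev = "high" if record.access_type.upper() in PROTOCOL_ACCESS else "review"
    return Finding(record, "unknown", sev)

def triage(records):
    """Findings for every record not from a known network, highest severity first."""
    order = {"high": 0, "review": 1}
    hits = [f for f in map(classify, records) if f.severity != "ok"]
    return sorted(hits, key=lambda f: order[f.severity])

# Constructed sample list in the shape the thread describes
SAMPLE = [
    AccessRecord("Browser", "192.0.2.10", "Feb 6 (2:05 pm)"),
    AccessRecord("SMTP", "203.0.113.45", "Feb 6 (1:47 pm)"),
    AccessRecord("Mobile", "198.51.100.7", "Feb 6 (9:12 am)"),
    AccessRecord("Browser", "203.0.113.200", "Feb 5 (11:30 pm)"),
]
if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.severity:6} {f.record.access_type:8} {f.record.ip:15} {f.record.when}")
```

Anything flagged "high" is a source that sent or read mail with nothing but the password, which is the case to act on first: change the password, then keep watching the list as raven suggests.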
ravencajun Zone 8b TX

I recently had a message from gmail. Right when I was trying to log in, it stopped the process to alert me that at a specific time they had detected an unusual IP address trying to access my account, and they had fully blocked access. It gave the IP address, the area of the world and what the whois info was. It was definitely not me; it was a foreign country and I was not familiar with the name from whois. Gmail had also sent the same alert to my hotmail email, which is the backup I have listed for gmail. I was really impressed by that. The person had not known my password but was apparently actively trying to hack in.
I was not aware that gmail had those kinds of features. It was strictly informative, didn't require any action on my part, didn't request anything. Just a heads up.

February 6, 2013 at 10:26PM
SnidelyWhiplash

I agree, this sounds like a bot cracked your email password and used the account to send spam or malware messages. Changing the password as already suggested should end the incident.

It's a common occurrence; there's no reason to have any feelings even remotely approaching embarrassment. I hope your comment that avoiding embarrassment was a major focus in your life was in jest; that's hardly something anyone should be concerned about.

February 6, 2013 at 11:24PM
susanjn

Raven, I've done some reading about gmail's protections this afternoon. It mentioned those messages, and sometimes they don't send it if they think the bad guys (their words) would be reading. I wonder if they detected this little invasion and just stopped it. I like gmail. The only location information on the IP address was Texas from Cingular. I'm in Texas but don't use Cingular.

Snidely, I was mostly joking about avoiding embarrassment. Not that I go actively looking for it, so you won't be seeing me on any reality shows.

Malwarebytes is still toiling away. It says it has found 4 things, but is keeping me in suspense as to what they are.

February 7, 2013 at 12:23AM
ravencajun Zone 8b TX

Please report back with the results of the scan.
I rarely use my gmail but with Android everything is tied to google and gmail, so it's getting a little more use.

February 7, 2013 at 1:30AM
Richard (chuggerguy)

I had my gmail hacked in August of 2011. I had received a spam in one of my other accounts from myself. This activity report confirmed it for me:

Nope, I've never been to France. :)

I was frantically checking my processes, using netstat to check for unexplained Internet connections, closing ports, etc. but found nothing.

I suppose it could have been brute-forced. The password wasn't horrible, but wasn't great. Eight alpha plus a number. Random but short.

Actually, I chalked it up to using the same gmail address/password combination to register at the wrong site.

Changing the password to a loooooooonnnnnnnggggg one and not using it anywhere else was enough that it hasn't happened since.

Not yet anyway. :)

I would expect Google to have safeguards in place to time-lock an account if the user enters the incorrect password too many times in a row so they couldn't be brute-forced. Apparently not?

This post was edited by chuggerguy on Thu, Feb 7, 13 at 3:03

February 7, 2013 at 2:58AM
mike_kaiser_gw

Google does have a Captcha-like challenge if you enter the wrong password too many times (I want to say three times). I have read the spammers have cadres working in Eastern Europe working to decode the Captchas. They make a buck or so an hour decoding one about every 22 seconds. Do the math on that fun job. See, every low paying job isn't in China.

Susan,

If you have a cell phone, you might want to add Google's 2-step security process to the mix. When you (or anyone) attempts to access your Gmail account from an unauthorized device, Google sends a 5 digit code to a preassigned cell phone. You need that code (in addition to the password) to access the account.

February 7, 2013 at 7:32AM
susanjn

Thanks, everyone.

Mike, gmail did make me do the code-by-phone thing to change my password. So I must have set that up sometime in the long forgotten past. Once in a while, things go right.

Chuggerguy, I'm jealous. France is so much more exotic than Texas. :)

Here are the logs:

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.02.06.09

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.13
Susan :: SMITHCORONA [administrator]

2/6/2013 3:55:25 PM
mbam-log-2013-02-06 (15-55-25).txt

Scan type: Full scan (C:\:)
Scan options enabled: Memory : Startup : Registry : File System : Heuristics/Extra : Heuristics/Shuriken : PUP : PUM
Scan options disabled: P2P
Objects scanned: 343343
Time elapsed: 10 hour(s), 31 minute(s), 12 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 4
C:\Program Files\TOSHIBA\Amazon\MP3.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Program Files\TOSHIBA\Amazon\Shopping.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Program Files\TOSHIBA\Amazon\ShoppingD.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Program Files\TOSHIBA\Amazon\VOD.exe (Trojan.Clicker) -> Quarantined and deleted successfully.

(end)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/07/2013 at 09:16 AM

Application Version : 5.6.1014

Core Rules Database Version : 9979
Trace Rules Database Version: 7791

Scan type : Complete Scan
Total Scan Time : 01:35:17

Operating System Information
Windows XP Home Edition 32-bit, Service Pack 3 (Build 5.01.2600)
Administrator

Memory items scanned : 516
Memory threats detected : 0
Registry items scanned : 37287
Registry threats detected : 0
File items scanned : 61768
File threats detected : 325

Adware.Tracking Cookie
cdn4.specificclick.net [ C:\DOCUMENTS AND SETTINGS\GLENNA\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\JB8JPMNZ ]

...319 cookies clipped...

accounts.google.com [ C:\DOCUMENTS AND SETTINGS\SUSAN\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]

Trojan.Agent/Gen-Nullo[Short]
C:\SYSTEM VOLUME INFORMATION\_RESTORE(1E452A8B-FF85-46AC-BB2A-069DD62D4A2E)\RP1257\A0101126.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE(1E452A8B-FF85-46AC-BB2A-069DD62D4A2E)\RP1257\A0101127.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE(1E452A8B-FF85-46AC-BB2A-069DD62D4A2E)\RP1257\A0101128.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE(1E452A8B-FF85-46AC-BB2A-069DD62D4A2E)\RP1257\A0101129.EXE

I let MWB and SAS delete all they found.

What does Trojan.Agent/Gen-Nullo[Short] do? I've found lots of malware removal sites telling people how to get rid of it, but little information on what it does?

Could I have acquired it from clicking on an image?

February 7, 2013 at 10:22PM
ravencajun Zone 8b TX

Susan, if you would, please go to the LzD forum where the team can help you clean your infections; these will take some special scans that you will be given direct instructions for. You will need to register there, then please start your own post in the area I am linking you to. If you would, please post your logs there and a link back to this post here.

I am there also and will be watching for you; if you need help getting there please let me know.
Analysis and Malware Removal

Once there, please follow only instructions given to you on your own thread and no others, so there is no confusion on what has been done. You will be able to clean this up.
Oftentimes bits are left behind which will cause the infection to return; that is why these scans need to be run to fully clean it out.

February 7, 2013 at 11:26PM
susanjn

raven, I have posted on LandzDown. I am rutabaga over there.

Interestingly, my computer has been quite perky after the MWB and SAS treatment.

February 8, 2013 at 1:06AM
ravencajun Zone 8b TX

I see you there, please just be patient for a bit while the team takes a look at your logs.

February 8, 2013 at 1:15PM
emma

AND Texas is a lot more exotic than Kansas........

February 8, 2013 at 2:55PM
susanjn

Well, Ok, I feel better. :)

February 8, 2013 at 8:41PM
© 2015 Houzz Inc. Houzz® The new way to design your home™