
 o
Gmail: Hacked, spoofed or what?

Posted by susanjn (My Page) on
Wed, Feb 6, 13 at 18:55

Toshiba netbook w/Win XP SP3
Microsoft Security Essentials
Main browsers: Firefox, Opera
Everything kept updated

This afternoon my son alerted me to the fact that "I" had sent a link to a dubious weight loss product from my gmail account.

I immediately changed my password, then started investigating.

My Sent folder shows the same message sent to an odd assortment of addresses, all of which I recognize, but fortunately a very small percentage of my contacts. None of the messages contain my default signature. If the messages were just spoofing my address, how would they show up in my sent folder?

I've never shared my Google password.

I'm currently running Malwarebytes on my computer, and using another one to post here.


Follow-Up Postings:

 o
And another thing

This may have nothing to do with gmail...

That computer is running MWB painfully slowly. The Task Manager is showing the System Idle Process using about 98% of the CPU. Task Mgr and MWB sometimes use 1-2%.


 o
RE: Gmail: Hacked, spoofed or what?

It could be; I have had to help several people lately with the same problem. Changing your password right away is the best thing to do; then keep a close watch on your sent folder and ask him to alert you if there are further emails.
If you feel other sites could have been compromised because you had their info in your email, then you may want to change passwords on those also. For example, when you register at some sites they send you a confirmation email with the user name and password, which some people leave or store in their email; those can be compromised if the account was hacked.

In the cases I was working with, the change of password and close watch worked. I do suggest changing the password again in a few days even if you are not seeing activity, just for safety's sake, and of course use a very strong password: never a real word but a combo of letters, numbers, symbols and upper and lower case. Real words can be hacked in seconds by brute force programs.
Create strong passwords
Most accounts that are hacked were due to the passwords being too simple.


 o
RE: Gmail: Hacked, spoofed or what?

I can't answer your question, but if it were me I would look on the bottom of the Gmail page where it says "Last Account Activity" and click "Details". It will list the last ten IP addresses your account was accessed from. If nothing else it might confirm your suspicions.


 o
RE: Gmail: Hacked, spoofed or what?

raven, the password has been changed, and I'll watch it like a hawk. My main motivation in life is to not be embarrassed. And I'm very embarrassed that this went out to some of my co-workers and clients. :)

I don't think I have any clear text passwords saved, but I'll check that out. I also have never given my google password to things like Facebook to "help me locate" friends.

chuggerguy, that's an interesting tool! Now what do I do with the information?


 o
RE: Gmail: Hacked, spoofed or what?

"Now what do I do with the information?"

Check it for activity from someplace you haven't been? Then you'd know for sure at least. Sorry, I don't really know.


 o
RE: Gmail: Hacked, spoofed or what?

I've dug a little deeper into the maze of google info, and found the carrier of the IP address used about the same time these messages were going out. The access type was SMTP and not any carrier we use.
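
The manual check described in this post (match account-activity rows against the times the unexpected messages were sent, then look at access type and carrier) can be scripted. This is an added example, not part of the original thread; the row layout, carrier names, timestamps and the `suspicious_sessions` helper are all constructed assumptions, and the IPs are documentation addresses.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the thread): rows as one might copy them
# from an account-activity page. IPs are RFC 5737 documentation addresses.
ACTIVITY = [
    ("Browser", "192.0.2.10",   "HomeISP",      "2013-02-06 08:12"),
    ("Browser", "192.0.2.10",   "HomeISP",      "2013-02-06 12:40"),
    ("SMTP",    "198.51.100.7", "OtherCarrier", "2013-02-06 14:03"),
    ("Mobile",  "203.0.113.5",  "PhoneCarrier", "2013-02-06 17:30"),
]
# Constructed timestamps of the unexpected messages in the Sent folder.
SENT_TIMES = ["2013-02-06 14:04", "2013-02-06 14:05"]

KNOWN_CARRIERS = {"HomeISP", "PhoneCarrier"}  # assumption: carriers the owner uses
KNOWN_ACCESS = {"Browser", "Mobile"}          # assumption: how the owner reads mail
FMT = "%Y-%m-%d %H:%M"

def suspicious_sessions(activity, sent_times, window_minutes=10):
    """Return sessions from an unknown carrier or access type, each with the
    sent messages that fall within window_minutes of the session time."""
    window = timedelta(minutes=window_minutes)
    sent = [datetime.strptime(s, FMT) for s in sent_times]
    findings = []
    for access, ip, carrier, when in activity:
        reasons = []
        if carrier not in KNOWN_CARRIERS:
            reasons.append("unknown carrier")
        if access not in KNOWN_ACCESS:
            reasons.append("unused access type")
        if not reasons:
            continue  # session matches the owner's normal pattern
        t = datetime.strptime(when, FMT)
        near = [s.strftime(FMT) for s in sent if abs(s - t) <= window]
        findings.append({"ip": ip, "access": access, "carrier": carrier,
                         "reasons": reasons, "sent_nearby": near})
    return findings

if __name__ == "__main__":
    for finding in suspicious_sessions(ACTIVITY, SENT_TIMES):
        print(finding)
```

A flagged session that lines up with messages in the Sent folder points to an authenticated login to the account rather than a forged From address.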


 o
RE: Gmail: Hacked, spoofed or what?

I recently had a message from gmail: right when I was trying to log in, it stopped the process to alert me that at a specific time they detected an unusual IP address trying to access my account; they had fully blocked access. It gave the IP address, the area of the world and what the whois info was. It was definitely not me; it was a foreign country and I was not familiar with the name from whois. Gmail had also sent the same alert to my hotmail email, which is the backup I have listed for gmail. I was really impressed by that. The person had not known my password but was apparently actively trying to hack in.
I was not aware that gmail had those kinds of features. It was strictly informative, didn't require any action on my part, didn't request anything. Just a heads up.


 o
RE: Gmail: Hacked, spoofed or what?

I agree, this sounds like a bot cracked your email password and used the account to send spam or malware messages. Changing the password as already suggested should end the incident.

It's a common occurrence, there's no reason to have any feelings even remotely approaching embarrassment. I hope your comment that avoiding embarrassment was a major focus in your life was in jest, that's hardly something anyone should be concerned about.


 o
RE: Gmail: Hacked, spoofed or what?

Raven, I've done some reading about gmail's protections this afternoon. It mentioned those messages, and sometimes they don't send it if they think the bad guys (their words) would be reading. I wonder if they detected this little invasion and just stopped it. I like gmail. The only location information on the IP address was Texas from Cingular. I'm in Texas but don't use Cingular.

Snidely, I was mostly joking about avoiding embarrassment. Not that I go actively looking for it, so you won't be seeing me on any reality shows.

Malwarebytes is still toiling away. It says it has found 4 things, but is keeping me in suspense as to what they are.


 o
RE: Gmail: Hacked, spoofed or what?

Please report back with the results of the scan.
I rarely use my gmail but with Android everything is tied to google and gmail, so it's getting a little more use.


 o
RE: Gmail: Hacked, spoofed or what?

I had my gmail hacked in August of 2011. I had received a spam in one of my other accounts from myself. This activity report confirmed it for me:

Nope, I've never been to France. :)

I was frantically checking my processes, using netstat to check for unexplained Internet connections, closing ports, etc. but found nothing.

I suppose it could have been brute-forced. The password wasn't horrible, but wasn't great. Eight alpha plus a number. Random but short.

Actually, I chalked it up to using the same gmail address/password combination to register at the wrong site.

Changing the password to a loooooooonnnnnnnggggg one and not using it anywhere else was enough that it hasn't happened since.

Not yet anyway. :)

I would expect Google to have safeguards in place to time-lock an account if the user enters the incorrect password too many times in a row so they couldn't be brute-forced. Apparently not?

This post was edited by chuggerguy on Thu, Feb 7, 13 at 3:03


 o
RE: Gmail: Hacked, spoofed or what?

Google does have a Captcha-like challenge if you enter the wrong password too many times (I want to say three times). I have read the spammers have cadres working in Eastern Europe working to decode the Captchas. They make a buck or so an hour decoding one about every 22 seconds. Do the math on that fun job. See, every low paying job isn't in China.

Susan,

If you have a cell phone, you might want to add Google's 2-step security process to the mix. When you (or anyone) attempts to access your Gmail account from an unauthorized device, Google sends a 5 digit code to a preassigned cell phone. You need that code (in addition to the password) to access the account.


 o
RE: Gmail: Hacked, spoofed or what?

Thanks, everyone.

Mike, gmail did make me do the code-by-phone thing to change my password. So I must have set that up sometime in the long forgotten past. Once in a while, things go right.

Chuggerguy, I'm jealous. France is so much more exotic than Texas. :)

Here are the logs:

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.02.06.09

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.13
Susan :: SMITHCORONA [administrator]

2/6/2013 3:55:25 PM
mbam-log-2013-02-06 (15-55-25).txt

Scan type: Full scan (C:\:)
Scan options enabled: Memory : Startup : Registry : File System : Heuristics/Extra : Heuristics/Shuriken : PUP : PUM
Scan options disabled: P2P
Objects scanned: 343343
Time elapsed: 10 hour(s), 31 minute(s), 12 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 4
C:\Program Files\TOSHIBA\Amazon\MP3.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Program Files\TOSHIBA\Amazon\Shopping.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Program Files\TOSHIBA\Amazon\ShoppingD.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Program Files\TOSHIBA\Amazon\VOD.exe (Trojan.Clicker) -> Quarantined and deleted successfully.

(end)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/07/2013 at 09:16 AM

Application Version : 5.6.1014

Core Rules Database Version : 9979
Trace Rules Database Version: 7791

Scan type : Complete Scan
Total Scan Time : 01:35:17

Operating System Information
Windows XP Home Edition 32-bit, Service Pack 3 (Build 5.01.2600)
Administrator

Memory items scanned : 516
Memory threats detected : 0
Registry items scanned : 37287
Registry threats detected : 0
File items scanned : 61768
File threats detected : 325

Adware.Tracking Cookie
cdn4.specificclick.net [ C:\DOCUMENTS AND SETTINGS\GLENNA\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\JB8JPMNZ ]

...319 cookies clipped...

accounts.google.com [ C:\DOCUMENTS AND SETTINGS\SUSAN\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]

Trojan.Agent/Gen-Nullo[Short]
C:\SYSTEM VOLUME INFORMATION\_RESTORE(1E452A8B-FF85-46AC-BB2A-069DD62D4A2E)\RP1257\A0101126.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE(1E452A8B-FF85-46AC-BB2A-069DD62D4A2E)\RP1257\A0101127.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE(1E452A8B-FF85-46AC-BB2A-069DD62D4A2E)\RP1257\A0101128.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE(1E452A8B-FF85-46AC-BB2A-069DD62D4A2E)\RP1257\A0101129.EXE

I let MWB and SAS delete all they found.

What does Trojan.Agent/Gen-Nullo[Short] do? I've found lots of malware removal sites telling people how to get rid of it, but little information on what it does?

Could I have acquired it from clicking on an image?


 o
RE: Gmail: Hacked, spoofed or what?

Susan, if you would, please go to the LzD forum where the team can help you clean your infections; these will take some special scans that you will be given direct instructions for. You will need to register there, then please start your own post in the area I am linking you to. If you would, please post your logs there and a link back to this post here.

I am there also and will be watching for you, if you need help getting there please let me know.
Analysis and Malware Removal

Once there, please follow only instructions given to you on your own thread and no others, so there is no confusion on what has been done. You will be able to clean this up.
Oftentimes bits are left behind which will cause the infection to return; that is why these scans need to be run to fully clean it out.


 o
RE: Gmail: Hacked, spoofed or what?

raven, I have posted on LandzDown. I am rutabaga over there.

Interestingly, my computer has been quite perky after the MWB and SAS treatment.


 o
RE: Gmail: Hacked, spoofed or what?

I see you there, please just be patient for a bit while the team takes a look at your logs.


 o
RE: Gmail: Hacked, spoofed or what?

AND Texas is a lot more exotic than Kansas........


 o
RE: Gmail: Hacked, spoofed or what?

Well, Ok, I feel better. :)

