|
| Toshiba netbook w/Win XP SP3. Microsoft Security Essentials. Main browsers: Firefox, Opera. Everything kept updated. This afternoon my son alerted me to the fact that "I" had sent a link to a dubious weight loss product from my gmail account. I immediately changed my password, then started investigating. My Sent folder shows the same message sent to an odd assortment of addresses, all of which I recognize, but fortunately a very small percentage of my contacts. None of the messages contain my default signature. If the messages were just spoofing my address, how would they show up in my sent folder? I've never shared my Google password. I'm currently running Malwarebytes on my computer, and using another one to post here. |
Follow-Up Postings:
|
| This may have nothing to do with gmail... That computer is running MWB painfully slowly. The Task Manager is showing the System Idle Process using about 98% of the CPU. Task Mgr and MWB sometimes use 1-2%. |
|
- Posted by ravencajun (My Page) on Wed, Feb 6, 13 at 19:17
| It could be; I have had to help several people lately with the same problem. Changing your password right away is the best thing to do, then keep a close watch on your sent folder and ask him to alert you if there are further emails. If you feel other sites could have been compromised because you had their info in your email, then you may want to change passwords on those also. For example, when you register at some sites they send you a confirmation email with the user name and password, which some people leave or store in their email; those can be compromised if the account was hacked. In the cases I was working with, the change of password and close watch worked. I do suggest changing the password again in a few days even if you are not seeing activity, just for safety's sake, and of course use a very strong password, never a real word but a combo of letters, numbers, symbols, and upper and lower case. Real words can be hacked in seconds by brute force programs. |
|
- Posted by chuggerguy (My Page) on Wed, Feb 6, 13 at 19:18
| I can't answer your question, but if it were me I would look on the bottom of the Gmail page where it says "Last Account Activity" and click "Details". It will list the last ten IP addresses your account was accessed from. If nothing else it might confirm your suspicions. |
|
| raven, the password has been changed, and I'll watch it like a hawk. My main motivation in life is to not be embarrassed. And I'm very embarrassed that this went out to some of my co-workers and clients. :) I don't think I have any clear text passwords saved, but I'll check that out. I also have never given my google password to things like Facebook to "help me locate" friends. chuggerguy, that's an interesting tool! Now what do I do with the information? |
|
- Posted by chuggerguy (My Page) on Wed, Feb 6, 13 at 19:43
"Now what do I do with the information?" Check it for activity from someplace you haven't been? Then you'd know for sure at least. Sorry, I don't really know. |
|
| I've dug a little deeper into the maze of google info, and found the carrier of the IP address used about the same time these messages were going out. The access type was SMTP and not any carrier we use. |
|
- Posted by ravencajun (My Page) on Wed, Feb 6, 13 at 22:26
| I recently had a message from gmail. Right when I was trying to log in, it stopped the process to alert me that at a specific time they detected an unusual IP address trying to access my account and alerted me; they had fully blocked access. It gave the IP address, the area of the world, and what the whois info was. It was definitely not me; it was a foreign country and I was not familiar with the name from whois. Gmail had also sent the same alert to my hotmail email, which is the backup I have listed for gmail. I was really impressed by that. The person had not known my password but was apparently actively trying to hack in. I was not aware that gmail had those kinds of features. It was strictly informative, didn't require any action on my part, didn't request anything. Just a heads up. |
|
| I agree, this sounds like a bot cracked your email password and used the account to send spam or malware messages. Changing the password as already suggested should end the incident. It's a common occurrence; there's no reason to have any feelings even remotely approaching embarrassment. I hope your comment that avoiding embarrassment was a major focus in your life was in jest; that's hardly something anyone should be concerned about. |
|
| Raven, I've done some reading about gmail's protections this afternoon. It mentioned those messages, and sometimes they don't send it if they think the bad guys (their words) would be reading. I wonder if they detected this little invasion and just stopped it. I like gmail. The only location information on the IP address was Texas from Cingular. I'm in Texas but don't use Cingular. Snidely, I was mostly joking about avoiding embarrassment. Not that I go actively looking for it, so you won't be seeing me on any reality shows. Malwarebytes is still toiling away. It says it has found 4 things, but is keeping me in suspense as to what they are. |
|
- Posted by ravencajun (My Page) on Thu, Feb 7, 13 at 1:30
| Please report back with the results of the scan. I rarely use my gmail, but with Android everything is tied to google and gmail, so it's getting a little more use. |
|
- Posted by chuggerguy (My Page) on Thu, Feb 7, 13 at 2:58
| I had my gmail hacked in August of 2011. I had received a spam in one of my other accounts from myself. This activity report confirmed it for me:
Nope, I've never been to France. :) I was frantically checking my processes, using netstat to check for unexplained Internet connections, closing ports, etc. but found nothing. I suppose it could have been brute-forced. The password wasn't horrible, but wasn't great. Eight alpha plus a number. Random but short. Actually, I chalked it up to using the same gmail address/password combination to register at the wrong site. Changing the password to a loooooooonnnnnnnggggg one and not using it anywhere else was enough that it hasn't happened since. Not yet anyway. :) I would expect Google to have safeguards in place to time-lock an account if the user enters the incorrect password too many times in a row so they couldn't be brute-forced. Apparently not? |
This post was edited by chuggerguy on Thu, Feb 7, 13 at 3:03
|
- Posted by mike_kaiser (My Page) on Thu, Feb 7, 13 at 7:32
| Google does have a Captcha-like challenge if you enter the wrong password too many times (I want to say three times). I have read the spammers have cadres working in Eastern Europe working to decode the Captchas. They make a buck or so an hour decoding one about every 22 seconds. Do the math on that fun job. See, every low paying job isn't in China. Susan, if you have a cell phone, you might want to add Google's 2-step security process to the mix. When you (or anyone) attempts to access your Gmail account from an unauthorized device, Google sends a 5 digit code to a preassigned cell phone. You need that code (in addition to the password) to access the account. |
|
| Thanks, everyone.

Mike, gmail did make me do the code-by-phone thing to change my password. So I must have set that up sometime in the long forgotten past. Once in a while, things go right.

Chuggerguy, I'm jealous. France is so much more exotic than Texas. :)

Here are the logs:

Malwarebytes Anti-Malware 1.70.0.1100
Database version: v2013.02.06.09
Windows XP Service Pack 3 x86 NTFS
2/6/2013 3:55:25 PM
Scan type: Full scan (C:\:)
Memory Processes Detected: 0
Memory Modules Detected: 0
Registry Keys Detected: 0
Registry Values Detected: 0
Registry Data Items Detected: 0
Folders Detected: 0
Files Detected: 4
(end)

SUPERAntiSpyware Scan Log
Generated 02/07/2013 at 09:16 AM
Application Version : 5.6.1014
Core Rules Database Version : 9979
Scan type : Complete Scan
Operating System Information
Memory items scanned : 516
Adware.Tracking Cookie
...319 cookies clipped...
accounts.google.com [ C:\DOCUMENTS AND SETTINGS\SUSAN\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
Trojan.Agent/Gen-Nullo[Short]

I let MWB and SAS delete all they found. What does Trojan.Agent/Gen-Nullo[Short] do? I've found lots of malware removal sites telling people how to get rid of it, but little information on what it does? Could I have acquired it from clicking on an image? |
|
- Posted by ravencajun (My Page) on Thu, Feb 7, 13 at 23:26
| Susan, if you would, please go to the LzD forum where the team can help you clean your infections. These will take some special scans that you will be given direct instructions for. You will need to register there, then please start your own post in the area I am linking you to. If you would, please post your logs there and a link back to this post here. I am there also and will be watching for you; if you need help getting there please let me know. Once there, please follow only instructions given to you on your own thread and no others so there is no confusion on what has been done. You will be able to clean this up. |
|
| raven, I have posted on LandzDown. I am rutabaga over there. Interestingly, my computer has been quite perky after the MWB and SAS treatment. |
|
- Posted by ravencajun (My Page) on Fri, Feb 8, 13 at 13:15
| I see you there, please just be patient for a bit while the team takes a look at your logs. |
|
| AND Texas is a lot more exotic than Kansas........ |
|
| Well, Ok, I feel better. :) |