This afternoon I received spam from fellow colleagues at work, sent from their Gmail accounts. Emails went to both my personal Gmail account and to my work accounts. It looks like the emails are in the sent items, which is rather worrying as it means the spammer sent mail from the account rather than forging the headers to make it look like it came from the account. I know for a fact that the password was secure on at least one of the accounts, so a weak password is not the culprit. A quick (ironic) Google search shows that several people have been twittering about this in the past couple of hours (mine came in at 3.43pm, and I had another at 7.30pm).
Google’s standard answer is to change your password, which doesn’t really help when there is obviously a back door that is letting people into the account in the first place. The solutions provided are as follows:
If your account has been compromised/hacked/stolen you will need to check at least all of the following things:
Settings -> Accounts and Import -> Google Account Settings -> Change Password [pick a new secure password]
Settings -> Accounts and Import -> Google Account Settings -> Change Password Recovery Options [verify secret question, SMS and secondary e-mail address]
Settings -> General -> Signature [make sure nothing has been added]
Settings -> General -> Vacation Responder [make sure it’s disabled and empty]
Settings -> Accounts and Import -> Send Mail As [make sure it is using your correct e-mail address]
Settings -> Filters [no filters that forward or delete e-mail]
Settings -> Forwarding and POP/IMAP -> Forwarding [disabled or correct address]
Settings -> Forwarding and POP/IMAP -> POP Download [disabled]
Settings -> Forwarding and POP/IMAP -> IMAP Access [disabled]
Keeping account secure: https://mail.google.com/support/bin/answer.py?hl=en&answer=46526
Protecting your account: https://mail.google.com/support/bin/answer.py?hl=en&answer=29407
If your account is compromised: http://mail.google.com/support/bin/answer.py?hl=en&answer=50270
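The checklist above is a manual walk through the settings pages; the same checks can be automated against an exported copy of the account's settings. The script below is an added example (not from the original post or from Google): it audits a settings dump whose shape is modelled on the Gmail API's users.settings resources (filters, autoForwarding, vacation, sendAs, pop, imap). The dump itself is constructed by hand so the script runs offline; to use it for real, replace load_settings() with the corresponding API calls.

```python
"""Audit a Gmail settings dump for the persistence tricks in the checklist above.

Added example, not the original post's code. Input shape is modelled on the
Gmail API's users.settings resources; the sample below is constructed.
"""
import json

OWNER = "me@example.com"   # constructed: the mailbox's legitimate address

# Constructed dump of a compromised-looking account: a filter that forwards
# and trashes sensitive mail, auto-forwarding, and a poisoned reply-to.
SAMPLE_DUMP = json.dumps({
    "filters": [
        {"id": "f1", "criteria": {"from": "boss@example.com"},
         "action": {"addLabelIds": ["IMPORTANT"]}},
        {"id": "f2", "criteria": {"query": "password OR invoice"},
         "action": {"forward": "attacker@evil.example",
                    "removeLabelIds": ["INBOX"], "addLabelIds": ["TRASH"]}},
    ],
    "autoForwarding": {"enabled": True, "emailAddress": "attacker@evil.example",
                       "disposition": "archive"},
    "vacation": {"enableAutoReply": False, "responseBodyPlainText": ""},
    "sendAs": [{"sendAsEmail": OWNER, "isPrimary": True, "replyToAddress": ""},
               {"sendAsEmail": OWNER, "isPrimary": False,
                "replyToAddress": "attacker@evil.example"}],
    "pop": {"accessWindow": "allMail", "disposition": "leaveInInbox"},
    "imap": {"enabled": True},
})


def load_settings(raw: str) -> dict:
    """Stand-in for the API calls: parse a JSON dump of the settings."""
    return json.loads(raw)


def audit(settings: dict, owner: str = OWNER) -> list[str]:
    """Return one finding per setting that fails the checklist above."""
    findings = []
    # Filters: anything that forwards, hides (removes INBOX) or trashes mail.
    for f in settings.get("filters", []):
        action = f.get("action", {})
        if "forward" in action:
            findings.append(f"filter {f['id']} forwards to {action['forward']}")
        if "TRASH" in action.get("addLabelIds", []) or "INBOX" in action.get("removeLabelIds", []):
            findings.append(f"filter {f['id']} hides or deletes mail")
    # Forwarding must be off (or pointing at an address you recognise).
    fwd = settings.get("autoForwarding", {})
    if fwd.get("enabled"):
        findings.append(f"auto-forwarding enabled to {fwd.get('emailAddress')}")
    # Vacation responder must be disabled and empty.
    vac = settings.get("vacation", {})
    if vac.get("enableAutoReply") or vac.get("responseBodyPlainText"):
        findings.append("vacation responder enabled or non-empty")
    # Send-as aliases: the address and reply-to must both be the owner's.
    for alias in settings.get("sendAs", []):
        if alias.get("sendAsEmail") != owner:
            findings.append(f"send-as alias {alias.get('sendAsEmail')} is not the owner")
        if alias.get("replyToAddress") not in ("", None, owner):
            findings.append(f"send-as {alias.get('sendAsEmail')} replies to {alias['replyToAddress']}")
    # The checklist says POP and IMAP should be disabled; flag them if not.
    if settings.get("pop", {}).get("accessWindow", "disabled") != "disabled":
        findings.append("POP download enabled")
    if settings.get("imap", {}).get("enabled"):
        findings.append("IMAP access enabled")
    return findings


if __name__ == "__main__":
    for line in audit(load_settings(SAMPLE_DUMP)):
        print("WARNING:", line)
```

On the constructed dump this reports the forwarding filter twice (it forwards and it trashes), the auto-forwarding address, the attacker reply-to on the second send-as entry, and POP/IMAP being enabled. Whether IMAP enabled is really a problem depends on how you read your own mail; the script follows the checklist literally.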
Ciao is also reporting similar issues today.
It would be interesting to see if any of the compromised accounts were on the Google Apps servers as this probably has greater repercussions for Google’s business model as people will trust Google even less. It will certainly raise questions at work on Monday as to whether we would recommend moving some clients to Google Apps. Even if you haven’t been hacked (check your sent items, filters and your frequent contacts for spam messages) I would still highly recommend you change your password NOW and ensure it is a complicated, non-dictionary based one.
Having said that, it doesn’t look that malicious – you would have to be tricked into entering data into one page, which can then be sent to the malicious site at the same time, so you are probably only at risk if you do random surfing or surf in dodgy web site areas in the first place – and if you are doing that then I really hope you are not running internet explorer (or as an admin!)
I had the misfortune to have to deal with a user who had received an email after their data was stolen from the University of Texas. The email mentioned that their username and email address had been divulged to unauthorised users.
Unfortunately the way the email was sent out to the user, it looked just like a phishing scam. The email contained references to http://www.mccombs.utexas.edu/datatheft/ but if you looked at where the link would take you, it actually went to a convio.com address.
As this is a typical phishing mechanism, I did a bit of digging. A whois lookup on convio.com provided an IT contact and showed that the domain had been registered for 6 years, which therefore implied that their server might have been hacked.
I contacted Convio and received a return phone call, in which I was told that a lot more data had been revealed (depending on what data was stored on the server) and that the email was genuine.
After that I received two phone calls from a call centre that was set up to answer queries about the data theft. The scary thing is that their records show I requested contact about the problem, but they didn’t update the records to say that someone had already contacted me. It would also make sense to ensure that the people manning the call centre can actually pronounce the names of the companies involved in the whole farce!
I was also amazed to see that the University are not offering free credit monitoring or any other form of compensation to the affected users – instead they are just given (more redirected) links to a reduced fee.
All the above makes a mockery of the comments on the University website that can be found on Google, and the REALLY scary thing is that the server was hacked more than a month ago (April 11th), they announced it on April 23rd and they didn’t contact the user until May 25th (see Attrition for details).
Oh – and there are another 197,000 users also affected – still, that’s small change compared with the 81,822,769 that have been affected since the ChoicePoint breach in Feb 05.
Hmmm – I got an email this morning stating that they were going to change my Skype password in the next 24 hours due to an upgrade of their software. Why they can’t tell me that they have changed it now, instead of me waiting until I can’t log into Skype and then changing it myself, I don’t know. This also sounds suspiciously like one of the websites was hacked or compromised. I really can’t see any other reason that they would need to change passwords for so many people. There is more information at SkypeJournal, and it seems like a lot of people share my concerns AND have trouble trying to get the password changed.
The funny thing is that they try to convince you that this is not a hoax by saying that there is a copy of the email on the share.skype.com website… Now if I was a scammer with a website such as share.5kype.com, it wouldn’t be difficult to host a copy of a phishing email that I am sending out to all my target customers, would it?
I actually saw this a couple of days ago but didn’t get round to blogging it, but it is now possible to spoof URLs in non-IE browsers by using special encoding of characters. A lot of us know that %20 is actually a space, but there are a lot of numbers higher up in the thousands that also look like characters, and this is partly to do with the problem. The problem is something called IDN.
The link I posted above is reporting on the original website that discovered the problem.
Update: URL fixed and warning removed. (Thanks for the comment, Jeff.)
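Both lookalike tricks mentioned in the last two posts, the share.5kype.com typo-squat and the IDN homograph (a letter from another script that renders like a Latin one), can be caught with the same hostname check. The script below is an added example, not code from either post or from any browser vendor: it converts the host to its punycode wire form, flags labels that mix Unicode scripts, and compares the second-level label against a small brand watch-list by edit distance. The watch-list and the sample hostnames are constructed; the script-mixing check uses character-name prefixes and is a deliberately small stand-in for a full confusables table.

```python
"""Check a hostname for IDN homographs and one-character typo-squats.

Added example, not from the original posts. KNOWN_BRANDS and the sample
hostnames are constructed; the Cyrillic 'a' (U+0430) stands in for the
Latin one in a fake paypal host.
"""
import unicodedata
from urllib.parse import urlparse

KNOWN_BRANDS = ["skype", "paypal", "google"]   # constructed watch-list

# Constructed samples: typo-squat, IDN homograph, and a genuine host.
SAMPLE_HOSTS = ["share.5kype.com", "www.p\u0430ypal.com", "http://www.skype.com/"]


def scripts_in(label: str) -> set[str]:
    """Unicode scripts used by the letters of one DNS label, by name prefix
    (e.g. LATIN, CYRILLIC, GREEK). Digits and hyphens are ignored."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "").split(" ")[0])
    return scripts


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_host(url: str) -> dict:
    """Return the host, its punycode form, and a list of findings."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    findings = []
    # What the resolver actually sees: non-ASCII labels become xn-- labels.
    punycode = host.encode("idna").decode("ascii")
    if punycode != host:
        findings.append(f"IDN host; punycode form is {punycode}")
    labels = host.split(".")
    for label in labels:
        scripts = scripts_in(label)
        if len(scripts) > 1:
            findings.append(f"label {label!r} mixes scripts {sorted(scripts)}")
    # Compare the second-level label against the watch-list.
    sld = labels[-2] if len(labels) >= 2 else host
    for brand in KNOWN_BRANDS:
        d = edit_distance(sld, brand)
        if 0 < d <= 1:
            findings.append(f"{sld!r} is {d} edit from {brand!r}")
    return {"host": host, "punycode": punycode, "findings": findings}


if __name__ == "__main__":
    for sample in SAMPLE_HOSTS:
        result = check_host(sample)
        status = "SUSPICIOUS" if result["findings"] else "ok"
        print(f"{result['host']} -> {status}: {result['findings']}")
```

The homograph host triggers all three checks at once (it is IDN, the label mixes Latin and Cyrillic, and it is one edit from "paypal"), the typo-squat triggers only the edit-distance check, and the real host passes. Showing users the punycode form, as browsers later started doing, is the simplest fix the post's "spoof URLs" problem admits.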
According to Reuters, security experts apparently got 4466 passwords when they started monitoring an ISP’s network (with permission). Now if you ask me, that either means they don’t have a lot of customers or the experts weren’t very good. If you have access to sniff the network of an ISP, I would have thought you would have got a lot more passwords. After all, POP3 usernames and passwords are sent in clear text, and that is what most people would be using to retrieve their email. Just goes to show that you really shouldn’t use the same password for everything that you need to access.
At a customer site, they had a Fujitsu monitor that was really dark, but when you went to change the contrast it came up with “OSD Locked”. The official manual that I could find on Google said to press buttons 3 and 4 and power it on, but this didn’t work. However, holding down the select/menu button, pushing the power button and keeping the select button held down until the menu appears, and hey presto, one unlocked OSD! Repeat the process to lock it again.
I know a lot of you will have read this already, but the reason I couldn’t get to spywareinfo.com the other day wasn’t because of Kazaa having a blocker in it, but because they are under an extreme DoS attack, with all the servers that they try to use being attacked. Sounds pretty scary.
Finished reading the 2000+ pages of Underground on the Pocket PC last weekend. It’s been a really interesting read about hacking and has kept me entertained whilst waiting for tape restores/backups to run, dinners to be served in hotels etc. whilst I’ve been out on the road. Interestingly, one of the hackers lived in Salford at the same time I was there as a student, and he got busted for hacking.