So, I'm rethinking this gmail hack

Posted by: gbeer

So, I'm rethinking this gmail hack - 05/11/2010 12:17

My gmail PW was pretty much just a random set of letters.

So that means they...

1. Got lucky with the PW. (been changed)

2. Attacked Google itself. (Like that hasn't been done before.)
Not much can be done about that, except to give up on gmail altogether.

3. Somehow got past my access point, onto one of three computers.
This is the most bothersome because it seems more likely than 1 or 2.

I guess it's going to be a long weekend.
Posted by: Roger

Re: So, I'm rethinking this gmail hack - 05/11/2010 12:45

Originally Posted By: gbeer
My gmail PW was pretty much just a random set of letters.


One question: Do you _always_ use HTTPS to log into gmail?
Posted by: Tim

Re: So, I'm rethinking this gmail hack - 05/11/2010 13:27

This happened to me a few months ago. I don't know how they got the password, but it was just one spam message that went out (to like 6 people on my contact list). GMail was 0 help at all in the situation - they wouldn't even tell me the IP that it came from (the IP scrolled off the list they keep because of all the account changes I did following that). There was no evidence of anything at all on my machine (using three or four different scanners).

My brother's guess was that it was a brute force hack and they finally got lucky with it, but of course we can't be sure. I haven't had any problem since then, so it seems to be a one-time deal. If you Google the message that was sent, chances are there are a lot of people out there with the same issue and it hasn't been addressed by Google yet (saying where they got in, from the client itself and it being always logged in, password and another machine or server levels).
Posted by: canuckInOR

Re: So, I'm rethinking this gmail hack - 05/11/2010 13:30

Originally Posted By: Roger
Originally Posted By: gbeer
My gmail PW was pretty much just a random set of letters.


One question: Do you _always_ use HTTPS to log into gmail?

I do. And I haven't used gmail over wifi in months. A few weeks ago, I got kicked out of gmail, with a note that "unusual activity" had taken place, and my account was suspended. Some IP address in Brazil had tried sending out some spam through my account (all of which Google blocked). I've never been further south than Costa Rica. My PW was a mix of letters and numbers. Linux at work, OS X at home, both behind firewalls.
Posted by: siberia37

Re: So, I'm rethinking this gmail hack - 05/11/2010 13:40

Originally Posted By: Roger
Originally Posted By: gbeer
My gmail PW was pretty much just a random set of letters.


One question: Do you _always_ use HTTPS to log into gmail?


It doesn't appear you can use HTTP to log into Gmail. However, you might be able to use IMAP (instead of IMAPS) to log in.
Posted by: JBjorgen

Re: So, I'm rethinking this gmail hack - 05/11/2010 14:51

Do you use the same password on other sites?

I've heard of other sites getting compromised, and the hackers realize that people often use the same passwords for their email. The email address is often in the compromised data, which makes it even easier.
Posted by: jmwking

Re: So, I'm rethinking this gmail hack - 05/11/2010 15:25

So the gmail account was actually used to send the messages?

At a prior job, I've "sent" spam that came from my address, but in no way came from my account (as shown by the smtp logs). They just attached my name to the messages.

Unfortunately, I did receive a few hundred bounces and angry replies. This happened a few times with me, as well as several other employees. In every case, the messages originated elsewhere.

-jk
Posted by: hybrid8

Re: So, I'm rethinking this gmail hack - 05/11/2010 15:54

Originally Posted By: jmwking
came from my address, but in no way came from my account (as shown by the smtp logs).


This is the most common and happens all the time. If someone just wants to send SPAM, it makes no sense to try and attack Google's servers because they're going to be more resistant than most and certainly infinitely harder than an open relay somewhere.

That said, I use a different password for every site, always at least 10 characters long and always a mix of letters and numbers, with the letters being a mix of both upper and lowercase. Further, if I were held at gunpoint, I would not be able to divulge my passwords because I don't know any of them myself.

Of course open relays and easy to compromise mail servers are going away, plus often find themselves in black hole lists, so there's some motive to relay through GMail if possible. Their size and popularity (and acceptance) just make them the most visible target.
Posted by: andy

Re: So, I'm rethinking this gmail hack - 05/11/2010 16:18

My brother's gmail account was hacked the other day and used to send spam. They definitely used Gmail servers to send out mail using it; I know this because I was one of the recipients of the spam, so I can see from the headers/logs on my server that it was received directly from a Google server.
Posted by: drakino

Re: So, I'm rethinking this gmail hack - 05/11/2010 17:42

Glenn's messages came from his account. I received one of them, initially thought it spam till the posts here, and then I associated the name. My mail server logs confirm it came from mail-wy0-f178.google.com, with a valid DKIM signature.

Glenn, if it helps, here is the message ID google assigned the spam I got.

[email protected]

From the header, it was sent via the web page, and not SMTP.
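The distinction jmwking raises (forged From: address) versus what andy and drakino saw (mail really handed off by a Google server with a valid DKIM signature) can be checked from the receiving server's headers. This is an added example, not code from the thread; it uses constructed headers with documentation IP ranges and assumes Gmail's outbound MTAs have hostnames ending in .google.com.

```python
import email
import re
from email.utils import parseaddr

# Hostname suffix of Gmail's outbound MTAs, as seen in the thread
# (mail-wy0-f178.google.com). Assumption made for this example.
GMAIL_OUTBOUND_SUFFIX = ".google.com"


def originating_host(msg):
    """Peer named in the newest Received header, i.e. the host that handed
    the message to our own MTA. Returns None if it cannot be parsed."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = re.match(r"from\s+([A-Za-z0-9.-]+)", received[0].strip())
    return m.group(1).lower() if m else None


def dkim_result(msg):
    """(result, signing domain) from the Authentication-Results header our
    own MTA wrote while receiving; ('none', None) if no DKIM check was recorded."""
    ar = msg.get("Authentication-Results", "")
    res = re.search(r"dkim=(\w+)", ar)
    dom = re.search(r"header\.d=([A-Za-z0-9.-]+)", ar)
    return (res.group(1).lower() if res else "none",
            dom.group(1).lower() if dom else None)


def classify(raw):
    """Did this message really leave the Gmail account named in From:, or was
    the address merely pasted onto mail that originated elsewhere?"""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    host = originating_host(msg)
    result, signer = dkim_result(msg)
    via_gmail = bool(host) and host.endswith(GMAIL_OUTBOUND_SUFFIX)
    dkim_ok = result == "pass" and signer == from_domain
    if via_gmail and dkim_ok:
        return "sent-through-account"   # account compromise, as in the thread
    if not via_gmail and not dkim_ok:
        return "forged-sender"          # only the From: address was borrowed
    return "inconclusive"


# Constructed sample headers (documentation IP ranges, not real captures).
SENT_THROUGH_ACCOUNT = """\
Authentication-Results: mx.example.net; dkim=pass header.d=gmail.com
Received: from mail-wy0-f178.google.com (mail-wy0-f178.google.com [192.0.2.10])
\tby mx.example.net with ESMTPS; Fri, 5 Nov 2010 16:31:02 -0700
DKIM-Signature: v=1; a=rsa-sha256; d=gmail.com; s=gamma; h=from:to:subject
From: victim@gmail.com
To: friend@example.net
Subject: hi

body
"""

FORGED_SENDER = """\
Received: from pool-198-51-100-7.isp.example (unknown [198.51.100.7])
\tby mx.example.net with SMTP; Fri, 5 Nov 2010 10:02:44 -0700
From: victim@gmail.com
To: colleague@example.net
Subject: hi

body
"""
```

The Authentication-Results header is only trustworthy when your own MTA wrote it; strip any copy that arrives from outside before running a check like this.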
Posted by: tfabris

Re: So, I'm rethinking this gmail hack - 05/11/2010 17:50

Yes, this happened to me a couple months ago, and I thought my gmail password was pretty good. I've made it better, but anyway, here's what I learned from the Chinese hack:

1. I knew it happened well before Google notified me. People were emailing me that they were receiving payload-laden emails from my account SEVERAL HOURS BEFORE the google notification banner appeared on my email account telling me the Chinese had hacked my account.

2. I'm fairly certain it was entirely due to POP3 access to my Gmail account. By default this is enabled. I didn't use POP3 access, so I've since disabled POP3 on my gmail. Everybody!!!! DISABLE POP3 ON YOUR GMAIL NOW.

3. I know they got my entire contact list, and I'm assuming they got that via downloading all my old emails. Some of my old emails were password confirmation emails. So if they wanted to datamine the stuff they downloaded, they might have the passwords to some of my favorite user forums. So I changed those too. Everybody!!! DELETE ALL OLD EMAILS THAT CONTAIN PASSWORDS.

4. I changed all of my passwords on the important web sites and things like Amazon, or the logins that I use to access FTP to web sites, that sort of thing. I deliberately left my Facebook password to be my old password, as a honeypot. If my facebook gets hacked, I know they're data mining for passwords.
Posted by: Dignan

Re: So, I'm rethinking this gmail hack - 05/11/2010 18:17

Originally Posted By: tfabris
Some of my old emails were password confirmation emails. So if they wanted to datamine the stuff they downloaded, they might have the passwords to some of my favorite user forums. So I changed those too. Everybody!!! DELETE ALL OLD EMAILS THAT CONTAIN PASSWORDS.

Shouldn't services not send you your actual password in an email?


These days I'm a big fan of Lastpass. I've gone through all my important sites and had Lastpass generate some very long, gibberish passwords that I could never ever remember. Then I have a single password for Lastpass that I've created using my own system, and I feel like I'm pretty secure. Steve Gibson of the Security Now podcast was 100% positive towards the service, and uses it himself now. He went into incredible detail about how secure it is. Find that episode here.

And no, I was not using Lastpass when my GMail account was hacked, and like everyone else here, I have no idea how it happened. I find it unlikely that all of us were phished or our passwords were broken, so I'm hoping this isn't a Google problem, but I'm not optimistic...
Posted by: hybrid8

Re: So, I'm rethinking this gmail hack - 05/11/2010 20:11

When sites generate a password for you they'll send it in an email. You should change it right away.

But Tony, I have a 1-step solution to the woes you've mentioned...

1. Stop using GMAIL.


I have GMAIL set up for a personal domain using their "apps" so that while their system is used, there's no @gmail account. I use POP3 for this and every now and then go in and delete all my mail - no sense in leaving anything on the server if I have it all locally on my machine.

Then I also have one actual gmail account, but I don't use that for anything except logging on to analytics and now Google Voice. I absolutely never use it for email, including giving the address out to people. I used to use it for IM, though that was obviously only with friends and few of them at that.
Posted by: canuckInOR

Re: So, I'm rethinking this gmail hack - 05/11/2010 20:39

Originally Posted By: jmwking
So the gmail account was actually used to send the messages?

In my case, yes. The outgoing spam is actually in my sent folder.

However, it only got sent to 10 people, and google stopped all of them before they were actually sent -- I got 10 delivery failure notifications, and that's it.
Posted by: gbeer

Re: So, I'm rethinking this gmail hack - 05/11/2010 22:42

Originally Posted By: Roger
Originally Posted By: gbeer
My gmail PW was pretty much just a random set of letters.


One question: Do you _always_ use HTTPS to log into gmail?


Yes always!
Posted by: gbeer

Re: So, I'm rethinking this gmail hack - 05/11/2010 22:57

Originally Posted By: jmwking
So the gmail account was actually used to send the messages?

At a prior job, I've "sent" spam that came from my address, but in no way came from my account (as shown by the smtp logs). They just attached my name to the messages.

Unfortunately, I did receive a few hundred bounces and angry replies. This happened a few times with me, as well as several other employees. In every case, the messages originated elsewhere.

-jk


Yes, somebody using an IP from China did the deed. It showed in the gmail activity report once at about 11 am, then another at 4:30 pm. Each was from a different IP in Beijing.

4:30 was when the spam went out. I found the remains in my sent folder. I checked my mail at about 5:30 pm and saw the one that was in my inbox and a bunch of personal and automated replies. When I realized what had happened, the PW was changed right away.

edit: gmail has a 500/day limit for mass emails. There were 24 messages each with a list of 20 addresses (240). Don't know if the attacker was showing some restraint or if they bumped the limit and the others were stopped.
Posted by: gbeer

Re: So, I'm rethinking this gmail hack - 05/11/2010 23:10

Interestingly, after I tumbled to the attack, changed the password and closed other open connections, that was when gmail posted a red banner with a warning across the top of my inbox.
Posted by: tfabris

Re: So, I'm rethinking this gmail hack - 06/11/2010 02:42

Yup, like I said, I didn't get the banner until hours later.

I'm pretty sure they brute forced their way into gmail's POP3 interface. Which for some reason doesn't have as much security on it as the web interface.
Posted by: Shonky

Re: So, I'm rethinking this gmail hack - 06/11/2010 02:49

Originally Posted By: tfabris
2. I'm fairly certain it was entirely due to POP3 access to my Gmail account. By default this is enabled. I didn't use POP3 access, so I've since disabled POP3 on my gmail. Everybody!!!! DISABLE POP3 ON YOUR GMAIL NOW.

Not if you weren't using it. The POP3 implementation would have to have a serious security hole that allowed bruteforcing a password or something like that. You can't send through POP3 either. The only normal way would be if you used POP3 (which you say you didn't) over a non-secure connection and someone/something was snooping at the time.
Posted by: frog51

Re: So, I'm rethinking this gmail hack - 06/11/2010 09:43

The simple things you can do:

- change passwords
- use different passwords on all different sites (LastPass is okay, but you could also use a system which adds a couple of chars to each password based on the app/site - it beats the automated brute forcing using the same set of creds)
- don't use http to go to the initial page of any of these sites, as many don't refresh session cookies when you log in to an https enabled section, so you are effectively vulnerable for the duration of your session (especially bad in web cafes etc.), so use NoScript, HTTPS Everywhere or similar
Posted by: hybrid8

Re: So, I'm rethinking this gmail hack - 06/11/2010 11:34

Use 1Password (to store your passwords and other secure info and to spit back the password on the appropriate web site) - which should now be available for Windows as well. It will not enter the password unless you are on the real site. And since you're not typing the password yourself, it makes keyloggers useless for recording your passwords.
Posted by: tfabris

Re: So, I'm rethinking this gmail hack - 07/11/2010 03:48

Originally Posted By: Shonky
Not if you weren't using it. The POP3 implementation would have to have a serious security hole that allowed bruteforcing a password or something like that.


This is exactly the accusation I am making: That Gmail's POP3 interface is inadequately protected against brute force attacks from China.

Quote:
You can't send through POP3 either.


No, but if you successfully bruteforce the POP3 password, then the SMTP password is the same one and you simply replace the address and then you can send mail through it.
Posted by: andy

Re: So, I'm rethinking this gmail hack - 07/11/2010 06:43

Originally Posted By: tfabris
Originally Posted By: Shonky
Not if you weren't using it. The POP3 implementation would have to have a serious security hole that allowed bruteforcing a password or something like that.


This is exactly the accusation I am making: That Gmail's POP3 interface is inadequately protected against brute force attacks from China.


If you think about it, it is kind of hard to do. At best you can throttle the number of attempts or lock the account after a few failed attempts.

They can't do the stuff that they do on the web UI; there is no way of popping up an "are you human" form after a few failed logins.

I don't think locking peoples' POP3/IMAP access after a bunch of failed logins from China would be received very well by the users.
Posted by: hybrid8

Re: So, I'm rethinking this gmail hack - 07/11/2010 11:47

They could offer an IP block setting though. I'd opt in to kill access for my account from all Asian IP ranges.
Posted by: gbeer

Re: So, I'm rethinking this gmail hack - 07/11/2010 15:11

Blocking ranges of IPs - yeah, right. Like the Chinese hackers have never seen that before.
Posted by: peter

Re: So, I'm rethinking this gmail hack - 07/11/2010 15:44

Originally Posted By: andy
If you think about it, it is kind of hard to do. At best you can throttle the number of attempts or lock the account after a few failed attempts.

They can't do the stuff that they do on the web UI, there is no way of popping up a "are you human" form after a few failed logins.

I don't think locking peoples' POP3/IMAP access after a bunch of failed logins from China would be received very well by the users.

You could have a whitelist of IPs driven from the web interface. 99% of the time the desired operation is "whitelist the IP address I'm currently HTTP-ing you from", and for the rest it could offer a list of recent denied connections.

Peter
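The two mitigations discussed above (andy's throttle or lockout after failed logins, and Peter's opt-in IP whitelist driven from the web interface, with a list of recently denied connections) fit together as a front door for a password-only protocol like POP3/IMAP. This is an added example, not anything Google or the thread provided; class and method names are hypothetical and the IPs are documentation ranges.

```python
import time
from collections import defaultdict


class LoginGuard:
    """Front door for a password-only protocol such as POP3 or IMAP, where no
    CAPTCHA can be shown. Failed attempts lock the *source IP*, not the
    account, so a guesser cannot lock a legitimate user out; an account may
    also opt in to an IP allowlist managed from the web UI, and can see the
    connections that the allowlist turned away. Constructed example."""

    def __init__(self, max_failures=5, window=600, base_lockout=60):
        self.max_failures = max_failures
        self.window = window                # seconds in which failures count
        self.base_lockout = base_lockout    # seconds; doubles per extra failure
        self.failures = defaultdict(list)   # ip -> timestamps of failures
        self.locked_until = {}              # ip -> unix time the lock expires
        self.allowlist = defaultdict(set)   # account -> permitted source IPs
        self.denied = defaultdict(list)     # account -> [(time, ip), ...]

    def allow_ip(self, account, ip):
        """The 'whitelist the IP I am currently HTTP-ing you from' button."""
        self.allowlist[account].add(ip)

    def check(self, account, ip, now=None):
        """Decide before the password is even examined. Returns (ok, reason)."""
        now = time.time() if now is None else now
        if self.locked_until.get(ip, 0) > now:
            return False, "ip-locked"
        if self.allowlist[account] and ip not in self.allowlist[account]:
            self.denied[account].append((now, ip))
            return False, "ip-not-allowlisted"
        return True, "ok"

    def record(self, ip, success, now=None):
        """Feed back the outcome of a password check for this source IP."""
        now = time.time() if now is None else now
        if success:
            self.failures.pop(ip, None)
            return
        recent = [t for t in self.failures[ip] if now - t < self.window] + [now]
        self.failures[ip] = recent
        if len(recent) >= self.max_failures:
            extra = len(recent) - self.max_failures
            self.locked_until[ip] = now + self.base_lockout * 2 ** extra

    def recent_denials(self, account):
        """What the web UI would show so the user can allowlist a real client."""
        return list(self.denied[account])
```

Per-IP lockout alone does not stop a guesser who spreads attempts across many addresses, which is gbeer's objection; the allowlist (or a second factor) is what actually closes that gap.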
Posted by: andy

Re: So, I'm rethinking this gmail hack - 07/11/2010 16:08

Well they could, but most of their users would not have a clue what they were on about.
Posted by: tanstaafl.

Re: So, I'm rethinking this gmail hack - 07/11/2010 18:44

Originally Posted By: tfabris
2. I'm fairly certain it was entirely due to POP3 access to my Gmail account. By default this is enabled. I didn't use POP3 access, so I've since disabled POP3 on my gmail. Everybody!!!! DISABLE POP3 ON YOUR GMAIL NOW.
I really hate to make this post, because now everyone will know that I'm not as smart as I have been pretending to be all this time. But...

I've never understood what POP3 and IMAP and SMTP were all about. Can someone explain them to me, preferably in words of one syllable or less, and how they relate to email?

I have turned off POP service on GMail, and IMAP was already turned off. Can I still send and receive emails? Apparently so, I just sent (and received) an email to myself.

Life was simpler when sending mail meant finding a six-cent airmail stamp (yes, I really am that old) and an envelope.

tanstaafl.
Posted by: peter

Re: So, I'm rethinking this gmail hack - 07/11/2010 18:51

All of those things -- POP3, IMAP, SMTP -- are used for non-webmail email. If you only use Gmail as a web email service, you don't need them.

POP3 is for downloading email from the Gmail servers to your PC using a "traditional" (i.e. not web) email program. SMTP is for sending email via the Gmail servers using a traditional email program. IMAP is for reading email using a traditional email program, but, unlike when using POP3, the email data itself remains on the Gmail servers except for things like attachments that you download explicitly.

If you used email programs such as Eudora, or Thunderbird, or Evolution, or Outlook Express, you'd be using SMTP and either POP3 or IMAP.

Gmail offers access via those methods not because it's an essential part of being a webmail service, but because some people might like to use the Gmail service (when away from home, say, or to take advantage of its antispam features) while keeping their existing email program.

Peter
Posted by: tfabris

Re: So, I'm rethinking this gmail hack - 08/11/2010 00:46

Awesome layman's explanation.
Posted by: tman

Re: So, I'm rethinking this gmail hack - 08/11/2010 01:10

There is another interface to Gmail as well and that is whatever protocol that the official Gmail application uses to talk to their servers.

The Gmail application on my Android phone can access my Gmail account even with IMAP and POP3 disabled. There doesn't appear to be any mechanism to disable access via the Gmail application.
Posted by: Tim

Re: So, I'm rethinking this gmail hack - 08/11/2010 10:27

Originally Posted By: hybrid8
Use 1Password (to store your passwords and other secure info and to spit back the password on the appropriate web site) - which should now be available for Windows as well. It will not enter the password unless you are on the real site. And since you're not typing the password yourself, it makes keyloggers useless for recording your passwords.

I was told that some keyloggers just read what is transmitted in the fields and don't actually log your keystrokes. How true that is, I have no idea.
Posted by: hybrid8

Re: So, I'm rethinking this gmail hack - 08/11/2010 10:58

I'm not sure how it will read what gets transmitted on a secure connection though.
Posted by: DWallach

Re: So, I'm rethinking this gmail hack - 08/11/2010 13:03

Without knowing exactly what the attackers did, it's hard to know. Maybe they found a cross-site scripting vulnerability or browser hack and were able to get JavaScript into your Gmail client to extract your login credentials. Hard to say. Unsurprisingly, Google is quite proactive at dealing with these sorts of attacks.

If you're using Google with your own domain, you can sign up for two-factor authentication. I've been using it for a while now and I'm quite happy with it. I'm running the Google Authenticator app on my Android phone, such that if I need to log in from a new machine, I have to type in the additional number alongside my password. Also interesting, Google effectively invalidated my password for IMAP and the like. They instead use a web form that generates separate one-time passwords for each place you'd normally use a password (home machine IMAP, work machine IMAP, PicasaWeb plugin for Adobe Lightroom, Android phone, etc.).

Needless to say, it's a bit bumpy getting it set up, but after that it's remarkably painless and potentially more resistant to these sorts of account hijacking attacks. Example: even if somebody could steal the credentials inside your browser, and thus work around the need to have a new one-time-password, I'll bet that the new IP address disagrees with the credentials so account access fails. I already feel sorry for the poor Google engineer who had to make all of this work with variable IP addresses behind NATs.