Home » Don’t understand how my mum’s Gmail account was hacked

Don’t understand how my mum’s Gmail account was hacked

Solutons:


IMPORTANT: this is based on data I got from your link, but the server might implement some protection. For example, once it has sent its “silver bullet” against a victim, it might answer with a faked “silver bullet” to the same request, so that anyone investigating is led astray. I have tried sending a fake parameter of cHVwcGFtZWxv to see whether it triggered any different behaviour, and it did not. Still, that’s no great guarantee.

UPDATE – the above still holds, but I’ve been making tests from random IPs not traceable to my main session – the attacking server does not discriminate, and will blithely answer to a query regardless of browser, referer, and JS/Flash/Java support.


The link you received contained, already embedded in the URL, the following parameters – I have slightly changed them so the correct form won’t appear in Google searches of Stack Exchange (I swapped the first letters).

jebe1shebe@hotmail.co.uk
hunalx@googlemail.com

The link injects a Javascript that first of all retrieves your location through a Geotrack API call, then loads another script. (I had initially mistaken this for a GMail command; my bad).

The second script loads a web page, but also presents several replicas of Login pages of popular accounts (Hotmail, GMail and so on) depending on the incoming email: GMail accounts get a fake GMail page, and so on, all of these pages saying what amounts to “Oooh, session expired! Would you mind logging in again?“.

For example, clicking here (do not do so while logged in GMail, just in case)

hxxp://23.88.82.8/d/?p=puppa@gmail.com&jq=SVQ7RmxvcmVuY2U=

will display a fake Google account login (for a nonexisting user ‘puppa’).

The real login pages come from

http://ww168.scvctlogin.com/login.srf?w...
http://ww837.https2-fb757a431bea02d1bef1fd12d814248dsessiongo4182-en.msgsecure128.com

which are fire-and-forget domains.

The server that receives the stolen usernames and passwords is apparently always the same, a ShineServers machine on 31.204.154.125, a busy little beaver. Most of these URLs have been submitted to various services and were seen as far back as January.

Phishing and Two-Factor authentication

I’m of two minds about the usefulness of TFA in this scenario. As I see it, and I may well be mistaken or overlooking something,

  • the victim clicks on the link
  • gets “disconnected” and prompted to “reconnect” by a phishing screen
  • enters [username and] password
  • attacker attempts login and gets redirected to “Enter Secure Code”
  • a secure code is sent to the victim
  • attacker sends to victim an “Enter Secure Code” screen
  • (most?) victims enter secure code too
  • victim account is compromised

What could one do

  • Check out the URL appearing on the address bar. Verify SSL certificates.
  • Never login to anything unless it comes from a bookmark or a manually typed link, paying attention to common misspellings. If a login screen appears during navigation, just close the browser and reopen it.
  • Enter into the paranoid habit of always inserting a wrong password first, one you would never use, then the correct one on the “Login failed” screen. If the wrong password gets accepted… (of course, the attacker might always reply WRONG! to the first attempt. He has to balance the cost of scaring some victims against the benefit potential of capturing some others. As long as the number of two-attempters is negligible, two-attempting is a winning strategy for them. If everybody does it, it won’t work).
  • There are services, such as OpenDNS as pointed out by @Subin, or embedded in the browser itself, that verify the incoming site against a distributed list and refuse to connect to a known phishing site.

What could a developer do

Maybe, just maybe, it would be possible to develop a “This page looks like this other page” application. Probably it would be terribly heavy on the system. In its most basic and thwartable form, if the HTML code contains ‘Enter Google password’ and the URL is not gmail, then a large blood-red banner appears saying JUST DON’T.

Another (thwartable again) possibility is to employ a honey-token approach and deny form submissions that contain a password.

What could Google do

This is a bit of a pet peeve of mine. The phishing screen uses data on Google servers, for Pete’s sake, so that those servers clearly see a login logo being requested by your mom with a referer of phishers’r’us dot com. What do those servers do? They blithely serve the logo as is! If I were to manage such a server, a request for your avatar image (or any image) from any page not on my site would, yes, indeed get an image. I would probably get in no end of trouble for the image I’d choose. But it would be very unlikely that someone would willingly enter his/her password on such a screen.

Of course, the attackers would just mirror the images on their websites. But I can think of many other tricks. For example, if a browser on 1.2.3.4 asked me for a login avatar, I might be wary of a password confirmation coming from address 9.8.7.6 a few seconds later, especially if other passwords for other accounts had come in similar circumstances from the same address in the last few minutes.

A twist: as suggested by a commenter (which I still have to thank for the insight), Google has actually oversight on the incoming requests as well as GMail displayed messages. With a bit of data analysis, it can then know with good certainty phishing sites almost in real time, and phishers mirroring sites doesn’t thwart this kind of analysis very much (it is mostly based on data garnered from the victim). Then Google can supply the addresses of known sites to a browser extension (e.g. Chrome site protection).

I still think that they could do both – defend the login screen and use data mining to find out who the phishers are – but I’ll accept that I am not justified in saying that Google is actually doing nothing.

More complicated tricks

Also, I might complicate the login screen with challenge/responses invisible to the user that the attacker would have to match, and based on browser fingerprinting. You want to log in, you send the password from the same login screen that prompted you. This too can be thwarted, quite easily.

But having to do twenty easy things to compromise an account is difficult. Also because if you do seventeen right, I (the server) mark your address, and maybe redirect you to a fake sandbox account if you do succeed to log in in the next hours. And then I just look at what you do. You do little, I replicate on the real account and if you’re honest, you’ll never even know. More than X too-similar emails, or sent too fast, and I’ll know. Of course the account will remain open and blithely accept all your spam. Why not. Send it? Well… that’s another matter, now, isn’t it?

I had a customer who was hacked in this exact way (going into the Gmail activity information showed the exact same UK–based IP addresses) a bit after your mother received that.

She had been phished only an hour before seeing me, so after being prompted was able to recall all the steps.

After clicking the phishing link, she was taken to a page full of ads where multiple popup windows opened. She closed one of the popup windows, thinking she was “back” to where she was, only to be taken to a window that looked like a Gmail logon.

It was in here that the credentials were entered, and not long after that the account was used to send phishing e-mails to everyone in her contacts list.

Her Gmail password had been reset, but fortunately using SMS verification was able to use the old password to reset to something new.

Well, here is my guess.

Probably what happened is that the web page had an exploit which affects the browser and it simply took control of the browser itself managed to access the GMail session and used to send the e-mail from there.

Probably the exploit didn’t even crack the password whatsoever.

Related Solutions

How to download package not install it with apt-get command?

Use --download-only: sudo apt-get install --download-only pppoe This will download pppoe and any dependencies you need, and place them in /var/cache/apt/archives. That way a subsequent apt-get install pppoe will be able to complete without any extra downloads....

What defines the maximum size for a command single argument?

Answers Definitely not a bug. The parameter which defines the maximum size for one argument is MAX_ARG_STRLEN. There is no documentation for this parameter other than the comments in binfmts.h: /* * These are the maximum length and maximum number of strings...

Bulk rename, change prefix

I'd say the simplest it to just use the rename command which is common on many Linux distributions. There are two common versions of this command so check its man page to find which one you have: ## rename from Perl (common in Debian systems -- Ubuntu, Mint,...

Output from ls has newlines but displays on a single line. Why?

When you pipe the output, ls acts differently. This fact is hidden away in the info documentation: If standard output is a terminal, the output is in columns (sorted vertically) and control characters are output as question marks; otherwise, the output is...

mv: Move file only if destination does not exist

mv -vn file1 file2. This command will do what you want. You can skip -v if you want. -v makes it verbose - mv will tell you that it moved file if it moves it(useful, since there is possibility that file will not be moved) -n moves only if file2 does not exist....

Is it possible to store and query JSON in SQLite?

SQLite 3.9 introduced a new extension (JSON1) that allows you to easily work with JSON data . Also, it introduced support for indexes on expressions, which (in my understanding) should allow you to define indexes on your JSON data as well. PostgreSQL has some...

Combining tail && journalctl

You could use: journalctl -u service-name -f -f, --follow Show only the most recent journal entries, and continuously print new entries as they are appended to the journal. Here I've added "service-name" to distinguish this answer from others; you substitute...

how can shellshock be exploited over SSH?

One example where this can be exploited is on servers with an authorized_keys forced command. When adding an entry to ~/.ssh/authorized_keys, you can prefix the line with command="foo" to force foo to be run any time that ssh public key is used. With this...

Why doesn’t the tilde (~) expand inside double quotes?

The reason, because inside double quotes, tilde ~ has no special meaning, it's treated as literal. POSIX defines Double-Quotes as: Enclosing characters in double-quotes ( "" ) shall preserve the literal value of all characters within the double-quotes, with the...

What is GNU Info for?

GNU Info was designed to offer documentation that was comprehensive, hyperlinked, and possible to output to multiple formats. Man pages were available, and they were great at providing printed output. However, they were designed such that each man page had a...

Set systemd service to execute after fstab mount

a CIFS network location is mounted via /etc/fstab to /mnt/ on boot-up. No, it is not. Get this right, and the rest falls into place naturally. The mount is handled by a (generated) systemd mount unit that will be named something like mnt-wibble.mount. You can...

Merge two video clips into one, placing them next to each other

To be honest, using the accepted answer resulted in a lot of dropped frames for me. However, using the hstack filter_complex produced perfectly fluid output: ffmpeg -i left.mp4 -i right.mp4 -filter_complex hstack output.mp4 ffmpeg -i input1.mp4 -i input2.mp4...

How portable are /dev/stdin, /dev/stdout and /dev/stderr?

It's been available on Linux back into its prehistory. It is not POSIX, although many actual shells (including AT&T ksh and bash) will simulate it if it's not present in the OS; note that this simulation only works at the shell level (i.e. redirection or...

How can I increase the number of inodes in an ext4 filesystem?

It seems that you have a lot more files than normal expectation. I don't know whether there is a solution to change the inode table size dynamically. I'm afraid that you need to back-up your data, and create new filesystem, and restore your data. To create new...

Why doesn’t cp have a progress bar like wget?

The tradition in unix tools is to display messages only if something goes wrong. I think this is both for design and practical reasons. The design is intended to make it obvious when something goes wrong: you get an error message, and it's not drowned in...

OpenSSH: How to end a match block

To end up a match block with openssh 6.5p1 or above, use the line: Match all Here is a piece of code, taken from my /etc/ssh/sshd_config file: # Change to no to disable tunnelled clear text passwords PasswordAuthentication no Match host 192.168.1.12...

Redirecting the content of a file to the command “echo”

You can redirect all you want to echo but it won't do anything with it. echo doesn't read its standard input. All it does is write to standard output its arguments separated by a space character and terminated by a newline character (and with some echo...