Gmail hack – how was it done?

4 points by pierrel2 ↗ HN
My daughter's Gmail was apparently hacked (spam was sent to all her contacts) - how was it done? Here are some relevant facts: 1) she had 2-factor authentication (using SMS) in place for months before the incident. 2) the access log on Gmail shows only accesses from her home computer and her phone. 3) home computer is a Mac with Apple Mail - no viruses found on the machine 4) iPhone Mail is also connected to her Gmail.

What's the most likely attack vector?

7 comments

[ 3.1 ms ] story [ 28.2 ms ] thread
It could've been email spoofing[1], where the attacker sends an email with a worm and makes it look like it was sent from a friend. Once the email is opened by the recipient, the worm sends a similar email to the recipient's contacts, which continues to spread the spam.

[1] http://en.wikipedia.org/wiki/E-mail_spoofing

She signed-up to some pseudo social crappy network where in the process she was asked if she wants to notify her contacts about her new status or so, and was presented with gmail logo and login screen.

Or she gave some App the rights to access her gmail contacts.

I think we need more detailed information to identify the cause of the spamming...There could be several strategies to spam her contacts with her account, even with the facts that you listed (assuming fact No. 3 really is what it appears to be, as virus detection itself is an open problem -- and in theory this problem is indeterministic).

2-factor authentication (with SMS) in place should be able to rule out the possibility to have her account accessed somewhere else, other than the computer and smart phone she uses. But there is also the possibility that someone else obtained all the contacts in your daughter's gmail, and then spam with a fake originating mail server. The critical path for this attacking strategy does not involve 2-factor authentication and your machines.

Another scenario could be her iphone has been compromised and hence have all the information stored on it exposed to the attacker, including the SMS (and once the attacker obtained control of the iphone, he/she could delete the text message and erase the trail after the attack). You need to check the SMS record with the telecommunication SP to see if there was any text message containing the 2-factor password sent from google to your daughter's number.

But in the case either your daughter's mac or iphone has virus in it, and you failed to find it out (which could happen to anyone), this could be another possible cause.

At this time, perhaps we could also do several other things to mitigate the impact of this attack...

1) all the contacts she cares should be alerted about this account compromise (there have been cases in the past where compromised account has been used to swindle money).

2) change the gmail password.

3) check the vacation responder (e.g. auto-response) of the gmail account (gmail settings -> General -> Vacation responder) see if it has been cleared.

4) set different mail signature for all the different mail clients she uses (this could be done through each mail client's own configuration), and also the signature for the gmail account (gmail settings -> General -> signature), in the sense of marking the different critical paths of sending mail. So next time we could find out where (in terms of the apps and client) the spam is sent from, in case it happens again.

She probably registered to a forum or the other portal and she used her email with the same gmail password. And then the data (list of emails and passwords) form a forum/portal leaked. Ask her if she use the one password to all accounts.
and that's why she has 2 factor auth.