Answer the question
In order to leave comments, you need to log in
Sending spam via the gmail web interface. Why would?
Today around 11:00 am (MSK) one of my gmail accounts (let it be [email protected]) began to send massive spam with a link like http://<different domains>/<different paths>/ugoogle.html. The link is nothing particularly criminal, just a redirect with a referral to a site in the “make money on the Internet” style.
It would seem that everything is simple and clear, I caught a sucker, a virus that took away my password / cookies and crap. But what confuses me is that I tried to always live the “correct” IT life, namely:
Hidden text1. In most cases I use linux (thoughtfully compiled and distributed via BINHOST by gentoo) and the latest versions of FF ESR (noscript, requestpolicy, adblock, flash is included in a separate profile that is only for flash) and chromium (ScriptNo, adblock, flashblock). For imap - the latest thunderbird ESR. Phone - nokia n900 with maemo.
1.1 The remaining case is a computer running Windows 7 x64, regularly updated, DrWeb 6.0 (license) with fresh databases updated every three hours and FF with separated profiles: a profile with working information (all the same plugins as under linux) , a separate profile for mail and payment transactions with a bare browser, as many payment sites go crazy with security plugins. Yes, I understand that this is the “bottleneck” place, but I seem to have taken all possible security measures under Windows (for example, I turned off the “Server” service), and the Internet at work through an iota distributed by a dedicated computer with Kerio Control. Yes, and the login from this computer was a few days ago.
2. Password with entropy similar to the password "dbvuyGcxPy%". Yes, I know about two-factor authentication, but I don't want to give my cell phone to Google. Email for recovery on your own server, which was not accessed by the left.
3. Never went to the post office anywhere other than the above. There is no need, since you have a phone with the box settings set in with you.
4. I never used the “Remember me” checkbox on the web. As well as the function of saving passwords in the browser. The password is only stored in the thunderbird settings, protected by a master password (with similar entropy).
The spam headers are as follows (* - stripped private data):
Hidden text Delivered-to: * gmail .com
Received: by 10.58.207.20 with SMTP id ls20csp410753vec; Mon, 5 Nov 2012
23:27:43 -0800 (PST)
Received: by 10.180.87.230 with SMTP id
bb6mr17041767wib.6.1352186863636; Mon, 05 Nov 2012 23:27:43 -0800 (PST)
Return-path: <[email protected]>
Received: from mail-we0-f195.google.com (mail-we0-f195.google.com
[74.125 .82.195]) by mx.google.com with ESMTPS id
fp2si8850840wib.6.2012.11.05.23.27.43 (version=TLSv1/SSLv3
cipher=OTHER); Mon, 05 Nov 2012 23:27:43 -0800 (PST)
Received-spf: pass (google.com: domain of [email protected] designates
74.125.82.195 as permitted sender) client-ip=74.125.82.195;
Authentication-results: mx.google.com; spf=pass (google.com: domain of
[email protected] designates 74.125.82.195 as permitted sender)
[email protected]; dkim=pass header.i= gmail.com Received : by mail-we0-f195.google.com
with SMTP id z53so12199wey.2 for
<* gmail.com >; Mon, 05 Nov 2012 23:27:43 -0800 (PST)
Return-path: <[email protected]>
Received-spf: pass (google.com: domain of * gmail .com designates
10.180.87.230 as permitted sender) client-ip=10.180.87.230
Received: from mr.google.com ([10.180.87.230]) by 10.180.87.230 with
SMTP id bb6mr19781532wib.6.1352186862711 (num_hops = 1); Mon, 05 Nov
2012 23:27:42 -0800 (PST)
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com;
s=20120113; h=mime-version:date:message-id:subject:from:to:content-type;
bh=FmodzDaoDrD+RsAH3/ViG/fUMeJRfJ+FiO766qwYo10=;
FxOEcPZh695P6Klc = b / QerSSLfiU3dV4PMEOFFcUcRAHDp1cMGKhh3ZAMBtnbe9PHxVy
zY8rgtiSonshdq1 / yk16fZEnarN5i7 + + MOP9UEv5mmB3M0i3v VX4B6owVdB4x06hk8Sg
fZaCID85UG2cFqBno95FvmnEnBEvleesRbQdF0KbYTHDt + 7RsYMczKVokLGjKQcDz5VZ
pKL3lpPrXcgYgUwtdn24otYhj8hewsWwcFr3g / YD3 cNiHl7LlUOk2V + + k / yzn5UR7aRq
MgvsHwydUPra604NfVpGSLxn / ZXMBAOuDjCwP7yL1BbGiaQn5jLpo63puNjnE / P1 / fxi
0S9A ==
Mime-version: 1.0
Received: by 10.180.87.230 with SMTP id
bb6mr17023834wib. 6.1352186560963; Mon, 05 Nov 2012 23:22:40 -0800 (PST)
Received: by 10.216.114.7 with HTTP; Mon, 5 Nov 2012 23:22:40 -0800
(PST)
Date: Tue, 6 Nov 2012 11:22:40 +0400 (06. nov. 2012 kl. 08.22 +0100)
Message-id:
<CAPvRhhQDA=f3CGHfuWNq-fh5s* mail .gmail.com>
Subject:
From: * <myemail @gmail.com>
To: * gmail .com, * mail .ru,
* yandex .ru, * yandex .ru, * mail .ru
Content-type: text/plain; charset=ISO-8859-1
http://*/zoiwipqueio/ugoogle.html
Spam was distributed to all addresses appearing in the box: those who wrote to me, those to whom I wrote, as well as to all the jids in the Google talk, but by email (i.e. there were attempts to send spam to an address like [email protected]) in 20 minutes.
Then they began to write angry contacts to me, after 40 minutes I got to the computer (unfortunately I did not find how to change the password through the Google mobile interface), changed the password (no one changed my password on the box), and turned off all outsiders. From suspicious activity in the "Recent activity" list, IP 66.18.115.126 (USA) was detected, which came from the browser at the time of spam.
Now I have questions:
1) What was it all the same? Still, a banal Trojan climbed onto a working Windows contrary to all measures? Or maybe my paranoia, linking the recent updates of the web interface and the incident that happened, is not so groundless and someone has already had this?
2) What should I do now? Whether to write somewhere in Google? If yes, then where? I heard about the ignore from Google support, so the answer to the question is not obvious to me.
Answer the question
In order to leave comments, you need to log in
Think about the following options for obtaining your password:
1) Your password could theoretically be phished, for example, when you were using Wi-Fi from some iPhone.
2) Or you entered your password on a fake purportedly Google page, such as one hosted at sites.google.com (a trusted domain).
3) Or still a Trojan, which, for example, was hiding in a pirated program. downloaded from torrent.
4) Or an evil browser extension that steals passwords and cookies.
5) Or some android application that you have given access to your Google account.
6) Or you use Java/Adobe Acrobat (but why???) and surf the Internet with these backdoors that have been opening wide doors to all hackers in the world for ten years now.
7) Fake DNS, which redirected requests to gmail to another domain.
And double authorization is good, when you try to log in from another IP, Google immediately turns on paranoia.
Antivirus only helps against old Trojans. Now even schoolboy bot growers check their bundles of exploits for undetected by antiviruses before launching them on the network, and they have several days before they fall into the hands of virus analysts. For this reason, relying on an antivirus is pretty stupid.
I would look in Windows at the simplest thing possible - a list of processes, startup, suspicious traffic + logs + everything that you can see for yourself + checked with another antivirus.
If there was an entrance from someone else's IP, then the password was taken away. If the problem was in the interface, for example, CSRF or XSS in the Google web interface would be used to send spam, then your IP would appear in the mailing, because. actions would then be performed through the browser.
Another issue is that a Trojan was not necessarily used. Either a vulnerability in the Google interface or a vulnerability in the browser could be used to replace the form with a password. Remember if there was such a thing that the password was requested at an unusual moment, for example, while reading a letter.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question