Dealing with a cracked email account

Today afternoon my GMail account was cracked while I was away from my computer. Thousands of SPAM mails were sent from my account. One of my contacts in Italy reported the incident in couple of hours.

The whole incident was an embarrassment as I consider myself very security conscious and pride myself in never having such a thing happen to me. But it happened any way and lessons learned – you can not be complaisant just because you use reasonably secure platform (GNU/Linux + Firefox) to get on-line. You have to be really aware about new security threats emerging everyday!

As an immediate action I did

  • Changed my GMail Account password (I always keep reasonably strong password) – twice.
  • Taken a local backup of my GMail Address book and removed all the contacts from GMail Address book
  • Downloaded and installed latest version of Firefox
  • Cleared all my private data and cache from the browser
  • Removed stored passwords from Firefox
  • Taken the screen-shot of the IP Address as reported by GMail
  • Done “whois” and tracked the IP Address to a Chinese ISP

I also reported the incident to Indian Computer Emergency Response Team. Apart from that I have written to Chinese ISP to their abuse report email address and also alerted my ISP (Airtel) of the incident.

There are two possibilities of these security breach –

Firefox 3.0.13 Vulnerability as given here.

Or it could be vulnerability in my ADSL Router Provided by my ISP (Airtel).

I do not trust these cheap Chinese made ADSL Routers which may have unidentified trojan(s). I do not think these routers are security audited by any of our security agencies and can be used to carry out man-in-the-middle attacks.

You must be wondering why go to such a length to report such “small” thing? The incident is an instance of Identity Theft. The SPAM emails sent from my account may have really damaged my reputation with all the people I know who are in my contact list. The things could get worst if my email ID is used for sending any incriminating email and can even land me in jail!

I am writing this in the hope that, if ever, such a thing happens to you this info could prove useful in taking appropriate action.

Here is the original mail with headers, screen-shot of the connection report as provided by GMail and “whois” record of offending IP Address.

Original Email

Delivered-To: “Real email address removed”
Received: by 10.86.60.3 with SMTP id i3cs162823fga;
Sun, 23 Aug 2009 03:57:13 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.142.5.27 with SMTP id 27mr188303wfe.59.1251025032597; Sun, 23
Aug 2009 03:57:12 -0700 (PDT)
Date: Sun, 23 Aug 2009 18:57:12 +0800
Message-ID:
Subject: Shopping
From: =?UTF-8?B?RGluZXNoIFNoYWggKOCqpuCqv+CqqOCrh+CqtiDgqrbgqr7gqrkv4KSm4KS/4KSo4KWH4KS2IA==?=
=?UTF-8?B?4KS24KS+4KS5KQ==?=
To: “Real email addresses removed”
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Hi.
I am sorry to say that the impact of your work, this is the company
with your friends by e-mail the information to do publicity, we know
that this is the improper way, please understand …! However, our
goal is very friendly, and absolutely no deception, in order to
long-term viability and credibility,It can offer you all kinds of
products that variety of brand-name merchandise can be found here
(Nike=E3=80=81Gucci=E3=80=81Puma=E3=80=81Bape=E3=80=81 A & F=E3=80=81D =
&
G=E3=80=81Adidas=E3=80=81Chanel=E3=80=81Fendi=E3=80=81shoe=E3=80=81wrap=E3=
=80=81POLO=E3=80=81clothes=E3=80=81the the sun
mirror=E3=80=81microphone=E3=80=81Watches ……).
Its website is http://www.ccoshop. com Here there are many special
commodities=E3=80=81quality assurance.
I hope you Happy shopping!You can take some time to have a check
,there must be something interesting you ‘d like to purchase .
Sincere greetings:Happiness and joy with your

Email Account Hijacking
Email Account Hijacking

WHOIS Record of IP

[Querying whois.apnic.net]
[whois.apnic.net]
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 123.4.0.0 – 123.7.255.255
netname: UNICOM-HA
descr: China Unicom Henan province network
descr: China Unicom
country: CN
admin-c: CH1302-AP
tech-c: WW444-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CNCGROUP-HA
mnt-routes: MAINT-CNCGROUP-RR
status: ALLOCATED PORTABLE
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation’s account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: hm-changed@apnic.net 20061120
changed: hm-changed@apnic.net 20090507
changed: hm-changed@apnic.net 20090508
source: APNIC

route: 123.4.0.0/14
descr: CNC Group CHINA169 Henan Province Network
country: CN
origin: AS4837
mnt-by: MAINT-CNCGROUP-RR
changed: abuse@cnc-noc.net 20070111
source: APNIC

person: ChinaUnicom Hostmaster
nic-hdl: CH1302-AP
e-mail: abuse@chinaunicom.cn
address: No.21,Jin-Rong Street
address: Beijing,100140
address: P.R.China
phone: +86-10-66259940
fax-no: +86-10-66259764
country: CN
changed: abuse@chinaunicom.cn 20090408
mnt-by: MAINT-CNCGROUP
source: APNIC

person: Wei Wang
nic-hdl: WW444-AP
e-mail: abuse@public.zz.ha.cn
address: #37 Wei Wu Road, Zhengzhou, Henan Provice
phone: +86-371-65952358
fax-no: +86-371-65968952
country: CN
changed: wangw@data.zz.ha.cn 20060205
mnt-by: MAINT-CNCGROUP-HA
source: APNIC

Advertisements

2 thoughts on “Dealing with a cracked email account

  1. Dude

    I too got that wonderful mail from you.

    I always add one more security setting in my gmail a/c.

    Settings > Browser connection : Always use https

    By default, gmail uses https only for login.

    Like

    1. Thanks for your comment.

      And sorry for the inconvenience caused due to SPAM.

      I am already using HTTPS for connecting to GMail.

      It seems that the attacker has used XSS vulnerability in FF 3.0.13

      I am still investigating.

      Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s