This afternoon my GMail account was cracked while I was away from my computer. Thousands of SPAM mails were sent from my account. One of my contacts in Italy reported the incident within a couple of hours.
The whole incident was an embarrassment, as I consider myself very security conscious and pride myself on never having had such a thing happen to me. But it happened anyway, and the lesson learned is that you cannot be complacent just because you use a reasonably secure platform (GNU/Linux + Firefox) to get online. You have to stay aware of the new security threats emerging every day!
As immediate actions, I:
- Changed my GMail account password twice (I always keep a reasonably strong password)
- Took a local backup of my GMail address book and removed all the contacts from it
- Downloaded and installed the latest version of Firefox
- Cleared all my private data and cache from the browser
- Removed stored passwords from Firefox
- Took a screenshot of the IP address as reported by GMail
- Ran "whois" and traced the IP address to a Chinese ISP
I also reported the incident to the Indian Computer Emergency Response Team (CERT-In). Apart from that, I have written to the Chinese ISP at its abuse-report email address and also alerted my own ISP (Airtel) to the incident.
There are two possible causes of this security breach:
A Firefox 3.0.13 vulnerability, as described here.
Or a vulnerability in the ADSL router provided by my ISP (Airtel).
I do not trust these cheap Chinese-made ADSL routers, which may have unidentified trojan(s). I do not think these routers are security-audited by any of our security agencies, and they could be used to carry out man-in-the-middle attacks.
You must be wondering why I go to such lengths to report such a "small" thing. The incident is an instance of identity theft. The SPAM emails sent from my account may have really damaged my reputation with all the people in my contact list. Things could get worse if my email ID were used to send incriminating email, which could even land me in jail!
I am writing this in the hope that, if such a thing ever happens to you, this information could prove useful in taking appropriate action.
Here is the original mail with headers, the screenshot of the connection report as provided by GMail, and the "whois" record of the offending IP address.
Delivered-To: “Real email address removed”
Received: by 10.86.60.3 with SMTP id i3cs162823fga;
Sun, 23 Aug 2009 03:57:13 -0700 (PDT)
Received: by 10.142.5.27 with SMTP id 27mr188303wfe.59.1251025032597; Sun, 23
Aug 2009 03:57:12 -0700 (PDT)
Date: Sun, 23 Aug 2009 18:57:12 +0800
To: “Real email addresses removed”
Content-Type: text/plain; charset=UTF-8
I am sorry to say that the impact of your work, this is the company
with your friends by e-mail the information to do publicity, we know
that this is the improper way, please understand …! However, our
goal is very friendly, and absolutely no deception, in order to
long-term viability and credibility,It can offer you all kinds of
products that variety of brand-name merchandise can be found here
(Nike=E3=80=81Gucci=E3=80=81Puma=E3=80=81Bape=E3=80=81 A & F=E3=80=81D =
=80=81POLO=E3=80=81clothes=E3=80=81the the sun
Its website is http://www.ccoshop. com Here there are many special
I hope you Happy shopping!You can take some time to have a check
,there must be something interesting you ‘d like to purchase .
Sincere greetings:Happiness and joy with your
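As an added example (not part of the original post), the following Python script parses the Received: and Date: headers quoted above, reconstructed here with the addresses left redacted, and shows one check worth making on such a mail: the Date: header is written by the submitting client, so its +0800 offset is fifteen hours from the -0700 stamps Google's servers wrote, even though both name the same instant.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed from the headers quoted above; the real addresses stay redacted.
RAW_HEADERS = """\
Delivered-To: real-email-address-removed@example.org
Received: by 10.86.60.3 with SMTP id i3cs162823fga;
        Sun, 23 Aug 2009 03:57:13 -0700 (PDT)
Received: by 10.142.5.27 with SMTP id 27mr188303wfe.59.1251025032597; Sun, 23
        Aug 2009 03:57:12 -0700 (PDT)
Date: Sun, 23 Aug 2009 18:57:12 +0800
To: real-email-addresses-removed@example.org
Content-Type: text/plain; charset=UTF-8
"""

# The "by <host> with <proto> id <id>; <date>" shape of a Received: clause.
RECEIVED_RE = re.compile(r"by\s+(\S+)\s+with\s+(\S+)\s+id\s+(\S+);\s*(.*)")

def parse_hops(raw):
    """Return the Received: chain as (host, proto, id, datetime) tuples.
    Servers prepend Received: lines, so index 0 is the final hop and the
    last entry is the hop closest to the sender."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))  # unfold the header
        if m:
            host, proto, mid, when = m.groups()
            hops.append((host, proto, mid, parsedate_to_datetime(when)))
    return hops

def hours_east_of_utc(dt):
    return dt.utcoffset().total_seconds() / 3600

def timezone_mismatch(raw):
    """Compare the client-written Date: offset with the server's Received: stamp.
    Date: is set by the submitting client, so its UTC offset reflects the
    sender's machine, not the mailbox owner's; a large gap from the offset the
    owner normally uses is a supporting (not conclusive) origin indicator."""
    client = parsedate_to_datetime(message_from_string(raw)["Date"])
    first_hop = parse_hops(raw)[-1][3]  # earliest Received: line
    return {
        "client_offset_hours": hours_east_of_utc(client),
        "server_offset_hours": hours_east_of_utc(first_hop),
        "offset_gap_hours": hours_east_of_utc(client) - hours_east_of_utc(first_hop),
        # Zero means both stamps name the same UTC instant: the sending clock was right.
        "clock_skew_seconds": (first_hop - client).total_seconds(),
    }
```

The internal 10.x.x.x hops are Google's own relays; the external source address is only in GMail's connection report, so the offset comparison is the one origin clue these headers carry on their own.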
WHOIS Record of IP
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 184.108.40.206 – 220.127.116.11
descr: China Unicom Henan province network
descr: China Unicom
status: ALLOCATED PORTABLE
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation’s account
remarks: name in the subject line.
changed: firstname.lastname@example.org 20061120
changed: email@example.com 20090507
changed: firstname.lastname@example.org 20090508
descr: CNC Group CHINA169 Henan Province Network
changed: email@example.com 20070111
person: ChinaUnicom Hostmaster
address: No.21,Jin-Rong Street
changed: firstname.lastname@example.org 20090408
person: Wei Wang
address: #37 Wei Wu Road, Zhengzhou, Henan Provice
changed: email@example.com 20060205