
Someone keeps accessing my Gmail

JRosey Registered User regular
For the past six months someone or something has been accessing my GMail account and sending out spam. Every time I have changed my password to something I don't use anywhere else, set up two-step authorization, and have even built a new PC. I can see that someone is accessing my account using Google's recent activity thingy and the IP of the accused jumps from California to Ohio to DC, probably from behind a VPN. Is there anything else I can do besides giving up on my beloved GMail account?

Posts

    TychoCelchuuu PIGEON Registered User regular
    Jesus. Did your new PC have any files from the old one? I can't really think of how someone is managing this outside of a keylogger. Are you sure they're using your account and not just spoofing it so that it looks like you're sending the messages? Like, the messages show up in your sent folder?

    JRosey Registered User regular
    edited September 2014
    The messages don't show up in my sent folder actually, but my friends have shown me the emails they get from me. And like I said - Google certainly thinks I'm logging in from a Nexus 5 in various states when I am in reality not. I did keep one of my old hard drives. Am I super screwed?
    - edit - and a keylogger seems awfully overkill just to send a monthly spam email.

    MichaelLC In what furnace was thy brain? Chicago Registered User regular
    How can they bypass two-factor? Assume you mean you set a password then require a text to your phone for access?

    I'm on tablet so can't check, but believe there's a "log out of everything" option/button. Maybe set up new info on friend's machine, log out of all Google services and see what happens.

    zerzhul Registered User, Moderator mod
    Yeah, I'm pretty surprised by the bypassing of two factor as well. When I set up two factor on a google account, it force logged me out of everything everywhere until I could provide new auth using two factor.

    JRosey Registered User regular
    Yeah the two step is a standard texted password. That's the part that really has me paranoid. That and the lameness of the actual spam (it's for a fat burning pill). I will attempt the total log out but I did already deny all apps and websites access to my account.

    MichaelLC In what furnace was thy brain? Chicago Registered User regular
    Also be sure to check the approved application list for your account as well. It's for things like phone email etc.

    LostNinja Registered User regular
    MichaelLC wrote: »
    Also be sure to check the approved application list for your account as well. It's for things like phone email etc.

    This. With two-factor enabled, it won't have any effect on mobile apps when you change your password because it already forces you to use a specially created password for that specific app.

    puffycow Registered User regular
    When your friends show you the email from "you" is it actually from your email address or do they just display your name and the email address itself is something more random? I know that's a common trick as well.

    BlindZenDriver Registered User regular
    puffycow wrote: »
    When your friends show you the email from "you" is it actually from your email address or do they just display your name and the email address itself is something more random? I know that's a common trick as well.
    That. And also there is no stopping those sending e-mail to pretend they are sending it from whatever address they like and that includes the domain.

    Most spam is actually sent out in a way where the supposed sender is faked, so that is pretty normal, and for someone to repeatedly gain access to a gmail account to do such a thing seems unlikely. Faking an e-mail address is easy; keeping hold of a gmail account is not, except if one has an infected PC.

    OP - are you sure about the thing about someone else logging in on your Google account? Pinpointing from where a login has taken place geographically is not a precise thing, e.g. here in Europe it is not uncommon to be seen as being in a different country.

    Bones heal, glory is forever.
    EclecticGroove Registered User regular
    He did comment that Google states it thinks he's coming in from a Nexus 5, which I assume is not a phone he owns based on that statement (but I could be wrong).

    It's been awhile since I've messed with my gmail, but if there is an app/device with built in permissions that has an already granted access to it, then I don't think the password change itself will do anything as it's already authenticated in a different way. I'd contact google themselves and see if there is a way they can basically revoke all access to your account and require it to all be set up again. Meaning you log in with your two factor, then every device you want to access you need to start the process over on again.

    Rend Registered User regular
    Do you log in from a Nexus 5? If you never use a Nexus 5 to log in this becomes a lot more damning.

    There are two possibilities here.
    1. Your email is not actually compromised. You are logging in from a Nexus 5 that thinks it's elsewhere for some reason I can't really tell. Someone found your contacts list and is sending spam in your name but not from your email address.

    2. Your email is compromised and you're part of a botnet (there is little to no other explanation for you having a compromised email but having no other noticeable adverse effects). There are a million ways this could have happened, but I will echo everyone else's concern regarding you getting two factor authentication. That should essentially stop outsiders from logging into your account without some serious juju.

    It's NOT worth a man-in-the-middle attack to add a computer to a botnet. In fact, it's not worth almost ANY kind of attack to add a computer to a botnet. I would try to give google a call if you can, and try to sort this out. Fortunately it's unlikely you're the victim of identity theft or something else also serious and ongoing, unless the hoodlum in question is incredibly bold. We're talking hide the letter on the mantle level stuff here- if you've got access there's no reason to advertise it for something as cheap as a spam email.

    I would, in either case, try to get with google's customer support and try to sort it out with them. Last resort, exterminatus level "nuke it from orbit" would be to use a 3rd party computer (a friend, preferably someone very infosec conscious) to change your google password, enable 2 factor authentication (with the google app, not with the text message), and then scrub your computer by backing everything up and returning to factory.

    Echo ski-bap ba-dap Moderator mod
    Just so we can get that out of the way: are you checking active sessions at the bottom right on the Gmail page?

    mcp Registered User regular
    Log in to Gmail, and click on the account icon in the upper right hand corner.
    Click on account, click on security.
    Under account permissions, click on view all.
    Revoke anything that looks bananas.

    Not sure if that helps, but it's a place to start.

    JRosey Registered User regular
    I have a nexus 5. I had already denied all permissions. The suspect account access has always happened exactly three days before I start getting "failed delivery" emails from myself. All other account access shows correct device and location. I did not know about the google app as two step - I'll replace my current text set up with that.

    EclecticGroove Registered User regular
    JRosey wrote: »
    I have a nexus 5. I had already denied all permissions. The suspect account access has always happened exactly three days before I start getting "failed delivery" emails from myself. All other account access shows correct device and location. I did not know about the google app as two step - I'll replace my current text set up with that.

    Since it's the same phone type as yours, it may be possible what's compromised is your phone, and not your PC or gmail specifically.

    Draygo Registered User regular
    edited September 2014
    Even more likely it is just a spoof email and there is really nothing you can do about it.

    Have one of your friends forward you the headers of one of the spam mails and see if the mail is truly originating from gmail. I suspect it is not. When you do email from a phone the logged in IP address tends to be from the phone company's datacenter, which can jump around as well.

    Blake T Do you have enemies then? Good. That means you’ve stood up for something, sometime in your life. Registered User regular
    mcp wrote: »
    Log in to Gmail, and click on the account icon in the upper right hand corner.
    Click on account, click on security.
    Under account permissions, click on view all.
    Revoke anything that looks bananas.

    Not sure if that helps, but it's a place to start.

    This is one area.

    Also go to app passwords.

    These are one time generated passwords that you don't need to update if you change your password.

    It's a good feature but can obviously be used in a sneaky way.

    Frem Registered User regular
    if there is an app/device with built in permissions that has an already granted access to it, then I don't think the password change itself will do anything as it's already authenticated in a different way.

    If you have two-factor auth enabled and you change your password, everything you logged into using two-factor auth gets logged out. I just changed my Gmail password a few weeks ago and had to log into all the Google apps on my iPhone again.

    This doesn't apply to the one time passwords that Blake T mentioned.

    JRosey Registered User regular
    Okay school me on spoofing. If that's the case, there's nothing I can do to stop my boss receiving spam email that looks like it's from me? How are they getting my contacts list?

    ASimPerson Cold... and hard. Registered User regular
    Changing the outgoing address in an e-mail is trivially easy. I own a domain name and I get thousands of "spam" e-mails a day from people using fake addresses with my domain name.

    But if your contacts are getting e-mails from "you", then that's a bit more disconcerting.

    Is this still happening after following the advice in this thread (that is, turning on two-step authorization and removing all application passwords)?

    Google has a page with the detailed steps you can follow, though it rehashes a lot of the advice from this thread:
    https://support.google.com/mail/checklist/2986618

    You can also tell Google the details of the e-mails purportedly from you (though they can't/won't respond to individual requests)
    https://support.google.com/mail/answer/50200?hl=en&ref_topic=3406179

    Daimar A Million Feet Tall of Awesome Registered User regular
    Set up a new dummy hotmail/gmail account and add it to your contacts and never use it for anything. If you start getting spam emails to that account from yourself then you know you've got a malicious app or virus on your phone.

    Papillon Registered User regular
    edited October 2014
    JRosey wrote: »
    Okay school me on spoofing. If that's the case, there's nothing I can do to stop my boss receiving spam email that looks like it's from me? How are they getting my contacts list?

    Think of email like a postcard. The "From" address is like the return address; the sender can put whatever they want there. In a practical sense, there's little you can do to stop this -- by examining the email headers (which are usually hidden in the advanced email options) you can sometimes tell if the From: address is forged, but not always.

    It's possible someone could get into your account once, copy your contact list, and then continue sending email that looks like it's from you after you've changed your account password.

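Draygo's and Papillon's advice to look at the headers of one of the "from you" messages can be turned into a small triage check. The Python script below is an added example, not code posted in this thread or provided by Google: it reads the Authentication-Results header that the recipient's own mail server adds (SPF and DKIM verdicts) and the earliest Received: hop, and decides whether the From: address was merely forged or the message was actually relayed through the claimed domain. Both sample messages are constructed, with documentation-range IP addresses and made-up hostnames; the exact header layout is an assumption about what a typical receiving server records.

```python
"""Header triage for a message that claims to come from your account.

Added example, not from the thread. Both messages below are constructed:
hostnames, IPs (documentation ranges) and Authentication-Results values
are made up to contrast a forged From: header with a genuinely relayed one.
"""
import re
from email import policy
from email.parser import BytesParser

# Constructed sample 1: forged. From: claims a Gmail address, but the recipient's
# server recorded SPF fail, no DKIM signature, and a first hop that is not Google.
FORGED = b"""\
Received: from mail.example.org (mail.example.org [203.0.113.7])
\tby mx.recipient.example (Postfix) with ESMTP id ABC123
\tfor <boss@recipient.example>; Mon, 15 Sep 2014 10:00:00 +0000
Authentication-Results: mx.recipient.example;
\tspf=fail smtp.mailfrom=jrosey@gmail.com;
\tdkim=none
From: JRosey <jrosey@gmail.com>
To: boss@recipient.example
Subject: amazing fat burning pill
Message-ID: <constructed-1@mail.example.org>

Buy now.
"""

# Constructed sample 2: genuine. SPF passes for the envelope sender and the DKIM
# signature is made by the same domain as the From: address (DMARC-style alignment).
LEGIT = b"""\
Received: from mail-relay.google.example (mail-relay.google.example [192.0.2.45])
\tby mx.recipient.example (Postfix) with ESMTPS id DEF456
\tfor <boss@recipient.example>; Mon, 15 Sep 2014 10:05:00 +0000
Authentication-Results: mx.recipient.example;
\tspf=pass smtp.mailfrom=jrosey@gmail.com;
\tdkim=pass header.d=gmail.com
From: JRosey <jrosey@gmail.com>
To: boss@recipient.example
Subject: meeting notes
Message-ID: <constructed-2@mail.gmail.com>

See attached.
"""


def from_domain(msg):
    """Domain part of the visible From: address (the part a human sees)."""
    m = re.search(r"@([\w.-]+)", str(msg.get("From", "")))
    return m.group(1).lower() if m else None


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts and the domains they were checked for."""
    res = {"spf": None, "dkim": None, "dmarc": None,
           "spf_domain": None, "dkim_domain": None}
    for hdr in msg.get_all("Authentication-Results", []):
        text = str(hdr)  # folded continuation lines are already joined by the parser
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", text):
            res[method] = verdict.lower()
        m = re.search(r"spf=\w+[^;]*?smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)", text)
        if m:
            res["spf_domain"] = m.group(1).lower()
        m = re.search(r"dkim=\w+[^;]*?header\.d=([\w.-]+)", text)
        if m:
            res["dkim_domain"] = m.group(1).lower()
    return res


def first_hop(msg):
    """Host named in the earliest Received: header (relays prepend, so it is last).

    Only the Received: line written by your own server is trustworthy; here the
    samples contain exactly that one line, so it is what the server saw connect."""
    received = msg.get_all("Received", [])
    if not received:
        return None
    m = re.search(r"from\s+(\S+)", str(received[-1]))
    return m.group(1) if m else None


def assess(raw: bytes) -> dict:
    """Return the key facts plus a verdict: forged From:, genuine, or inconclusive."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    dom = from_domain(msg)
    auth = auth_results(msg)
    spf_aligned = auth["spf"] == "pass" and auth["spf_domain"] == dom
    dkim_aligned = auth["dkim"] == "pass" and auth["dkim_domain"] == dom
    if spf_aligned or dkim_aligned:
        verdict = "likely genuine: message authenticated for the From: domain"
    elif auth["spf"] == "fail" or auth["dkim"] in (None, "none", "fail"):
        verdict = "likely forged From: header; the account itself was probably not used"
    else:
        verdict = "inconclusive: no usable authentication results"
    return {"from_domain": dom, "first_hop": first_hop(msg), "verdict": verdict, **auth}


if __name__ == "__main__":
    for label, raw in (("forged sample", FORGED), ("genuine sample", LEGIT)):
        print(label, assess(raw))
```

A forged result matches what the thread already noticed: the spam never appears in the Sent folder, because it was never sent through the account. A message that authenticates for the From: domain is the case where the account (or an app password issued to it) really was used, and the account-permission and app-password clean-up described earlier in the thread is the right response.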