Someone keeps accessing my Gmail

JRoseyJRosey SeattleRegistered User regular
For the past six months someone or something has been accessing my GMail account and sending out spam. Every time I have changed my password to somethig I don't use anywhere else, set up two-step authorization, and have even built a new PC. I can see that someone is accessing my account using Google's recent activity thingy and the IP of the accused jumps from California to Ohio to DC, probably from behind a VPN. Is there anything else I can do besides giving up on my beloved GMail account?

XBL: Cathadal

Posts

  • TychoCelchuuuTychoCelchuuu PIGEON IndiaRegistered User regular
    Jesus. Did your new PC have any files from the old one? I can't really think of how someone is managing this outside of a keylogger. Are you sure they're using your account and not just spoofing it so that it looks like you're sending the messages? Like, the messages show up in your sent folder?

  • JRoseyJRosey SeattleRegistered User regular
    edited September 2014
    The messages don't show up in my sent folder actually, but my friends have shown me the emails they get from me. And like I said - Google certainly thinks I'm logging in from a Nexus 5 in various states when I am in reality not. I did keep one of my old hard drives. Am I super screwed?
    - edit - and a keylogger seems awfully overkill just to send a monthly spam email.

    JRosey on
    XBL: Cathadal
  • MichaelLCMichaelLC In what furnace was thy brain? ChicagoRegistered User regular
    How can they bipass two-factor? Assume you mean you set a password then require a text to your phone for access?

    I'm on tablet so can't check, but believe there's a "log out of everything" option/button. Maybe set up new info on friend's machine, log out of all Google services and see what happens.

    "Never believe management about anything anywhere." -Aistan
    EchoZilla360
  • zerzhulzerzhul Registered User, Moderator mod
    Yeah, I'm pretty surprised by the bypassing of two factor as well. When I set up two factor on a google account, it force logged me out of everything everywhere until I could provide new auth using two factor.

    Echo
  • JRoseyJRosey SeattleRegistered User regular
    Yeah the two step is a standard texted password. That's the part that really has me paranoid. That and the lameness of the actual spam (its for a fat burning pill). I will attempt the total log out but I did already deny all apps and websites access to my account.

    XBL: Cathadal
  • MichaelLCMichaelLC In what furnace was thy brain? ChicagoRegistered User regular
    Also be sure to check the approved application list for your account as well. It's for things like phone email etc.

    "Never believe management about anything anywhere." -Aistan
    LostNinjaInquisitor77
  • LostNinjaLostNinja Registered User regular
    MichaelLC wrote: »
    Also be sure to check the approved application list for your account as well. It's for things like phone email etc.

    This. With with two factor enabled, it won't have any affect on mobile apps when you change your password because it already forces you to use a specially created password for that specific app.

  • puffycowpuffycow Registered User regular
    When your friends show you the email from "you" is it actually from your email address or do they just display your name and the email address itself is something more random? I know that's a common trick as well.

    FrankForum-1.jpg
    GonmunPacificstarSkeith
  • BlindZenDriverBlindZenDriver Registered User regular
    puffycow wrote: »
    When your friends show you the email from "you" is it actually from your email address or do they just display your name and the email address itself is something more random? I know that's a common trick as well.
    That. And also there is no stopping those sending e-mail to pretend they are sending it from whatever address they like and that includes the domain.

    Most spam is actually sent out in a way where the supposed sender is faked, so that is pretty normal and for someone to repeatedly gain access to a gmail account to do such a thing seems unlikely. Faking a e-mail address is easy, not keeping hold of a gmail account except if one has a infected PC.

    OP - are you sure about the thing about someone else logging in on you google-account? Pinpointing from where login has taken place geographically is not a precise thing fx. it here in Europe it is not uncommon to be seen as being in a different country.

    Bones heal, glory is forever.
  • EclecticGrooveEclecticGroove Registered User regular
    He did comment that Google states it thinks he's coming in from a Nexus 5, which I assume is not a phone he owns based on that statement (but I could be wrong).

    It's been awhile since I've messed with my gmail, but if there is an app/device with built in permissions that has an already granted access to it, then I don't think the password change itself will do anything as it's already authenticated in a different way. I'd contact google themselves and see if there is a way they can basically revoke all access to your account and require it to all be set up again. Meaning you log in with your two factor, then every device you want to access you need to start the process over on again.

  • RendRend Registered User regular
    Do you log in from a Nexus 5? If you never use a Nexus 5 to log in this becomes a lot more damning.

    There are two possibilities here.
    1. Your email is not actually compromised. You are logging in from a nexus 5 that thinks it's elsewhere for some reason I can't really tell. Someone found your contacts list and is sending spam in your name but not from your email address.

    2. Your email is compromised and you're part of a botnet (there is little to no other explanation for you having a compromised email but having no other noticeable adverse effects). There are a million ways this could have happened, but I will echo everyone else's concern regarding you getting two factor authentication. That should essentially stop outsiders from logging into your account without some serious juju.

    It's NOT worth a man-in-the-middle attack to add a computer to a botnet. In fact, it's not worth almost ANY kind of attack to add a computer to a botnet. I would try to give google a call if you can, and try to sort this out. Fortunately it's unlikely you're the victim of identity theft or something else also serious and ongoing, unless the hoodlum in question is incredibly bold. We're talking hide the letter on the mantle level stuff here- if you've got access there's no reason to advertise it for something as cheap as a spam email.

    I would, in either case, try to get with google's customer support and try to sort it out with them. Last resort, exterminatus level "nuke it from orbit" would be to use a 3rd party computer (a friend, preferably someone very infosec conscious) to change your google password, enable 2 factor authentication (with the google app, not with the text message), and then scrub your computer by backing everything up and returning to factory.

    Tofystedeth
  • EchoEcho Moderator mod
    Just so we can get that out of the way: are you checking active sessions at the bottom right on the Gmail page?

    Echo wrote: »
    Let they who have not posted about their balls in the wrong thread cast the first stone.
  • mcpmcp Registered User regular
    Log in to Gmail, and click on the account icon in the upper right hand corner.
    Click on account, click on security.
    Under account permissions, click on view all.
    Revoke anything that looks bananas.

    Not sure if that helps, but it's a place to start.

    walrus.png
    CambiataLostNinjaEchoZilla360
  • JRoseyJRosey SeattleRegistered User regular
    I have a nexus 5. I had already denied all permissions. The suspect account access has always happened exactly three days before I start getting "failed delivery" emails from myself. All other account access shows correct device and location. I did not know about the google app as two step - I'll replace my current text set up with that.

    XBL: Cathadal
  • EclecticGrooveEclecticGroove Registered User regular
    JRosey wrote: »
    I have a nexus 5. I had already denied all permissions. The suspect account access has always happened exactly three days before I start getting "failed delivery" emails from myself. All other account access shows correct device and location. I did not know about the google app as two step - I'll replace my current text set up with that.

    Since it's the same phone type as yours, it may be possible what's compromised is your phone, and not your PC or gmail specifically.

    AiouaZilla360Cambiata
  • DraygoDraygo Registered User regular
    edited September 2014
    Even more likely it is just a spoof email and there is really nothing you can do about it.

    Have one of your friends forward you the headers of one of the spam mails and see if the mail is truly originating from gmail. I suspect it is not. When you do email from a phone the logged in IP address tends to be from the phone companies datacenter, which can jump around as well.

    Draygo on
    Pacificstar
  • Blake TBlake T Registered User regular
    mcp wrote: »
    Log in to Gmail, and click on the account icon in the upper right hand corner.
    Click on account, click on security.
    Under account permissions, click on view all.
    Revoke anything that looks bananas.

    Not sure if that helps, but it's a place to start.

    This is one area.

    Also go to app passwords.

    These are one time generated passwords that you don't need to update if you change your password.

    It's a good feature but can obviously be used in a sneaky way.

  • FremFrem Registered User regular
    if there is an app/device with built in permissions that has an already granted access to it, then I don't think the password change itself will do anything as it's already authenticated in a different way.

    If you have two-factor auth enabled and you change your password, everything you logged into using two-factor auth gets logged out. I just changed my Gmail password a few weeks ago and had to log into all the Google apps on my iPhone again.

    This doesn't apply to the one time passwords that Blake T mentioned.

  • JRoseyJRosey SeattleRegistered User regular
    Okay school me on spoofing. If that's the case, there's nothing I can do to stop my boss receiving spam email that looks like it's from me? How are they getting my contacts list?

    XBL: Cathadal
  • ASimPersonASimPerson Cold... ... and hard.Registered User regular
    Changing the out-going address in an e-mail is trivially easy. I own a domain name and I get thousands of "spam" e-mails a day from people using fake addresses with my domain name.

    But if your contacts are getting e-mails from "you", then that's a bit more disconcerting.

    Is this still happening after following the advice in this thread (that is, turning on two-step authorization and removing all application passwords)?

    Google has a page with the details steps you can follow, though it rehashes a lot of the advice from this thread
    https://support.google.com/mail/checklist/2986618

    You can also tell Google the details of the e-mails purportedly from you (though they can't/won't respond to individual requests)
    https://support.google.com/mail/answer/50200?hl=en&ref_topic=3406179

    redoctober2.png
    SE++ Forum Battle Archive | PDT is not PST | DRUNKSTUCK: A Homestuck recap
    a5ehren
  • DaimarDaimar A Million Feet Tall of Awesome Registered User regular
    set up a new dummy hotmail/gmail account and add it to your contacts and never use it for anything. If you start getting spam emails to that account from yourself then you know you've got a malicious app or virus on your phone.

    steam_sig.png
    twitch.tv/kragaar
    a5ehrenJaysonFourAgentBryant
  • PapillonPapillon Registered User regular
    edited October 2014
    JRosey wrote: »
    Okay school me on spoofing. If that's the case, there's nothing I can do to stop my boss receiving spam email that looks like it's from me? How are they getting my contacts list?

    Think of email like a postcard. The "From" address is like the return address; the sender can put whatever they want there. In a practical sense, there's little you can do to stop this -- by examining the email headers (which are usually hidden in the advanced email options) you can sometimes tell if the From: address is forged, but not always.

    It's possible someone could get into your account once, copy your contact list, and then continue sending email that looks like it's from you after you've changed your account password.

    Papillon on
Sign In or Register to comment.