Saturday, March 19, 2011

Gmail account hijacking

I've just spent the morning helping a friend recover from having her Gmail account hijacked. I still haven't discovered a root cause, but the initial symptom was when I received this email from her:

My apologies for any troubles this might cause you. This is quite strange and funny. Actually I came down here to England in the UK for a brief trip and unfortunately I was mugged at the park on my way to the hotel where I lodged, with all my cash, credit card and cell phone stolen from me but luckily for me I still have my passports.

I've been to the embassy and the Police here haven't been quite helpful enough. My flight leaves shortly from now but I'm having problems paying the hotel bills and the hotel manager here won't let me leave until I pay up the bills. I was hoping if you could loan me some quick cash that I can pay back as soon as I get back. I really need your help from here on out.



Since I knew my friend wasn't in England, there was clearly a problem. Looking at the mail headers, I noticed that the reply-to address was friendsID@ymail.com. Clearly a phishing attempt.
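The header check described above, as an added example that is not part of the original post: it parses a message with Python's standard email module and flags a Reply-To that points at a different mailbox (or a different domain) than the From address, which is the tell-tale sign in this case. The sample message is constructed for the example; the addresses in it are placeholders, not the real ones.

```python
"""Flag mail whose Reply-To has been redirected away from the From address.

Added example, not code from the original post. The message below is
constructed to mimic the pattern described: From is the friend's Gmail
address, Reply-To is a look-alike mailbox on another provider.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (headers plus a one-line body); addresses are placeholders.
SAMPLE_MESSAGE = """\
From: "A Friend" <friend.id@gmail.com>
Reply-To: friend.id@ymail.com
To: me@example.com
Subject: Urgent help needed
Date: Sat, 19 Mar 2011 09:00:00 +0000

I'm stranded in England and need a quick loan...
"""


def extract_addresses(raw):
    """Return (from_address, reply_to_address), lower-cased.

    reply_to_address is None when the message carries no Reply-To header.
    parseaddr() strips display names such as "A Friend" <...>.
    """
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_to_header = msg.get("Reply-To")
    reply_to = parseaddr(reply_to_header)[1].lower() if reply_to_header else None
    return from_addr, reply_to


def domain_of(address):
    """Return the part after the last '@', or '' for a malformed address."""
    return address.rsplit("@", 1)[-1] if "@" in address else ""


def reply_to_mismatch(raw):
    """Return a short reason string when Reply-To diverts replies to a
    different mailbox than From; return None when the headers agree.

    A Reply-To on a different domain is reported separately because it is
    the stronger signal: replies would leave the sender's provider entirely.
    """
    from_addr, reply_to = extract_addresses(raw)
    if not reply_to or reply_to == from_addr:
        return None
    if domain_of(reply_to) != domain_of(from_addr):
        return (f"Reply-To {reply_to} is on a different domain "
                f"than From {from_addr}")
    return f"Reply-To {reply_to} differs from From {from_addr}"


if __name__ == "__main__":
    # Prints the mismatch reason for the constructed sample.
    print(reply_to_mismatch(SAMPLE_MESSAGE))
```

A legitimate Reply-To (a mailing list, a shared support mailbox) will also trip this check, so treat a hit as a prompt to confirm with the sender out of band rather than as proof of compromise; the same check can be pointed at an exported mailbox to find earlier messages that used the same redirection.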


Shortly thereafter I was contacted by said friend for help regaining access to her gmail account.


This turned out to be a bit tricky. The first thing I needed was an email account to be used for recovery purposes. Setting one up at gmail is possible, but non-obvious, since the normal account creation links at gmail all require an existing email address. Eventually I discovered this link to create a gmail account without an existing email account.


Once this was set up, we could then work through the gmail procedure for regaining access to your account if you think it's been compromised.


A crucial piece of this involved email forwarding - something it would not have occurred to me to check if it hadn't been on Google's list of issues. Gmail allows you to forward mail to other addresses; my friend's account had been configured to forward mail to a yahoo account and had POP access enabled. As soon as she regained access to the account we immediately disabled both.


The account was also configured with a reply-to address of friendsID@ymail.com. Pretty sneaky.


Unfortunately, it appears that her inbox is GONE; I don't know if gmail has any sort of recovery option. Luckily her contacts survived, but this highlights the value of periodically exporting your contact information out of gmail.


Update: I notified Yahoo (via their abuse reporting page) that an account is being used to conduct fraud. I got back a canned response, and it was obvious that my detailed description hadn't been read. Thanks, Yahoo.