How was Gmail hacked?
September 12, 2011 6:32 AM   Subscribe

How is my child's Gmail account being used to send spam to his contacts? There has, according to Gmail's Activity Information, been no access from any IP address not known to me.

We discovered this morning that my child's email has been sending spam of the "Hi Dad how are you? Are you interested in making any money? Read this online article! I thank God that I found this opportunity!…" variety for the last two days.

The emails show up in his "sent mail" folder, so we know (don't we?) that they were actually send from his account, rather than using a spoofed sender address.

We changed his password, and I looked at "Activity on this account" to see where the spam was coming from. Nobody has connected to the account in that time period other than through our home IP.

He uses an Android phone, and we use Macs and Firefox at the house.

I will inspect the Android when my child gets home from work to see if apps have given themselves suspect permissions.

I appreciate any insights.

posted by MarkWBennett to Computers & Internet (19 answers total) 2 users marked this as a favorite
Did you scan the computer for viruses?
posted by demiurge at 7:21 AM on September 12, 2011

Check the home PCs for an infection as well.
posted by kjs3 at 7:21 AM on September 12, 2011

Sounds like a joe job to me. This would mean that the spammer never actually touched your child's Gmail account, but just set their own sender data to make it look like they came from him.
posted by baf at 7:23 AM on September 12, 2011

If the messages show up in sent mail, it's not a joe-job. I'd check for infections on your home PCs and the phone, definitely. "The e-mail is coming from inside the house!"
posted by jferg at 7:31 AM on September 12, 2011 [3 favorites]

Best answer: In addition to all of the above, it could also be POP or IMAP --- using an external client instead of logging on to the Gmail web interface. I doubt the activity log would show that.
posted by qxntpqbbbqxl at 7:35 AM on September 12, 2011 [1 favorite]

Also, how secure is your home network? Do you have wi-fi at home, and is it locked down? If someone had latched on to your home network, they could have scavenged username/password info, and the traffic would show up as being from the same IP.
posted by jferg at 7:38 AM on September 12, 2011

So it was sent AFTER you changed up the password? If so, that's a bad sign. Something (either the phone or computer) is infected in a bad way. If you run a virus/malware scan and nothing comes up AND the problem continues, you should really wipe both the computer and the phone and start over.

I'll second the "it's not a joe-job" as well, if it's in the sent items, probably not. I'll also second the two factor auth, but really, I'd say wipe everything and start over.
posted by Blake at 7:38 AM on September 12, 2011

Oh, also, to answer your question "How was Gmail hacked?" They got his user/password somehow, probably no way to know for sure, but either they took it, they guessed it, he gave it to them, they bruteforced it, or they just have a backdoor on one of your machines. They may have taken it from somewhere else in some big data breach. If he used his email as a login at some web site, AND only has one password he uses everywhere, he gave away his email login. He may have fallen for a phising email that installed some kind of backdoor on the computer/phone and they are now in control and are doing whatever they way.
posted by Blake at 7:43 AM on September 12, 2011

>>There's really no need to wipe everything and start over....

Yes, BUT, that doesn't answer the question on HOW they got in to begin with. If there's a backdoor someplace you're in trouble still. I know I'm assuming the worst here, but if he's changed the password and it kept going, that's a bad sign, and a sign of bigger trouble.

Everything odinsdream said is true, I'd just worry about more trouble down the road.
posted by Blake at 8:05 AM on September 12, 2011

Malwarebytes on the computer.
posted by dhartung at 8:11 AM on September 12, 2011

it could also be POP or IMAP ... I doubt the activity log would show that.

It certainly does.

As for how this is being done: I'm thinking infected Windows machine in a nearby house whose teenage child has been locked out of their own wifi and is therefore leeching yours.
posted by flabdablet at 8:11 AM on September 12, 2011 [2 favorites]

notice when they go out in relation to when someone is on a comp.

Also, you have a virus. get something like Kaspersky running on there and you'll be good to go, otherwise just use AVG Free
posted by zombieApoc at 9:54 AM on September 12, 2011

No, please don't use AVGFree.
posted by LuckySeven~ at 10:45 AM on September 12, 2011

If the virus is sophisticated enough, two-factor authentication will do nothing to prevent this from happening
posted by schmod at 10:45 AM on September 12, 2011

That link ("No, please don't use AVGFree.") is for the MS Windows Phone OS, not regular ol' desktop AVG.
posted by Blake at 12:36 PM on September 12, 2011

Seconding qxntpqbbbqxl and flabablet regarding "in sent folder but no unknown IP access"

Regarding userid/password - my guess would be that password was easy to guess and/or deployed across other applications (that is, what Blake said)
posted by southof40 at 2:49 PM on September 12, 2011

Response by poster: Thanks for all the answers. I assumed (!) that the GMail activity log would show POP/IMAP access as well, but it does not. The IP addresses in the spam email headers told a different tale.

Computer and phone are virus-free.

So child gave up his password somewhere that he's embarrassed to tell me about (we've all been there, right?) and someone used it to send out spam.

Two-factor authentication is added, so the problem should not recur.
posted by MarkWBennett at 2:17 PM on September 18, 2011

I know for a fact that the Gmail activity log does show both POP and IMAP access - I've seen it do so for my own Gmail account. Perhaps it fails to show SMTP access?
posted by flabdablet at 7:17 PM on September 18, 2011


Started up Thunderbird with a deliberately broken Gmail IMAP password - only Browser activity shows up in activity log.

Used Thunderbird to send a test message using Gmail SMTP - still only Browser activity in log.

Corrected Thunderbird IMAP password and reconnected - now both Browser and IMAP activity are showing up in the log.

So it looks like the Gmail activity log in fact does not record SMTP activity, which is a pity. Still, you can always track it down using the mail headers, as you have done.
posted by flabdablet at 7:25 PM on September 18, 2011

« Older Can I repost an AP picture on my blog?   |   How much to tip for men's haircut? Newer »
This thread is closed to new comments.