Tuesday, July 13, 2010

How to deal with your email being hijacked

Last night I received an email question from a financial advisor. Heather asked me if I planned to fill it out and email it back to which I responded no, public email like gmail isn't secure. Little did I know I would wake up and experience that first hand. This morning I started at the gym around 5 AM and got back home about 6:10 AM. I sat down an cracked open my laptop a little while later to see over a hundred unread messages bounced emails.


I quickly realized my email address was being hijacked. The first thing I needed to figure out was whether someone was spoofing my email address (think of it as someone putting the return address on an envelope to be your address rather than their address) or had they hijacked my gmail account. I looked and saw familiar addresses being bounced back to me, letting me know that someone had hijacked my account specifically.

Within 5 minutes after figuring this out I had locked them out of my account, 14 minutes since they began. They sent hundreds of emails in that time but I don't think they would have had the time to reset my banking passwords or other important information. What I realized was that I should write a simple guide to how to lock out the hijackers for my friends and family since this is happening with increasing regularity.

Here is what to do if you suspect your Gmail is being hijacked:


1. Immediately change your password. Go to http://google.com/accounts and change your password. This locks out most basic scripts (thanks to the lack of Cookie support) or anyone using POP/IMAP. Don't spend a lot of time thinking of a new password, use your old password with a number at the end or your address. You can make a stronger password later - right now you are just trying to stop the script.

2. Next, check and see if you need to log anyone out. To do that, go to bottom of your email and click on the details of the last account activity:


You will see a popup with a button at the top that says Sign out all other sessions. Click that immediately.


You can see the China address which was my hijacker. The emails stopped once I changed my password which means he probably was running a script of some sort but I clicked Sign out all other sessions to make sure.

3. Check your Gmail settings for changes. My hijacker set my vacation responder to respond to every email with some message.

4. Check your machine for spyware. They may have gotten your password through spyware. Also, check the URLs you log in to your email through to make sure they didn't do some URL hijacking which allowed them to capture your password.

Update 7/13/2010 11:30 AM: Google's help page on suspicious activity itself lists some spyware checkers.



5. Finally, change your password to something strong again. Log out, and log back in.

So, how can the hijackers get to your email? Here are a couple of ways:

1. Packet sniffing - we often send our google passwords over http (not https) which means that they are essentially in the clear for people to see as they pass over the internet. They may also try to grab your cookie and make it look like they are you through packet sniffing.

2. Bad web page exploits. This could be what they call cross site scripting (XSS) or any number of other attacks to steal your password.

3. Spyware. Spyware on your machine can capture keystrokes or packets.

4. Other sites that store your Gmail password get hacked and lose your data.

5. Gmail exploits (doubtful). If there was some exposure on Google's servers, they could use this to log in.

6. Password crackers (even more doubtful). Only really works in movies :-)




Update: 7/13/2010 11:30 AM
Four hours later, Google notified me that I had suspicious activity on my Gmail. I am glad they caught it even if it was 4 hours after I had caught it.

4 comments:

Bert said...

Great article, Erik. What do you think the odds are that Google will do something to address this problem?

Erik Burckart said...

Every solution brings about other problems which can lead to bad press. The best solution which is what I think they will do is to make it even easier to follow a process like I did. They did notify me 4 hours later of potential problems and had instructions on how to remedy the issues. I think they will further automate the solution, make it faster to notify someone of problems... but never fully stop the hijacking unfortunately. Its like credit card fraud detection...there is only so much you can do without limiting usage in undesirable ways.

Jeanne B said...

Thanks, Erik! Your Mom sent me a link to your blog and I found it very helpful. She knew that I had had the same thing happen yesterday morning only mine came from Nigeria instead of China. 'Wish I'd had your blog yesterday. It would have sped up the process of clearing up the mess!

Aditya Desai said...

Thanks from me too. Google reported suspicious activity from my wife's email account. I used your steps to find a suspicious logon from Ireland!! There seemed to be no other damage tho'. Hopefully things are back to normal now that we've changed her pw and logged off all other accounts.

- Aditya