

Gmail hack – how was it done? - pierrel2

My daughter's Gmail was apparently hacked (spam was sent to all her contacts) - how was it done? Here are some relevant facts:
1) she had 2-factor authentication (using SMS) in place for months before the incident.
2) the access log on Gmail shows only accesses from her home computer and her phone.
3) home computer is a Mac with Apple Mail - no viruses found on the machine
4) iPhone Mail is also connected to her Gmail.

What's the most likely attack vector?
======
2510c39011c5
I think we need more detailed information to identify the cause of the
spamming... There could be several strategies to spam her contacts with her
account, even with the facts that you listed (assuming fact No. 3 really is
what it appears to be, as virus detection itself is an open problem -- and in
theory this problem is indeterministic).

2-factor authentication (with SMS) in place should be able to rule out the
possibility of her account being accessed somewhere else, other than the
computer and smartphone she uses. But there is also the possibility that
someone else obtained all the contacts in your daughter's Gmail, and then sent
spam with a fake originating mail server. The critical path for this attack
strategy does not involve 2-factor authentication or your machines.

Another scenario could be that her iPhone has been compromised and hence has
all the information stored on it exposed to the attacker, including the SMS
(and once the attacker obtained control of the iPhone, he/she could delete the
text message and erase the trail after the attack). You need to check the SMS
record with the telecommunication SP to see if there was any text message
containing the 2-factor password sent from Google to your daughter's number.

But in case either your daughter's Mac or iPhone has a virus on it, and you
failed to find it (which could happen to anyone), this could be another
possible cause.

At this time, perhaps we could also do several other things to mitigate the
impact of this attack...

1) all the contacts she cares about should be alerted about this account
compromise (there have been cases in the past where compromised accounts have
been used to swindle money).

2) change the Gmail password.

3) check the vacation responder (e.g. auto-response) of the Gmail account
(Gmail settings -> General -> Vacation responder) to see if it has been cleared.

4) set a different mail signature for each of the different mail clients she
uses (this could be done through each mail client's own configuration), and
also the signature for the Gmail account (Gmail settings -> General ->
Signature), in the sense of marking the different critical paths of sending
mail. So next time we could find out where (in terms of the apps and client)
the spam is sent from, in case it happens again.

------
enhdless
It could've been email spoofing[1], where the attacker sends an email with a
worm and makes it look like it was sent from a friend. Once the email is
opened by the recipient, the worm sends a similar email to the recipient's
contacts, which continues to spread the spam.

[1]
[http://en.wikipedia.org/wiki/E-mail_spoofing](http://en.wikipedia.org/wiki/E-mail_spoofing)
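
One way to tell a spoofed message from one that really left the account is to ask a recipient for the raw headers of the spam and read the `Authentication-Results` header their mail server added. The sketch below is an added example, not part of any comment in this thread; both sample messages and the host names in them are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples: one message that passed the From domain's checks,
# one that was forged from an unrelated server.
GENUINE = """\
Authentication-Results: mx.example.net;
 dkim=pass header.d=gmail.com; spf=pass smtp.mailfrom=gmail.com;
 dmarc=pass header.from=gmail.com
From: Alice <alice@gmail.com>
Subject: hi

body
"""
SPOOFED = """\
Authentication-Results: mx.example.net;
 dkim=none; spf=softfail smtp.mailfrom=bulk.example.org;
 dmarc=fail header.from=gmail.com
From: Alice <alice@gmail.com>
Subject: look at this

body
"""

def auth_results(raw):
    """Return the spf/dkim/dmarc verdicts and the From domain of a raw message."""
    msg = message_from_string(raw)
    # Only the header added by the recipient's own server is trustworthy;
    # it is normally the top-most one, so the first verdict per method wins.
    header = " ".join(msg.get_all("Authentication-Results", []))
    found = {m: "missing" for m in ("spf", "dkim", "dmarc")}
    for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header):
        if found[method] == "missing":
            found[method] = result.lower()
    addr = parseaddr(msg.get("From", ""))[1]
    found["from_domain"] = addr.rpartition("@")[2].lower()
    return found

def classify(raw):
    """'sent-via-provider' if DMARC and SPF or DKIM passed, else 'likely-spoofed'."""
    r = auth_results(raw)
    if r["dmarc"] == "pass" and "pass" in (r["spf"], r["dkim"]):
        return "sent-via-provider"
    return "likely-spoofed"

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(name, classify(raw), auth_results(raw))
```

A "sent-via-provider" verdict means the spam went through servers authorised for the From domain, which points at the account itself or an application granted access to it rather than at a forged sender.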

------
davidcollantes
It could have been that spam was sent to all her contacts, from _her contacts'_
machines. Another possible explanation: has she granted access to her Google
account to sites? You know, "log in with your Google Account". Some permissions
are "access your contacts."

~~~
davidcollantes
See
[https://support.google.com/accounts/answer/3466521?hl=en](https://support.google.com/accounts/answer/3466521?hl=en)

------
gesman
She signed up to some pseudo-social crappy network where in the process she
was asked if she wants to notify her contacts about her new status or so, and
was presented with a Gmail logo and login screen.

Or she gave some app the rights to access her Gmail contacts.

------
Misiek
She probably registered on a forum or some other portal and she used her email
with the same Gmail password. And then the data (list of emails and passwords)
from the forum/portal leaked. Ask her if she uses the one password for all
accounts.

~~~
duiker101
And that's why she has 2-factor auth.

