

Ask HN: How to find an attacker? Gmail hacked; prior work spearphishing attempts - tmphckdacct

Hi all -- I'm a longtime HN reader/user writing this from a new anonymous account to describe an incident this AM and ask for any tips / tricks. Many thanks in advance for the help.

This morning I woke to find my mobile not connecting to my Gmail account. After trying to log on on my computer, it became clear that my password had been unknowingly changed late last night (~2am) due to activity logged in from a foreign IP address.

I've changed my password and performed a range of other items from the Google security checklist, but am wondering specifically: What can I do using the provided IP to try and determine the origin of the attack?

While it's likely nothing, I am concerned as I have been the target of a number of sophisticated spearphishing attacks against my work e-mail.

One additional detail: I did log in a few hours beforehand on my computer over an unsecured Wi-Fi network. However, I do have "Always use HTTPS" on in Gmail.

Again, greatly appreciate any advice. Thanks.
======
brokentone
Tracking down an attacker may not be possible or worth your time. You can do
the basic geolocation and rwhois stuff on the IP, but more than likely it's
not the origin. The attacker probably is bouncing through Tor or another proxy
solution.

Also, I believe to change a password on Google you have to reauth with your
current password, which never would have been transmitted in cleartext. Unless
you had a MITM attack with one of those compromised certs in the wild, but
you've removed your DigiNotar certs, right? It's more likely that your
password was guessed or taken from somewhere else. I would change any other
accounts which might share that password.

Steps for now: turn on 2 method authentication!! Check your outbox and deleted
folders for any shenanigans, although if the attacker knew what they were
doing they would have deleted any trace of anything they would have done.

~~~
tmphckdacct
Thanks -- have added 2 factor authentication and swapped passwords.
Fortunately I used a unique password for my e-mail.

I _hadn't_ removed the DigiNotar certs (ack). Any thoughts on the availability
of those certs beyond the original attackers?

Thanks again.

~~~
tmphckdacct
To clarify: for some reason these certs were not in my system keychain
manager, but were within Firefox's trusted SSL certs.
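As an added example that is not part of this thread: a small POSIX shell script that audits Firefox's own NSS certificate store (the one that still held the DigiNotar roots above) for a CA name and prints the certutil command that marks each match as explicitly distrusted. It assumes the NSS tools (`certutil`) are installed and that profiles live in the usual Linux or macOS locations; the parsing function itself needs nothing else.

```shell
#!/bin/sh
# Audit Firefox NSS cert databases for a CA (default: DigiNotar) and show how to
# distrust each match. Added example; assumes NSS `certutil` is on PATH.

# Parse `certutil -L` output on stdin; print nicknames whose name matches $1.
# Output format: a two-line header, then "<nickname>   <trust attrs>" rows,
# where the nickname may contain spaces and trust attrs look like "C,C,C".
find_ca_nicknames() {
    pattern=$1
    awk -v pat="$pattern" '
        NR <= 2 || NF == 0 { next }                 # skip header and blank rows
        tolower($0) ~ tolower(pat) {
            sub(/[[:space:]]+[A-Za-z,]*$/, "")     # drop the trust-attribute column
            print
        }'
}

# Emit one "<prefix>:<dir>" database spec per Firefox profile found.
# cert9.db is the SQLite store (sql:), cert8.db the legacy Berkeley store (dbm:).
firefox_db_specs() {
    for db in "$HOME"/.mozilla/firefox/*/cert9.db \
              "$HOME"/.mozilla/firefox/*/cert8.db \
              "$HOME/Library/Application Support/Firefox/Profiles"/*/cert9.db; do
        [ -f "$db" ] || continue
        case $db in *cert9.db) prefix=sql ;; *) prefix=dbm ;; esac
        printf '%s:%s\n' "$prefix" "$(dirname "$db")"
    done
}

# List matching certs in one database and print the command that sets their
# trust flags to p,p,p (prohibited), which is how a built-in root is distrusted.
audit_db() {
    spec=$1; ca=$2
    certutil -L -d "$spec" 2>/dev/null | find_ca_nicknames "$ca" |
    while IFS= read -r nick; do
        printf '%s: %s\n' "$spec" "$nick"
        printf '  to distrust: certutil -M -d "%s" -n "%s" -t "p,p,p"\n' "$spec" "$nick"
    done
}

main() {
    command -v certutil >/dev/null 2>&1 || { echo "certutil (NSS tools) not found" >&2; return 1; }
    firefox_db_specs | while IFS= read -r spec; do audit_db "$spec" "${1:-DigiNotar}"; done
}

# Run the audit only when invoked as `sh audit_ff_certs.sh --run [CA name]`.
if [ "${1:-}" = --run ]; then main "${2:-DigiNotar}"; fi
```

Note that a "Builtin Object Token:" entry cannot be deleted with `certutil -D`; changing its trust flags is the supported way to distrust it, and Firefox has to be restarted afterwards.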

------
JoachimSchipper
Chasing down the attacker is not easy.

Note that pretty much every service will let anyone who controls your e-mail
address in (via password reset, if they didn't send your password in plain
text in the first place.) You have a lot more work to do.

