I’ve written in the past that my Hotmail account has been hacked twice. I think it was either due to an insecure wireless network or because of a WordPress vulnerability. In either case, I was able to track the spammer (or at least the accessing IP) to a guy in Thailand.
Today, my girlfriend asked me a question: why do I have so much spam in my inbox? My initial thought was that it was due to the Epsilon breach – she subscribed to some mailing lists managed by them, and a spammer started spewing out piles of spam with her address among the targets. Yet I didn’t really think this was the case, as she doesn’t subscribe to very many services.
I went and took a look at her computer and Gmail account, and in five seconds I was able to diagnose what had happened – she had been hacked. Most of the messages in her inbox were bounce messages with spammy subject lines, and opening one showed the original spam attached, returned to her as the apparent sender. I recognized this as the same thing that happened when a spammer hacked my account: they sent spam from it and some of it bounced back to me. That’s one thing backscatter is good for, telling you when your account has been compromised (provided your antispam service’s backscatter mitigation lets through bounces for mail that really did leave your account while filtering the fake bounces for messages that merely forged your address).
One thing about Gmail that irks me is that when you look at the raw message headers, they don’t tell you the IP address of the web client that logged in and sent the message. Hotmail puts the client’s IP into the X-Originating-IP header, and Yahoo Mail puts it into a Received header. If you use Gmail through a mail client (POP/SMTP rather than the web interface), they add your connecting IP to a Received header, but not if you log in to the web interface directly. Thus, when I checked my mail account and saw spam from my girlfriend (I’m in her address book), I could look at the raw source, but all I saw was a bunch of IPs in the 10.0.0.0/8 range. Yeah, that’s useful. It tells me that someone probably logged into her account and sent spam, but I’m not sure of all the scenarios in which Gmail doesn’t expose this IP. One thing I do know is that this is one of them.
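To make the header-reading step concrete, here is a small script (added here as an example; it is not from the original post) that walks the Received chain of a raw message oldest hop first, separates the provider’s internal 10.0.0.0/8-style hops from the first externally routable address, and checks for an X-Originating-IP header. The two sample messages are constructed for the example and use documentation-only IP ranges; the Gmail-style one shows why you end up with only internal addresses and the provider’s outbound MTA, while the Hotmail-style one exposes the webmail client’s address directly.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample headers (not real messages; documentation-only IP ranges).
# Gmail-style: the only hops before the public outbound MTA are the provider's
# internal 10.0.0.0/8 addresses. The webmail client's own address never appears.
GMAIL_STYLE = """\
Received: from mail-example.example.net (mail-example.example.net [203.0.113.25])
        by mx.recipient.example with ESMTP id abc123
        for <me@recipient.example>; Mon, 11 Apr 2011 09:15:02 -0700 (PDT)
Received: by 10.223.84.196 with SMTP id k4mr1234567fal.3;
        Mon, 11 Apr 2011 09:15:01 -0700 (PDT)
Received: by 10.223.72.131 with HTTP; Mon, 11 Apr 2011 09:15:00 -0700 (PDT)
From: girlfriend@example.com
To: me@recipient.example
Subject: cheap pills
Date: Mon, 11 Apr 2011 09:15:00 -0700

(body)
"""

# Hotmail-style: the webmail client's address is exposed in X-Originating-IP.
HOTMAIL_STYLE = """\
Received: from snt0-omc2-s4.snt0.example ([198.51.100.7])
        by mx.recipient.example with ESMTP; Mon, 11 Apr 2011 09:20:00 -0700 (PDT)
X-Originating-IP: [192.0.2.44]
From: someone@example.com
To: me@recipient.example
Subject: hi
Date: Mon, 11 Apr 2011 09:20:00 -0700

(body)
"""

# Dotted-quad IPv4 literal not embedded in a longer number or hostname label.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Explicit RFC 1918 + loopback + link-local list. ipaddress.is_private would
# also flag the documentation ranges used in the samples, so we don't use it.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def is_internal(ip):
    """True if the address is in a non-routable range (provider-internal hop)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def hop_ips(raw):
    """IPv4 addresses per Received header, oldest hop first.

    Received headers are prepended by each relay, so the bottom one is the
    first hop; we reverse to read the path in the order the mail travelled.
    """
    msg = message_from_string(raw)
    return [IPV4_RE.findall(hop) for hop in reversed(msg.get_all("Received") or [])]


def originating_ip(raw):
    """Client address from X-Originating-IP, if the provider adds one."""
    value = message_from_string(raw).get("X-Originating-IP")
    match = IPV4_RE.search(value) if value else None
    return match.group(1) if match else None


def sent_via_webmail(raw):
    """Gmail marks the web-interface hop as 'with HTTP' in a Received header."""
    msg = message_from_string(raw)
    return any("with HTTP" in hop for hop in msg.get_all("Received") or [])


def analyse(raw):
    """Summarise what the headers do and do not reveal about the sender."""
    flat = [ip for hop in hop_ips(raw) for ip in hop]
    internal = [ip for ip in flat if is_internal(ip)]
    external = [ip for ip in flat if not is_internal(ip)]
    return {
        "originating_ip": originating_ip(raw),
        "internal_hops": internal,
        # For webmail-sent Gmail this is the provider's outbound MTA, not the client.
        "first_external_hop": external[0] if external else None,
        "via_webmail": sent_via_webmail(raw),
    }


if __name__ == "__main__":
    for label, raw in (("gmail", GMAIL_STYLE), ("hotmail", HOTMAIL_STYLE)):
        print(label, analyse(raw))
```

For the Gmail-style sample the result has no originating IP, two internal hops, and a first external hop that is only the provider’s edge MTA, which is exactly the dead end described above; for the Hotmail-style sample the X-Originating-IP value gives you the client address to look up.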
But Gmail makes up for this deficiency with a handy little feature: the last account activity page shows the last 10 times your account was accessed, and from which IP address. I opened that page in her account and saw three different IP addresses. Looking them up on DNS Stuff, I saw that my g/f had logged in from work, from home, and one other time from Illinois.
Seeing as how we are in Seattle and this login was from Illinois, I surmised pretty quickly that the spammer was located there, or at the very least was using a hacked machine in Illinois to log in to Gmail. I then saw that the time stamp of that login was the same as the time stamp on the message I received. My g/f had deleted all of the spam messages in her Inbox and Sent folders, but I recalled (using my super memory) that the messages were all sent at about the same time as the login, which suggests some sort of automated script was used to send them. The spammer had been in the account for less than an hour before we noticed.
I advised her to change her password, and she did so. I suggested that if she uses that username and password combination elsewhere on the web, she should change those, too. Borrowing a page from my playbook, she expressed some rage at this spammer who would dare to do such a thing. Seriously, what a jerk.
I did a quick malware scan on her computer and it came up negative. I don’t know where her credentials could have been compromised; it’s possible that the workstation at her work has some malware on it. It doesn’t matter, though. She’s now more cyber aware than she otherwise would have been without this incident.
This is why I’m still in the business. It’s my goal in life to put myself out of a job by ensuring that spammers cannot make money doing what they are doing.