FlyerTalk Forums

FlyerTalk Forums (https://www.flyertalk.com/forum/index.php)
-   Travel Technology (https://www.flyertalk.com/forum/travel-technology-169/)
-   -   compromised GMail account (https://www.flyertalk.com/forum/travel-technology/942432-compromised-gmail-account.html)

Gargoyle Apr 11, 2009 6:24 pm

compromised GMail account
 
My daughter was poking around her gmail settings and noticed that forwarding was enabled. Her address uses a combination of her initial and name, and the forwarding was to the same with the number 2 after the name. She never set that up, and that isn't her account.

She immediately disabled it and changed her PW, but we have no idea how long that has been enabled, or whether that other address is a valid non-bouncing address.

Is there any way to contact GMail tech/security support? We spent 10 minutes digging through their site, finally found a contact form for lost passwords. We want to find out:
A. is that a valid account which has rec'd copies of all her e-mails?
B. how long has this been going on?

altaskier Apr 11, 2009 6:56 pm

Sorry to hear. Not sure if Google provides any telephone support.

If your daughter is using a mail client like Outlook on Windows or Mail on the Mac, is she using SSL (secure sockets layer) for her connection? She might also consider using IMAP instead of POP.
http://mail.google.com/support/bin/t...en&topic=12806

Gargoyle Apr 11, 2009 7:10 pm


Originally Posted by altaskier (Post 11566470)
Sorry to hear. Not sure if Google provides any telephone support.

If your daughter is using a mail client like Outlook on Windows or Mail on the Mac, is she using SSL (secure sockets layer) for her connection? She might also consider using IMAP instead of POP.
http://mail.google.com/support/bin/t...en&topic=12806

No, she's on a PC and using webmail, not pop.

There were a couple of occasions at work when people maybe could have accessed it, but none of the possibilities make sense. We tried thinking through all the possibilities.

The address it was being forwarded to is a valid address. It could have gotten set up accidentally at one point (when someone else was working with her on a different work related gmail account, and could have been logged on to her personal one by accident) but that's still a stretch.

LIH Prem Apr 11, 2009 10:04 pm

Change your daughter's gmail settings so the browser connection is always using https by default.

It's on the bottom of the first settings page on the web interface.

-David

TA Apr 11, 2009 10:27 pm

I doubt you will get much help from the Gmail admin staff. From an outsider's perspective, you could be anyone, claiming that your mail was forwarded without your knowledge, requesting information about an account that isn't yours, which would be violating that other account's privacy.

Without knowing anything else and just a guess, it's probably someone who she knows, who had a few seconds to access her computer while it was left on, or when she didn't sign out completely when using a different computer. Ever leave her laptop unattended, where someone could have done this? Probably, if she's like most people. Also, check at the bottom of her Gmail home page -- make sure that "Last account activity" shows only sessions you/she remember. That will tell you (somewhat) if the account is continuing to be compromised. (although you say the password has been changed, which should prevent this)

I doubt it was random -- but that might be the best hope, that it was someone completely random who the information would mean little to. Otherwise, it's someone she knows who wants to know what her life is about.

Unfortunately, I doubt there is much you can do, and it is a serious invasion of privacy. But certainly give the admin/security angle a try to see if they have any procedures for this.

sbm12 Apr 11, 2009 11:14 pm

Wirelessly posted (BlackBerry8830/4.2.2 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/105)


Originally Posted by LIH Prem
Change your daughter's gmail settings so the browser connection is always using https by default.

It's on the bottom of the first settings page on the web interface.

-David

Why?

SSL doesn't really change anything with respect to the problem at hand, unless you think that the account was compromised because someone sniffed the PW from a session at one point, and that is a longshot.

Yes, using SSL is theoretically better, but it doesn't really address the situation at hand, I don't think.

To the OP, I doubt you will ever find anyone at google to actually answer that question for you. Sorry.

LIH Prem Apr 11, 2009 11:57 pm


Originally Posted by sbm12 (Post 11567209)
Wirelessly posted (BlackBerry8830/4.2.2 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/105)

Why?

I don't know if it's still the default, but it used to be the default was to use http only, unless you specifically typed in https or used a bookmark with https. If you change the default, passwords, etc, won't ever be sent in the clear. The OP said his daughter already changed her password, but if they didn't change that setting also she is leaving herself exposed to needless risk. It's a simple setting and the right thing to do, lest you dissuade somebody from doing that with your post. (Is there any reason in the world not to do it?)

But you are correct, and I didn't mean to imply in any way that that would help the OP's daughter figure out who hijacked her email account.

-David

Gargoyle Apr 12, 2009 10:22 am


Originally Posted by LIH Prem (Post 11567312)
But you are correct, and I didn't mean to imply in any way that that would help the OP's daughter figure out who hijacked her email account.

-David

It is a good change and we did that this morning, thanks.

I can think of two situations where someone could have accessed her computer and done it. One would actually have been inadvertent (he thought it was logged into their work mailbox and wanted to set that to copy to her personal mail and didn't really know what he was doing) but the other would have been an eavesdropper.

So, in the first case it is accidentally forwarding to a third party; in the latter she was being spied on.

UALOneKPlus Apr 13, 2009 8:00 pm

Check for key loggers on her PC. Any suspects like ex-boyfriends?

Gargoyle Apr 13, 2009 8:14 pm


Originally Posted by UALOneKPlus (Post 11576417)
Check for key loggers on her PC. Any suspects like ex-boyfriends?

No, the only logical suspect is one former coworker... a stretch, but possible. I discussed that with her.

crimson2k6 Apr 13, 2009 8:58 pm

A friend of mine had a similar problem, and after some research it turned out that he caught a Trojan (from a co-worker), which was embedded in a PDF my friend was sent.

There are trojans that, once opened and activated, can start key-logging and transmitting that information to the originator of the Trojan.

Gargoyle Apr 13, 2009 9:36 pm


Originally Posted by crimson2k6 (Post 11576722)
There are trojans that, once opened and activated, can start key-logging and transmitting that information to the originator of the Trojan.

But with that they'd get the PW to the gmail acct., and could access it whenever they wanted. Instead, someone went into the account settings, enabled forwarding, and entered an email address which was her address ([email protected]) with the number "2" added after the last name. That address ([email protected]) is a valid functioning address.

So, copies of all inbound mail were forwarded to that address.

Doesn't seem like a trojan type result. We see two scenarios:
1. a former coworker (she left that job in the past week or two) who wanted to spy.
2. (and she can confirm this one this week)... she was working with her (then future) now current boss, there is a gmail address which is a work address which she needs full access to, the boss (who doesn't really know what he's doing on 'puters) might have thought they were logged into the work account and wanted to make sure she got copies of everything. Since they were logged into her account, gmail wouldn't accept [email protected] in the forwarding field so he put the alternate [email protected]. Far fetched, but possible.

In the former case, the ex-coworker could have then set up the target address. In the latter case, it goes to someone somewhere in the world.

ragde77 Apr 17, 2009 4:55 pm

I don't think GMail can be of much help in this case. =(

At least you can check if the email address is valid by simply sending an email from any account and see if it bounces. If it does not bounce, it's valid.

GMail marks forwarded emails... it might be possible that all auto-forwarded emails are marked as such, so you could track the first one.

Just sharing what I would do... hope it helps.

21H21J Apr 22, 2009 4:25 am

I had a similar problem about a month ago.

I noticed that between Thursday evening and Friday morning I had not received any e-mails, and when Mrs 21H said she'd sent me something that failed to turn up I started to check the settings. My account had been changed to forward all mail to a yahoo.co.uk address, and then delete it.

Immediately changed my password and then started changing all my other passwords, starting with banking and credit cards. Nothing had been affected apart from my paypal account (same logon/password, yep I know...) which had been used to buy a macbook in Indonesia. I filed claims with Paypal and MBNA and both reversed the transaction.

The scary thing is that if the settings had not been changed to delete the mail, I probably would not have noticed until I saw the charge on my credit card.

BobbySteel Apr 22, 2009 6:23 am

The most common occasion for this happening is on shared terminals. Has she used an internet cafe/hotel lobby/airport lounge PC since she's had the account? I'd venture to guess yes, at some point, right? Keyloggers there can lie dormant until the thief decides to parse out her password.

Speaking as an ex-employee, you'll never find a human at Google for this sort of problem. Your daughter has already fixed it by deleting the filter, so there's nothing Google can do at this point that wouldn't involve mining server logs, etc. That's not going to happen without a subpoena and proof of a crime (at the least).

If it had _just_ happened, she could learn more from the "last logged in" details at the bottom of the Gmail page, but that's likely much more recent than the original filter creation.

FYI, for those of you that need to use a shared terminal, use HTTPS (as above, which limits what network sniffers can get at) and also use this method for logging in:

for (each pwd character) {
    Give focus to anywhere but the pwd field;
    Type some random characters;
    Give focus to the pwd field;
    Type the next character of the pwd;
}
Submit;

As a bonus, type the password out of order by using the mouse to position your cursor in different places. So for "password" type "ord", click to the left, type the "ssw", click to the end, type nonsense, click to the left, type "pas", go to the end, delete the nonsense, then hit submit.

(See this paper for more details on the method and how it defeats most keyloggers: http://cups.cs.cmu.edu/soups/2006/po...r_abstract.pdf )



