What To Do If Your Gmail Account Has Been Hacked

Thursday, July 21, 2011

Robert Siciliano


I finally got one of those “I’m stuck in London” emails. My friend Kate’s Gmail account was hacked, and everyone on her contact list received an email from a hacker posing as Kate:

“Hi, Apologies, but I made a quick trip, to London, United Kingdom and got mugged, my bag, stolen from me with my passport and credit cards in it."

"The embassy is willing to help by authorizing me to fly without on a temporary identification, instead of a passport, I just have to pay for a ticket and settle Hotel bills. Unfortunately, I can’t have access to funds without my credit card, I’ve made contact with my bank but they need more time to come up with a new one."

"I was thinking of asking you to lend me some quick funds that I can give back as soon as I get in. I really need to be on the next available flight back home. Get back to me so I can send you details on how to get money to me. You can reach me via email or hotel’s desk phone, +44208359**** waiting for your response. Kate”

The hacker also created a replica of her Gmail address using Yahoo’s webmail service, and set Kate’s Gmail account to automatically forward all messages to the Yahoo address.

As soon as I received this email, I called Kate and left her a message letting her know she’d been hacked, and asked her to contact me with an alternative email address.

Then I responded to the hacker:

“Kate I will help you. Where do I send money? Robert”

The hacker wrote back:

“Robert, Thanks for responding, I need about $2000, can you make a Western Union transfer to me? I will pay back once am home, let me know what you can do ASAP thanks."

"See details needed for western union- Receiver: Kate [redacted] - City: London United Kingdom"

"What you need to do, is take cash or a debit card to a western union agent location and request to make transfer to me in United Kingdom. You can get the address of a nearby WU agent from this website."

"You will email me the mtcn number for the transfer so I can receive the money here, I have an embassy issued identification, which I will use to get the money from WU Thanks Kate”

I wrote:

“Send me a picture. I want to see your pretty face! What did you see in your travels? Did you talk to Mum this week?”

The hacker responded:

“Did you send the money yet?”

I wrote:

“You didn't answer me.”

At this point, the hacker figured out what I was doing, and blew me off:

“Don’t bother, I no longer need your help.”

It’s hard to scambait these guys because they’re much more aware of how scambaiting works. Plus, I’m not that good at it.

The hacker and I then got into an unproductive series of email exchanges calling each other nasty words.

When the real Kate called me back, I sent her this Google Help link explaining how to reset your password if you’ve been hacked. Google also offers help accessing a Gmail or Google Apps account that has been taken over by a hacker.

If you haven’t already created a secondary email address that can be used to recover an inaccessible Gmail account, do that now. (This feature isn’t currently available for Google Apps.)

Once Kate went through this process, she regained control of her account within minutes. But the criminal had deleted every single email, leaving her with nothing. He’s probably going through those messages now, searching for any useful personal information.

Kate then sent me an email, thanking me, and I noticed that the Yahoo email address was still being copied, meaning that the hacker was still seeing every email sent to Kate’s Gmail account. If you’ve been hacked, check your Gmail settings to make sure your messages aren’t being forwarded automatically.
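The forwarding check described above can be scripted. The following is an added example, not part of the original article: it audits an account's auto-forwarding setting and, going one step beyond the article, any filters that forward mail, and it ranks a forwarding target that reuses the owner's name at another provider highest, since that is the replica-address trick used against Kate. The input dictionaries are assumed to follow the shape of the Gmail API's auto-forwarding and filter settings resources; the function names and all addresses are constructed for illustration.

```python
# Added example: audit mailbox forwarding settings after an account takeover.
# Assumption: inputs use the Gmail API settings shapes
# (autoForwarding: enabled/emailAddress, filter: action.forward).

def split_addr(addr):
    local, _, domain = addr.strip().lower().rpartition("@")
    return local, domain

def canon(local):
    # Ignore "+tag" suffixes and dots so near-identical names compare equal.
    return local.split("+", 1)[0].replace(".", "")

def audit_forwarding(owner, auto_forwarding, filters, trusted=()):
    """Return (severity, message) findings for every forwarding target."""
    own_local, own_domain = split_addr(owner)
    trusted = {t.lower() for t in trusted} | {owner.lower()}
    findings = []

    def check(target, where):
        target = target.strip().lower()
        if target in trusted:
            return
        local, domain = split_addr(target)
        # Same name at a different provider: the replica-address pattern.
        lookalike = domain != own_domain and canon(local) == canon(own_local)
        severity = "HIGH" if lookalike else "REVIEW"
        note = " (owner's name at another provider)" if lookalike else ""
        findings.append((severity, f"{where} -> {target}{note}"))

    if auto_forwarding.get("enabled") and auto_forwarding.get("emailAddress"):
        check(auto_forwarding["emailAddress"], "auto-forwarding")
    for flt in filters:
        target = flt.get("action", {}).get("forward")
        if target:
            check(target, f"filter {flt.get('id', '?')}")
    return findings

# Constructed sample settings (reserved .example domains, not real data).
OWNER = "kate.example@mail.example"
SAMPLE_AUTO = {"enabled": True, "emailAddress": "kate.example@webmail.example",
               "disposition": "leaveInInbox"}
SAMPLE_FILTERS = [
    {"id": "f1", "criteria": {"from": "bank.example"},
     "action": {"forward": "someone.else@other.example"}},
    {"id": "f2", "criteria": {"subject": "newsletter"},
     "action": {"addLabelIds": ["Label_1"]}},
]

if __name__ == "__main__":
    for severity, message in audit_forwarding(OWNER, SAMPLE_AUTO, SAMPLE_FILTERS):
        print(severity, message)
```

Any finding that the account owner did not set up personally should be removed before the password reset is considered complete.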

With more than 11 million victims just last year, identity theft is a serious concern. McAfee Identity Protection offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your financial accounts. Educate and protect yourself – please visit http://www.counteridentitytheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss identity theft on YouTube. (Disclosures)

captain havoc Congratulations Robert. You are not dumb. Unfortunately it seems your friend is though if her highly secure Gmail is getting hacked. Did you do the right thing and inform her of what can happen without a real password? Identities get jacked, and so does other people's money. She should learn how to properly use the internet before trolling around creating charity email accounts. You wouldn't drive before knowing properly how to, correct? The internet is just as dangerous, it can ruin lives. So please people learn how to use correctly. The internet is not a toy. It is the largest community in the world, respect it and create a nice long password that nobody will ever figure out. Malicious Hackers are not smart... Don't be dumber than them.

This has been a public service announcement from your local hactivist.
Think... Or don't... Your choice.
Anup Shetty Nice share as always...I got a similar email from one of my friend's jacked account
--------------------
I'm sorry for this odd request because it might get to you too urgent
but it's due to the situation of things right now.
I'm stuck in Madrid Spain with my family right now, we came down here
for a short vacation then i was robbed, worse of it is that bags, cash
and cards and my cell phone were stolen at GUN POINT, it's such a
crazy experience for us.I was hit on the head but i am getting
better.We need help flying back home, the authorities are not being
100% supportive but the good thing is we still have our passports and
return tickets but currently having troubles paying off the hotel
bills and also getting a cab to take us to the airport.
Please i need you to loan me some money, will refund you as soon as
i'm back home, i promise.
Kindly get back to me as soon as you can so that i will let you know
how to get the money here.
Wait to hear from you soon.
--------------------
Though suspicious, there was no scambaiting attempt in this case, but the user got his password reset using the secondary account linked to it.

Google now shows the following warning on such emails nowadays

Warning: The content of this message is suspicious. The sender's account may be compromised. Beware of following links or of providing the sender with any personal information.

Does anyone share some insight on what really happens to the emails that we mark as phishing in Gmail? Use it for one of those blacklist creations? Does Google really pay heed?
Jackie Singh Enable two-factor authentication and this won't ever be a problem...

Unless, of course, you're kidnapped and forced to provide both your cell phone and password. You know, one of those improbable situations that would never happen unless you were storing data in your Gmail that is unsuitable for a free provider.
Robert Siciliano Having a tag like "captain havoc" and getting reassurance such as "Congratulations Robert. You are not dumb." This is like one of the best Fridays EVERS!
captain havoc You are welcome ;) I was a little tipsy and on a terrible tangent that day. Though everything I said was completely true, it was more or less uncalled for and i apologize. My bad.
Robert Siciliano "I was a little tipsy" ME TOO!!! :)
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.