It usually starts the same way each time, you get an email from one of your contacts, "Hey, I got this weird email from you?"
You immediately know you didn't send them anything weird or otherwise. You check your sent items for clues. Sometimes clues are right there, sometimes the bad guys have covered their tracks. What do you do now?
Technically speaking you probably weren't hacked but rather phished. In a phishing attack you become the unwitting accomplice, actually handing over both your username and password. The images below show the attack email and phishing site that's been making the rounds the past few weeks.
I've shown this site to several people and many of them say if the site was from a trusted person, they'd probably hand their credentials over by attempting to "sign-in".
This site is simply a form that might as well say, "give me your username and password so I can phish your account". If there is ever any doubt, never provide credentials.
This site offers many clues that can help us determine it's part of a phishing attack. (Click the image to enlarge).
Below is another example we recently came across. This second example doesn't provide as many clues. Like the first case, it came from a trusted source which lowers our guard.
You've confirmed or strongly suspect someone besides yourself is leveraging your Gmail account to send email. What next?
Change your Gmail password
You can do so here: https://accounts.google.com/b/0/EditPasswd or from your Gmail Settings:
- Open Gmail.
- Click the gear in the top right.
- Select Settings.
- Click the Accounts tab at the top.
- Click Change password in the “Change account settings” section.
- Type your current password and your new password. We highly recommend you create a unique password - one that you don't use for any other websites. See more password tips below.
- Click Change password.
There are also several other ways to access your Account's Security settings.
Review your Security Settings
You can find them here: https://www.google.com/settings/security
Review, confirm and update your 'Recovery & alerts' information as needed. This is a great opportunity to review these settings in detail to make sure everything is up to date.
Check your Gmail Filters
The more sophisticated attacks will often configure Gmail Filters to hide evidence of the intrusion, continue to leverage your account for nefarious activities or attempt to regain access. If a Filter does not look familiar, Delete it.
To edit or delete existing filters
- Open Gmail.
- Click the gear in the top right.
- Select Settings.
- Click the Filters tab.
- Find the filter you'd like to change and click edit or delete to remove the filter.
- If you're editing the filter, enter the updated criteria for the filter in the appropriate fields, and click Continue.
- Update any actions and click the Update filter button.
Check your Gmail Contacts
It's becoming more common for the attacker to delete the victim's Contacts. We assume this is to keep the victim from warning other potential victims before the phishing emails have a chance of snaring more victims. If your Contacts have been Deleted, leverage Gmail's 'Restore contacts...' feature under the 'More' menu.
Review additional information
If you've followed the steps above your account should be back within your control. Google does provide additional tools that can be leveraged to review additional information.
From the Gmail footer, you can find 'Last account activity' Details in the bottom right or by visiting 'Recent activity' here: security.google.com (When accessed from Gmail, this feature also allows you to "Sign out all other sessions", very handy if you forget to sign out somewhere.)
Last account activity will show us the recent login activity for our account - if you see Germany, China, Russia, etc. but happen to be in the United States you know your account was indeed compromised. It is common to see your mobile device log activity from other areas but they should be within the United States and relatively close to your general location.
Leverage two-factor authentication
Enable 2-Step Verification, commonly called Two-Factor Authentication. You can start the process here.
As Google explains:
2-Step Verification drastically reduces the chances of having the personal information in your Google Account stolen by someone else. Why? Because bad guys would have to not only get your password and your username, they'd have to get a hold of your phone.
Two-factor authentication would have foiled the phishing attack detailed in this post. Once your computer is authenticated you won't have to use two-factor authentication every time but anytime a new computer tries to access your account, two-factor authentication will be required. This strikes a good balance between convenience and security. Today many modern services offer two-factor authentication, you can learn more about other services offering this feature here.
Never trust an unknown or unexpected login page
If you're going about your business on the web and are unexpectedly asked to provide credentials, stop. Never login to a page you don't recognize or don't expect. Always review the URL of the site requesting credentials. If anything looks 'phishy' close the window and attempt to access the service as you normally would from a trusted URL like Gmail.com or Drive.Google.com
Take advantage of Google's Password Alert Chrome extension
If you enter your Google Account password or Google for Work password into anywhere other than Google's sign-in page, you’ll receive an alert, so you can quickly change your password if needed.
Password Alert also checks each page you visit to see if it's impersonating Google's sign-in page, and alerts you if so.
Leverage a good password
Keep your password secure. Don't share your password with others. In Gmail leverage Delegate Access rather than shared passwords. Don't have a single password for the whole office. If you ever think your password may have been exposed, be proactive and change it.
Never use your primary email address and password as a username/password combination for other sites.
Many services will allow (or require) an email address as a username, while convenient this can also be problematic if you use the same password for that site as the associated username for your email account. For example, Forbes was recently attacked by hackers who gained access to everyone's username.
If your email address here is your primary email address and you used the same password for that email account and Forbes, you're at a greater risk of having your account compromised. While Forbes states that passwords were encrypted we can't know the strength of the encryption or if it was fully implemented. Bottom line, we don't want our primary account password in more places than it has to be. Increased points of exposure and passwords don't mix.