Email account hacked, phishing messages sent, traces obliterated


A very unusual case of account hacking has been reported to G Data Security Labs: the victim's Gmail account was not only hacked and used for sending spam to the addresses stored in the account – which is bad enough in itself. Settings were also changed to cover up the deed!

Friends had contacted hacking victim Gunnar* early one morning via mobile, to check in person whether invitations they had received to view a Google Docs file were actually genuine. This was commendable behaviour on the part of the friends, as Gunnar still had no idea at this point that his account had been hacked. This is the chronology of events:

The hack

Attackers hacked Gunnar's Gmail account, even though, according to him, his password was secure and corresponded with the normal security standard of upper and lower case letters, numbers and special characters. They opened his account at 4 a.m.
Gunnar was abroad for a short time and had been using his account in Internet cafés during this period. It cannot be ruled out that his access data was stolen from an infected PC in one of these.

The spam wave

Shortly afterwards, the attackers sent every contact stored in Gunnar's account an email with an invitation to view a document.
The recipients should have already been suspicious at this point, as the message came in English from a German contact, contained errors and had no personal salutation or greeting.
Screenshot. One of the spam mails sent from the hacked account

The phishing website

The website that the recipients were being directed to looked like a Google Docs login page, but it is being used for phishing data. The attackers are hoping to get hold of non-Gmail data on this page as well.
The design of the website does not match the original Google page. The background image has been taken from a free, private website for Adobe Photoshop designs. The graphic with the Google logo has also been taken from the Internet and distorted, as it were, as the proportions are no longer correct – the image has been compressed horizontally.  
Screenshot: The Google Docs phishing website

The filters

The attackers also set filter functions in Gunnar's account. As soon as anyone responded to the spam email sent from Gunnar's account, the email was immediately deleted and did not appear in the inbox. The keywords used for the filter were "mail" and "document".
In this way the attackers tried to ensure that nobody could quickly inform and warn Gunnar via email.

Screenshot: The activity log of the hacked accountBut there was fortune for Gunnar in his misfortune: the attackers had not changed his password after logging in, so he still had access to his account. Obviously he changed his password as soon as he had logged in, to shut out the attackers.
Google offers its customers a website on which the most recent activity in a user account is logged. So Gunnar was able to see from the IP address of the night-time visit that the external login to his account was made from the Ruhr district.

Research shows that not only Gmail accounts have been compromised by this surge. Customers of other freemail providers have also been complaining that emails of this sort with offers concerning publications in Google Docs have been landing in their electronic inboxes over the last few weeks. The subject lines and text in the emails vary slightly from the example shown above, but the gist is always the same. Here are a few examples of other subject lines:

  • Please review important document
  • Review uploaded document
  • Important message
  • Important Document
  • Kindly review this !!!


G Data luring attackers

Screenshot: The fake error message after 'logging in' on the phishing siteExperts at G Data Security Labs are trying to find out more about the attackers and have logged in to the phishing site using an existing account as a decoy. The attackers should have received this data. We are eager to see if we will hear from them.
Incidentally, visitors to the phishing site cannot view the document referenced in the email at all – not that we had really expected to be able to. A supposed error message appears instead, saying that the server is busy and that the request cannot be processed right now:

Tips and tricks:

  • An up-to-date comprehensive security solution with a malware scanner, firewall, web and real-time protection is an absolute must. A spam filter that protects you from unwanted spam emails also makes sense.
  • Use strong passwords and change them regularly if possible.
  • Never use one and the same password for different services!
  • Enable the account restore options if they are available. This can help you ensure that you can still access your account in the event of an incident.
  • Where possible, enable multi-factor authentication for logging in.
  • Check the login activity for your email account every now and then. If you notice any irregularities, change your password straight away to be on the safe side.
  • Check the settings for your email account every now and then. Is any unwanted email forwarding set up? Are unknown devices allowed to log in?
  • If you find out that one of your contacts is sending unusual emails or instant messages, contact them – ideally using a different communication channel than the one via which the suspicious message came.

* We have changed the name for privacy reasons.