A very unusual case of account hacking has been reported to G Data Security Labs: the victim's Gmail account was not only hacked and used for sending spam to the addresses stored in the account – which is bad enough in itself. Settings were also changed to cover up the deed!
Friends had contacted hacking victim Gunnar* early one morning via mobile, to check in person whether invitations they had received to view a Google Docs file were actually genuine. This was commendable behaviour on the part of the friends, as Gunnar still had no idea at this point that his account had been hacked. This is the chronology of events:
Attackers hacked Gunnar's Gmail account, even though, according to him, his password was secure and met the usual standard of upper and lower case letters, numbers and special characters. The attackers logged in to his account at 4 a.m.
Gunnar was abroad for a short time and had been using his account in Internet cafés during this period. It cannot be ruled out that his access data was stolen from an infected PC in one of these.
Shortly afterwards, the attackers sent every contact stored in Gunnar's account an email with an invitation to view a document.
The recipients should have already been suspicious at this point, as the message came in English from a German contact, contained errors and had no personal salutation or greeting.
The website the recipients were directed to looked like a Google Docs login page, but it was being used to phish login data. On this page the attackers are also hoping to capture credentials for accounts other than Gmail.
The design of the website does not match the original Google page. The background image has been taken from a free, private website for Adobe Photoshop designs. The graphic with the Google logo has also been taken from the Internet and distorted: the proportions are no longer correct, because the image has been compressed horizontally.
The attackers also set up filter rules in Gunnar's account. As soon as anyone replied to the spam email sent from Gunnar's account, the reply was immediately deleted and never appeared in the inbox. The keywords used for the filter were "mail" and "document".
In this way the attackers tried to ensure that nobody could quickly inform and warn Gunnar by email.
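The filter trick described above is easy to overlook because the rules live in the account settings, not in the mailbox. As an added example (not code from the G Data article), the script below parses the XML that Gmail's "Export filters" function produces and flags any rule that makes mail vanish based only on body keywords rather than on a sender. The element and property names (`apps:property`, `hasTheWord`, `shouldTrash`, `shouldArchive`, `shouldMarkAsRead`) are an assumption based on that export format, and the sample feed is constructed for the example.

```python
"""Audit exported Gmail filter rules for 'hide the replies' behaviour.

Added example, not part of the G Data article. The Atom/apps:property layout
and the property names are an assumption based on Gmail's filter export.
"""
import xml.etree.ElementTree as ET

NS = {
    "atom": "http://www.w3.org/2005/Atom",
    "apps": "http://schemas.google.com/apps/2006",
}

# Actions that make a matching message disappear from the inbox (assumed names).
HIDING_ACTIONS = ("shouldTrash", "shouldArchive", "shouldMarkAsRead")

# Constructed sample: one benign sender-based newsletter filter and one filter
# of the kind the attackers set (broad keywords, matching mail goes to the bin).
SAMPLE_EXPORT = """<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:apps="http://schemas.google.com/apps/2006">
  <entry>
    <id>filter-1</id>
    <apps:property name="from" value="newsletter@example.com"/>
    <apps:property name="label" value="Newsletters"/>
    <apps:property name="shouldArchive" value="true"/>
  </entry>
  <entry>
    <id>filter-2</id>
    <apps:property name="hasTheWord" value="mail OR document"/>
    <apps:property name="shouldTrash" value="true"/>
    <apps:property name="shouldMarkAsRead" value="true"/>
  </entry>
</feed>
"""


def parse_filters(xml_text):
    """Return one dict of property name -> value per filter entry."""
    root = ET.fromstring(xml_text)
    rules = []
    for entry in root.findall("atom:entry", NS):
        props = {p.get("name"): p.get("value")
                 for p in entry.findall("apps:property", NS)}
        id_el = entry.find("atom:id", NS)
        props["_id"] = id_el.text if id_el is not None else "?"
        rules.append(props)
    return rules


def suspicious_filters(rules):
    """Flag rules that hide mail on body/subject keywords alone.

    Filing mail by sender is the normal use of filters; a rule that has no
    sender or recipient condition, matches on free text and then trashes,
    archives or marks the message read is the shape used in this incident.
    """
    findings = []
    for rule in rules:
        hides = [a for a in HIDING_ACTIONS if rule.get(a) == "true"]
        if not hides:
            continue
        if rule.get("from") or rule.get("to"):
            continue
        words = rule.get("hasTheWord") or rule.get("subject") or ""
        if not words:
            continue
        # Split the Gmail search expression into its individual terms.
        terms = [t.strip('"() ') for t in words.replace(" OR ", " ").split()]
        findings.append({"id": rule["_id"], "terms": terms, "actions": hides})
    return findings


if __name__ == "__main__":
    for f in suspicious_filters(parse_filters(SAMPLE_EXPORT)):
        print(f"filter {f['id']}: hides mail matching {f['terms']} via {f['actions']}")
```

Running the script on the constructed feed reports only `filter-2`, the keyword rule that trashes replies containing "mail" or "document"; the sender-based newsletter rule passes. The same check can be applied to a real export after an incident, or periodically, since an attacker who keeps the password unchanged (as here) relies on the victim not noticing the rules.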
But there was fortune for Gunnar in his misfortune: the attackers had not changed his password after logging in, so he still had access to his account. Naturally, he changed his password as soon as he had logged in, to shut out the attackers.
Google offers its users a page on which the most recent activity in an account is logged, including the IP address of each access. From the IP address of the night-time visit, Gunnar was able to see that the external login to his account had been made from the Ruhr district.
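The activity page gives a time and an IP address per access, which is enough for a simple review like the one Gunnar did by hand. The following added example (not from the article) shows that review as code: it compares each recorded access against networks the owner recognises and flags logins at unusual hours. The record layout, the "known" networks and the activity entries are all constructed for the example.

```python
"""Flag account accesses from unfamiliar networks or at unusual hours.

Added example, not from the G Data article. The activity records and the
known-network list are constructed; real records would come from the
account's recent-activity page.
"""
import ipaddress
from datetime import datetime

# Networks the account owner normally logs in from (assumed; RFC 5737 test ranges).
KNOWN_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

# Hours during which the owner is normally asleep; a login here is worth a look.
NIGHT_HOURS = range(0, 6)

# Constructed activity log: (timestamp, source IP, access type).
# The second entry mirrors the 4 a.m. login from an unknown address in the article.
ACTIVITY = [
    ("2011-05-10 21:14", "192.0.2.44", "Browser"),
    ("2011-05-11 04:02", "203.0.113.9", "Browser"),
    ("2011-05-11 08:30", "192.0.2.44", "Mobile"),
]


def review_activity(activity, known=KNOWN_NETWORKS, night=NIGHT_HOURS):
    """Return (timestamp, ip, kind, reasons) for each access worth checking."""
    findings = []
    for ts, ip, kind in activity:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        addr = ipaddress.ip_address(ip)
        reasons = []
        if not any(addr in net for net in known):
            reasons.append("unknown network")
        if when.hour in night:
            reasons.append("night-time access")
        if reasons:
            findings.append((ts, ip, kind, reasons))
    return findings


if __name__ == "__main__":
    for ts, ip, kind, reasons in review_activity(ACTIVITY):
        print(f"{ts} {ip:>15} {kind:8} -> {', '.join(reasons)}")
```

On the constructed log only the 4 a.m. access from `203.0.113.9` is reported, for both reasons. The known-network list is deliberately the owner's own judgement rather than a geolocation lookup: what made the Ruhr-district login stand out for Gunnar was simply that it was not his.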
Research shows that not only Gmail accounts have been compromised in this wave. Customers of other freemail providers have also been complaining that emails of this sort, with invitations to view documents in Google Docs, have been landing in their inboxes over the last few weeks. The subject lines and text of the emails vary slightly from the example shown above, but the gist is always the same. Here are a few examples of other subject lines:
Experts at G Data Security Labs are trying to find out more about the attackers and have logged in to the phishing site using an existing account as a decoy. The attackers should now have received this login data. We are eager to see whether we will hear from them.
Incidentally, visitors to the phishing site cannot view the document referenced in the email at all – not that we had really expected to be able to. A supposed error message appears instead, saying that the server is busy and that the request cannot be processed right now:
* We have changed the name for privacy reasons.