The past few weeks have been hellacious at Casa de la Spera…
I’ve been in computing since 1984. I have written more than I can remember without actually reviewing the stuff I’ve written. This includes seven years of columns on CompuServe’s Computing Pro forum as well as approximately 10,000 tips for Windows (95, 98, 98SE, NT, ME, 2000, and Windows 7), Internet Explorer, Office (95/97/2000/2007) and Windows-based Hardware, for WUGNET (The Windows User’s Group Network). I’ve written COUNTLESS software reviews for both Mac and Windows platforms; and I was nominated for Microsoft MVP for Windows Mobile at least twice between 2004 and 2007.
Yeah… I’m giving you the resume more for ME than for anyone else right now.
It started during the middle of October. I started seeing bounce notices hit my account, and I wasn’t certain why. Not all of the bounce notices or delivery delay notices I got had the body of the original email with them; some did. When I was able to look at what that body was, it was clear that my Google Apps based email account had been compromised.
I immediately changed my password.
However, that didn’t resolve everything.
Gmail has a few different tools to help you protect your account if you think it’s been compromised, including signing out all web sessions. I did that and then changed my password – AGAIN – and signed back in. However, by that time, the damage had been done and Google had suspended my SMTP permissions. I couldn’t send any email. According to Google, I had sent over 5000 emails in the course of a 24 hour period.
At that point, I also noticed that my contact list had been increased by over 1500 entries, as well. Many of these were simply a strange looking address and nothing more. For example:
Many of the entries had either just the full email address as the contact name or firstname<dot>lastname as the contact name. Those were easy to spot and eliminate, though I had to go through my contact list at least 3-4 times. I didn’t get all of them, and somehow, they got repopulated (with different entries) a couple times. (I’m still pulling crap out of my contacts list…)
After upgrading my Google Apps instance from a grandfathered, fewer-than-50-member free edition to a paid subscription, AND speaking with Google on this for over an hour, I submitted a ticket to get the account reinstated. It took them about two hours, but they put me back in business, and I was able to file a couple of articles with Soft32.
Things quieted down for about a week, and then it kicked in again, though this time, I was able to go through the process again, very quickly and then cut things off before I had sent 5000 emails. This went on – this back and forth – for about another week or so, then things just stopped.
Last weekend (the weekend of 2015-11-08), it started up again, and I got more bounce notices and some forwards back from a couple of people that my account had been hacked again.
That’s when I enabled two factor authentication on my Google Apps account and domain. Two factor authentication is where access to an online account requires not only the account user name and password, but also a validation token or code, usually sent by text message to a mobile or smartphone. The validation token can also be generated by an authenticator app on the phone, which derives each code from a shared secret and the current time, so it works without a network connection and a stolen password alone is not enough to log in.
At this point, I think I have control of the account again.
The bigger problems that remain –
- How was the account compromised more than once?
- How was it compromised after implementing a 13+ character (multi-case, letters, numbers, and special character) password?
- What significance did the 1500+ additional address book entries play?
- Was there any hidden XML payload associated with any of the additional address book entries?
- When I deleted them, did I get them all?
- Would that even make a difference?
- Did I pick up a key logger?
A key logger…
In fact, the boot drive isn’t even visible to the FixMeStick. Thankfully, the vendor is aware of the issue and they’re working on a resolution. FixMeStick owners will have their sticks updated automatically once the solution is published.
My other saving grace is that Time Machine apparently doesn’t have the same security measures placed on its drive as the boot drive on a Mac running the OS. FixMeStick has scanned my Time Machine backup drive and hasn’t found any malware.
The big point that everyone needs to understand, however, is that anyone and everyone can get malware from just about anywhere on the internet. Ad networks are a huge problem. Malware can flow through those and can infect your computer even from a site you know and trust. Products like FixMeStick are helpful, but you’ve got to be careful, especially right now.
Both Windows 10 and OS X 10.11 El Capitan are new operating systems. Existing anti-malware products may not work correctly on these operating systems as of this writing. They may need some updates.
You may also have issues with anti-malware products that run while your computer is running from its boot drive. It’s very possible that malware on your PC may hide from your scanner – no matter how good it is – and it either may not be detected, or may not be removable.
Unfortunately, this isn’t like the 1990’s. Getting malware today can be devastating and life altering, if not life ruining. Phishing attacks and other data breaches can lead to identity theft, and some of the damage related to it may be difficult to come back from.
The lessons learned here should be multi-fold:
- Mind where you surf
- Have some kind of malware scanner running, regardless of platform, and keep its definitions current
- Invest in some sort of offline, self-booting anti-malware solution so that stubborn threats can be removed without being activated