Friend's email has been hacked I believe

I have received 2 emails in the last 2 weeks similar to the attached picture. I know that one of them just canceled his gmail account and signed up for an outlook account. Now this morning I received one from another person. Is there something that I can tell them to check on their computer? Run Malwarebytes? AntiSpyWare?

hacked gmail account
wcsjas Asked:
 
Thomas Zucker-Scharff (Solution Guide) Commented:
Ask if they have been hacked. If so, they should immediately change any passwords to those accounts and any passwords that resemble the ones on the accounts hacked. Run Chameleon from MBAM on their systems. Running the svchost file in the Chameleon directory kills rogue processes, updates the MBAM definitions and runs a scan. They should also run a few rootkit detectors. The one built into MBAM is pretty good; you can see links to others and reviews in my article:

http://www.experts-exchange.com/Software/Anti-Virus/A_2245-Anti-rootkit-software.html
0
 
Jan Springer Commented:
It could be a "joe job" where the author forged the header record to make it appear as if it came from someone you know.

You need to turn on detailed or verbose headers and analyze the header information.
0
 
wcsjas (Author) Commented:
Where do I do that? I looked in all my Gmail settings and didn't find anywhere to do that.
0
 
Jan Springer Commented:
Log in to Gmail
Open the message you'd like to view headers for.
Click the down arrow next to Reply, at the top of the message pane.
Select Show Original.

The full headers will appear in a new window.
0
 
wcsjas (Author) Commented:
This is what I found (with names removed for privacy). The email address and name were definitely his.

Delivered-To: @gmail.com
Received: by 10.70.79.230 with SMTP id m6csp595963pdx;
        Tue, 16 Dec 2014 08:39:00 -0800 (PST)
Return-Path: <@gmail.com>
Received-SPF: pass (google.com: domain of @gmail.com designates 10.194.161.202 as permitted sender) client-ip=10.194.161.202
Authentication-Results: mr.google.com;
       spf=pass (google.com: domain of @gmail.com designates 10.194.161.202 as permitted sender) smtp.mail=@gmail.com;
       dkim=pass header.i=@gmail.com
X-Received: from mr.google.com ([10.194.161.202])
        by 10.194.161.202 with SMTP id xu10mr43765000wjb.4.1418747939603 (num_hops = 1);
        Tue, 16 Dec 2014 08:38:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:date:message-id:subject:from:to:content-type;
        bh=Wp1dstk2Q1Qk9oCKBExJalORBCUkSGM4Oaa2Ji7tcXI=;
        b=vifKVo7qlrk3fix2ttV32yx+sB/+WcZXwfKjcumCtM0e3ZP4/NicPtfUZrxwsFnXK8
         EfwNnSIhb8lnpA5hTvk95N/tVqocOg1mBwyNFSFk1QQy9aeZA20MWGuu2rpHJ08IVhAV
         CdhGQZSlXyyZz+bLuIokfIxa3R0F57dBlTINDwTYVbsWzZZetjO8TCb9PACslRH/pMoR
         /GuM6HZzyJceTMHytx3NvqKSEPrhEAEzq3PxnzuFXVaf6LCL2y4T6LfNX9AyJUKevpQt
         kUfMdX2provWSfd1PQObeiEPeuwM1T2cg8BC07/s5R5kFBYVGn0g+kDSC9gaC4/3JcaG
         IWsg==
MIME-Version: 1.0
X-Received: by 10.194.161.202 with SMTP id xu10mr64539987wjb.4.1418747938592;
 Tue, 16 Dec 2014 08:38:58 -0800 (PST)
Received: by 10.27.14.210 with HTTP; Tue, 16 Dec 2014 08:38:58 -0800 (PST)
Date: Tue, 16 Dec 2014 08:38:58 -0800
Message-ID: <CAMcKkWv7SE4YEwow_XtgnKVcJKjziOC+vfkGf4-u8GKw9EWbsw@mail.gmail.com>
Subject: Re: FYI
From:  <@gmail.com>
To: undisclosed-recipients:;
Content-Type: multipart/alternative; boundary=089e013d1f9ce7e9e0050a57fe0d
Bcc: @gmail.com

--089e013d1f9ce7e9e0050a57fe0d
Content-Type: text/plain; charset=UTF-8

Hello

I've shared a document with you, It's not an attachment -- it's stored
online at Google Drive
To open this document, Click Here <http://securedpages.biz/drive/>
http://securedpages.biz/drive/ <http://secureddocs.biz/>

and just sign in with your email to view.
It is very important.

--


--089e013d1f9ce7e9e0050a57fe0d
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div>Hello</div><div><br></div><div>I&#39;ve shared a docu=
ment with you, It&#39;s not an attachment -- it&#39;s stored online at Goog=
le Drive=C2=A0<br>To open this document,=C2=A0<a href=3D"http://securedpage=
s.biz/drive/" target=3D"_blank">Click Here</a>=C2=A0=C2=A0<a href=3D"http:/=
/secureddocs.biz/" target=3D"_blank">http://securedpages.biz/drive/</a></di=
v><div><br></div><div>and just sign in with your email to view.</div><div>I=
t is very important.</div><div><br></div>-- <br><div class=3D"gmail_signatu=
re"></div>
</div>

--089e013d1f9ce7e9e0050a57fe0d--
0
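
An added example, not part of any participant's post, of the header analysis this thread is doing by hand: it reads the Authentication-Results verdicts, compares the DKIM signer with the From domain, notes a Received hop stamped "with HTTP" (as in the headers posted above), and flags links whose visible URL names a different host than the href. The sample message, its addresses and hosts are constructed placeholders, and `triage` and `LinkAudit` are hypothetical names.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample shaped like the posted message; all hosts are placeholders.
SAMPLE = """\
Authentication-Results: mx.example.org;
       spf=pass smtp.mail=friend@example.com;
       dkim=pass header.i=@example.com
Received: by 10.27.14.210 with HTTP; Tue, 16 Dec 2014 08:38:58 -0800 (PST)
From: Friend <friend@example.com>
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div><a href=3D"http://login.example.net/drive/">Click Here</a> <a href=3D"=
http://other.example.net/">http://login.example.net/drive/</a></div>
"""

class LinkAudit(HTMLParser):  # collects (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def triage(raw):
    msg = message_from_string(raw)
    auth = " ".join(msg.get_all("Authentication-Results", []))
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    signer = re.search(r"header\.i=\S*@([\w.-]+)", auth)  # exact match only
    # Assumption: "with HTTP" marks a message composed in the web interface.
    via_web = any("with HTTP;" in r for r in msg.get_all("Received", []))
    audit = LinkAudit()  # decode quoted-printable/base64 parts before parsing
    audit.feed("".join(p.get_payload(decode=True).decode("utf-8", "replace")
                       for p in msg.walk() if p.get_content_type() == "text/html"))
    mismatched = [(text, href) for href, text in audit.links if text.startswith("http")
                  and urlparse(text).hostname != urlparse(href).hostname]
    return {"verdicts": verdicts, "via_web": via_web, "mismatched_links": mismatched,
            "dkim_aligned": bool(signer) and signer.group(1).lower() == from_domain}
```

Passing SPF and DKIM for the From domain together with a web-interface hop is consistent with mail sent from inside the real account, while a failing or unaligned result is what a forged From header would produce.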
 
Jan Springer Commented:
It's hard to help when the IP addresses of the Received lines have been altered.
0
 
wcsjas (Author) Commented:
The only thing I altered was the names in front of @gmail.com
0
 
Jan Springer Commented:
I would have expected to see at least one external Google IP.

In that case, have your friends change their respective passwords and do as Thomas suggested.
0
 
rindi Commented:
This is the typical way the CryptoWall virus is spread. So whatever you do, don't open the attachments. It's unlikely that your friend has sent the mail, but rather his old address is being spoofed and sent to you. It could even be that some other malware on your PC has been used to send your address book to the crooks, so they know what addresses you trust and which ones to spoof. So I suggest you run Malwarebytes on your PC. Of course there's no harm in telling your friend to also scan his PC.
0
Question has a verified solution.
