Solved

Friend's email has been hacked I believe

Posted on 2014-12-16
9
272 Views
Last Modified: 2014-12-16
I have received 2 emails in the last 2 weeks similar to the attached picture. I know that one of them just canceled his gmail account and signed up for an outlook account. Now this morning I received one from another person. Is there something that I can tell them to check on their computer? Run Malwarebytes? AntiSpyWare?

hacked gmail account
0
Question by:wcsjas
9 Comments
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40503031
It could be a "joe job" where the author forged the header record to make it appear as if it came from someone you know.

You need to turn on detailed or verbose headers and analyze the header information.
0
 

Author Comment

by:wcsjas
ID: 40503041
Where do I do that? I looked in all my Gmail settings and didn't find anywhere to do that.
0
 
LVL 26

Accepted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 250 total points
ID: 40503051
Ask if they have been hacked.  If so, they should immediately change any passwords to those accounts and any passwords that resemble the ones on the accounts hacked.  Run chameleon from MBAM on their systems.  Running the svchost file in the chameleon directory kills rogue processes, updates the MBAM definitions and runs a scan.  They should also run a few rootkit detectors.  The one built into MBAM is pretty good, you can see links to others and reviews in my article:

http://www.experts-exchange.com/Software/Anti-Virus/A_2245-Anti-rootkit-software.html
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40503054
Log in to Gmail
Open the message you'd like to view headers for.
Click the down arrow next to Reply, at the top of the message pane.
Select Show Original.

The full headers will appear in a new window.
0
 

Author Comment

by:wcsjas
ID: 40503074
This is what I found (with names removed for privacy). The email address and name were definitely his.

Delivered-To: @gmail.com
Received: by 10.70.79.230 with SMTP id m6csp595963pdx;
        Tue, 16 Dec 2014 08:39:00 -0800 (PST)
Return-Path: <@gmail.com>
Received-SPF: pass (google.com: domain of @gmail.com designates 10.194.161.202 as permitted sender) client-ip=10.194.161.202
Authentication-Results: mr.google.com;
       spf=pass (google.com: domain of @gmail.com designates 10.194.161.202 as permitted sender) smtp.mail=@gmail.com;
       dkim=pass header.i=@gmail.com
X-Received: from mr.google.com ([10.194.161.202])
        by 10.194.161.202 with SMTP id xu10mr43765000wjb.4.1418747939603 (num_hops = 1);
        Tue, 16 Dec 2014 08:38:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:date:message-id:subject:from:to:content-type;
        bh=Wp1dstk2Q1Qk9oCKBExJalORBCUkSGM4Oaa2Ji7tcXI=;
        b=vifKVo7qlrk3fix2ttV32yx+sB/+WcZXwfKjcumCtM0e3ZP4/NicPtfUZrxwsFnXK8
         EfwNnSIhb8lnpA5hTvk95N/tVqocOg1mBwyNFSFk1QQy9aeZA20MWGuu2rpHJ08IVhAV
         CdhGQZSlXyyZz+bLuIokfIxa3R0F57dBlTINDwTYVbsWzZZetjO8TCb9PACslRH/pMoR
         /GuM6HZzyJceTMHytx3NvqKSEPrhEAEzq3PxnzuFXVaf6LCL2y4T6LfNX9AyJUKevpQt
         kUfMdX2provWSfd1PQObeiEPeuwM1T2cg8BC07/s5R5kFBYVGn0g+kDSC9gaC4/3JcaG
         IWsg==
MIME-Version: 1.0
X-Received: by 10.194.161.202 with SMTP id xu10mr64539987wjb.4.1418747938592;
 Tue, 16 Dec 2014 08:38:58 -0800 (PST)
Received: by 10.27.14.210 with HTTP; Tue, 16 Dec 2014 08:38:58 -0800 (PST)
Date: Tue, 16 Dec 2014 08:38:58 -0800
Message-ID: <CAMcKkWv7SE4YEwow_XtgnKVcJKjziOC+vfkGf4-u8GKw9EWbsw@mail.gmail.com>
Subject: Re: FYI
From:  <@gmail.com>
To: undisclosed-recipients:;
Content-Type: multipart/alternative; boundary=089e013d1f9ce7e9e0050a57fe0d
Bcc: @gmail.com

--089e013d1f9ce7e9e0050a57fe0d
Content-Type: text/plain; charset=UTF-8

Hello

I've shared a document with you, It's not an attachment -- it's stored
online at Google Drive
To open this document, Click Here <http://securedpages.biz/drive/>
http://securedpages.biz/drive/ <http://secureddocs.biz/>

and just sign in with your email to view.
It is very important.

--


--089e013d1f9ce7e9e0050a57fe0d
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div>Hello</div><div><br></div><div>I&#39;ve shared a docu=
ment with you, It&#39;s not an attachment -- it&#39;s stored online at Goog=
le Drive=C2=A0<br>To open this document,=C2=A0<a href=3D"http://securedpage=
s.biz/drive/" target=3D"_blank">Click Here</a>=C2=A0=C2=A0<a href=3D"http:/=
/secureddocs.biz/" target=3D"_blank">http://securedpages.biz/drive/</a></di=
v><div><br></div><div>and just sign in with your email to view.</div><div>I=
t is very important.</div><div><br></div>-- <br><div class=3D"gmail_signatu=
re"></div>
</div>

--089e013d1f9ce7e9e0050a57fe0d--
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40503080
It's hard to help when the IP addresses of the Received lines have been altered.
0
 

Author Comment

by:wcsjas
ID: 40503131
The only thing I altered was the names in front of @gmail.com
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40503149
I would have expected to see at least one external Google IP.

In that case, have your friends change their respective passwords and do as Thomas suggested.
0
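Jan's advice to read the full headers, and the point about a Received: chain with no external address, worked through as an added example (this is not code from the thread or from Experts Exchange). The script parses a message copied from Gmail's Show Original view, lists the addresses in the Received: chain and whether any of them is globally routable, pulls the spf=/dkim= verdicts out of Authentication-Results, and compares the visible link text in the HTML body against the real href. The sample message is abridged from the headers posted above; the names the poster removed are replaced with the placeholders me@gmail.com and friend@gmail.com.

```python
"""Triage a message copied from Gmail's "Show Original" view (added example)."""
import email
import ipaddress
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Sample message abridged from the headers posted above. The poster removed
# the names; "me@gmail.com" and "friend@gmail.com" are placeholders.
RAW_MESSAGE = """Delivered-To: me@gmail.com
Received: by 10.70.79.230 with SMTP id m6csp595963pdx;
        Tue, 16 Dec 2014 08:39:00 -0800 (PST)
Return-Path: <friend@gmail.com>
Authentication-Results: mr.google.com;
       spf=pass (google.com: domain of friend@gmail.com designates 10.194.161.202 as permitted sender) smtp.mail=friend@gmail.com;
       dkim=pass header.i=@gmail.com
Received: by 10.27.14.210 with HTTP; Tue, 16 Dec 2014 08:38:58 -0800 (PST)
From: Friend <friend@gmail.com>
To: undisclosed-recipients:;
Subject: Re: FYI
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Hello, I've shared a document with you. To open it,=C2=A0<a =
href=3D"http://secureddocs.biz/" target=3D"_blank">http://securedpages.biz/=
drive/</a> and just sign in with your email to view.</div>
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def hop_addresses(msg):
    """IPv4 addresses in the Received: chain, newest hop first."""
    found = []
    for header in msg.get_all("Received", []):
        for token in IPV4.findall(str(header)):
            try:
                found.append(ipaddress.ip_address(token))
            except ValueError:  # dotted token that is not an address
                pass
    return found


def auth_results(msg):
    """The spf=/dkim=/dmarc= verdicts from Authentication-Results."""
    field = str(msg.get("Authentication-Results", ""))
    return {m.group(1): m.group(2)
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", field)}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_mismatches(html):
    """Links whose visible text is a URL on a different host than the href."""
    collector = LinkCollector()
    collector.feed(html)
    found = []
    for href, text in collector.links:
        shown, real = urlparse(text).hostname, urlparse(href).hostname
        if shown and real and shown != real:
            found.append({"shown": shown, "real": real})
    return found


def triage(raw):
    """Summarise the signals a responder checks first for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    html = msg.get_content() if msg.get_content_type() == "text/html" else ""
    hops = hop_addresses(msg)
    return {
        "from": str(msg["From"]),
        "auth": auth_results(msg),
        "hops": [str(ip) for ip in hops],
        "external_hops": [str(ip) for ip in hops if ip.is_global],
        "link_mismatches": link_mismatches(html),
    }
```

On the sample, `triage(RAW_MESSAGE)` reports hops 10.70.79.230 and 10.27.14.210 with no globally routable address, spf=pass and dkim=pass, and one link whose text reads securedpages.biz while the href points at secureddocs.biz. Note what the passing SPF and DKIM results do and do not say: they show that Google's own servers accepted and signed the message for that gmail.com account, not who was logged into it, so they cannot separate the account owner from someone else using the account, which is why changing the password applies either way. The link check is the quicker tell: a "shared document" that leads to a third-party .biz host and asks you to sign in with your email follows the pattern of credential phishing rather than a Drive share.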
 
LVL 87

Assisted Solution

by:rindi
rindi earned 250 total points
ID: 40503165
This is the typical way the cryptowall virus is spread. So whatever you do, don't open the attachments. It's unlikely that your friend has sent the mail, but rather his old address is being spoofed and sent to you. It could even be that some other malware on your PC has been used to send your address book to the crooks, so they know what addresses you trust and which ones to spoof. So I suggest you run Malwarebytes on your PC. Of course there's no harm in telling your friend to also scan his PC.
0
