Friend's email has been hacked I believe

I have received 2 emails in the last 2 weeks similar to the attached picture. I know that one of them just canceled his gmail account and signed up for an outlook account. Now this morning I received one from another person. Is there something that I can tell them to check on their computer? Run Malwarebytes? AntiSpyWare?

hacked gmail account
wcsjasAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
Thomas Zucker-ScharffConnect With a Mentor Systems AnalystCommented:
Ask if they have been hacked.  If so, they should immediately change any passwords to those accounts and any passwords that resemble the ones one the accounts hacked.  Run chameleon from MBAM on their systems.  Running the svchost file in the chameleon directory kills rogue processes, updates the MBAM definitions and runs a scan.  They should also run a few rootkit detectors.  The one built into MBAM is pretty good, you can see links to others and reviews in my article:

http://www.experts-exchange.com/Software/Anti-Virus/A_2245-Anti-rootkit-software.html
0
 
Jan SpringerCommented:
It could be a "joe job" where the author forged the header record to make it appear as if it came from someone you know.

you need to turn on detailed or verbose headers and get analyze the header information.
0
 
wcsjasAuthor Commented:
Where do I do that? I looked in all my Gmail settings and didn't find anywhere to do that.
0
SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

 
Jan SpringerCommented:
Log in to Gmail
Open the message you'd like to view headers for.
Click the down arrow next to Reply, at the top of the message pane.
Select Show Original.

The full headers will appear in a new window.
0
 
wcsjasAuthor Commented:
This is what I found (with names removed for privacy) the email address and name was definitely his.

Delivered-To: @gmail.com
Received: by 10.70.79.230 with SMTP id m6csp595963pdx;
        Tue, 16 Dec 2014 08:39:00 -0800 (PST)
Return-Path: <@gmail.com>
Received-SPF: pass (google.com: domain of @gmail.com designates 10.194.161.202 as permitted sender) client-ip=10.194.161.202
Authentication-Results: mr.google.com;
       spf=pass (google.com: domain of @gmail.com designates 10.194.161.202 as permitted sender) smtp.mail=@gmail.com;
       dkim=pass header.i=@gmail.com
X-Received: from mr.google.com ([10.194.161.202])
        by 10.194.161.202 with SMTP id xu10mr43765000wjb.4.1418747939603 (num_hops = 1);
        Tue, 16 Dec 2014 08:38:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:date:message-id:subject:from:to:content-type;
        bh=Wp1dstk2Q1Qk9oCKBExJalORBCUkSGM4Oaa2Ji7tcXI=;
        b=vifKVo7qlrk3fix2ttV32yx+sB/+WcZXwfKjcumCtM0e3ZP4/NicPtfUZrxwsFnXK8
         EfwNnSIhb8lnpA5hTvk95N/tVqocOg1mBwyNFSFk1QQy9aeZA20MWGuu2rpHJ08IVhAV
         CdhGQZSlXyyZz+bLuIokfIxa3R0F57dBlTINDwTYVbsWzZZetjO8TCb9PACslRH/pMoR
         /GuM6HZzyJceTMHytx3NvqKSEPrhEAEzq3PxnzuFXVaf6LCL2y4T6LfNX9AyJUKevpQt
         kUfMdX2provWSfd1PQObeiEPeuwM1T2cg8BC07/s5R5kFBYVGn0g+kDSC9gaC4/3JcaG
         IWsg==
MIME-Version: 1.0
X-Received: by 10.194.161.202 with SMTP id xu10mr64539987wjb.4.1418747938592;
 Tue, 16 Dec 2014 08:38:58 -0800 (PST)
Received: by 10.27.14.210 with HTTP; Tue, 16 Dec 2014 08:38:58 -0800 (PST)
Date: Tue, 16 Dec 2014 08:38:58 -0800
Message-ID: <CAMcKkWv7SE4YEwow_XtgnKVcJKjziOC+vfkGf4-u8GKw9EWbsw@mail.gmail.com>
Subject: Re: FYI
From:  <@gmail.com>
To: undisclosed-recipients:;
Content-Type: multipart/alternative; boundary=089e013d1f9ce7e9e0050a57fe0d
Bcc: @gmail.com

--089e013d1f9ce7e9e0050a57fe0d
Content-Type: text/plain; charset=UTF-8

Hello

I've shared a document with you, It's not an attachment -- it's stored
online at Google Drive
To open this document, Click Here <http://securedpages.biz/drive/>
http://securedpages.biz/drive/ <http://secureddocs.biz/>

and just sign in with your email to view.
It is very important.

--


--089e013d1f9ce7e9e0050a57fe0d
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div>Hello</div><div><br></div><div>I&#39;ve shared a docu=
ment with you, It&#39;s not an attachment -- it&#39;s stored online at Goog=
le Drive=C2=A0<br>To open this document,=C2=A0<a href=3D"http://securedpage=
s.biz/drive/" target=3D"_blank">Click Here</a>=C2=A0=C2=A0<a href=3D"http:/=
/secureddocs.biz/" target=3D"_blank">http://securedpages.biz/drive/</a></di=
v><div><br></div><div>and just sign in with your email to view.</div><div>I=
t is very important.</div><div><br></div>-- <br><div class=3D"gmail_signatu=
re"></div>
</div>

--089e013d1f9ce7e9e0050a57fe0d--
0
 
Jan SpringerCommented:
it's hard to help when the IP addresses of the Received lines have been altered.
0
 
wcsjasAuthor Commented:
The only thing I altered was the names in front of @gmail.com
0
 
Jan SpringerCommented:
i would have expected to see at least one external google IP.

in that case, have your friends change their respective passwords and do as Thomas suggested.
0
 
rindiConnect With a Mentor Commented:
This is the typical way the cryptowall virus is spread. So whatever you do, don't open the attachements. It's unlikely that your friend has sent the mail, but rather his old address is being spoofed and sent to you. It could even be that some other malware on your PC has been used to send your address book to the crooks, so they know what addresses you trust and which ones to spoof. So I suggest you run malwarebytes on your PC. Of course there's no harm by telling your friend to also scan his PC.
0
All Courses

From novice to tech pro — start learning today.