Link to home
Avatar of wcsjas
wcsjasFlag for United States of America

asked on

Friend's email has been hacked I believe

I have received 2 emails in the last 2 weeks similar to the attached picture. I know that one of them just canceled his gmail account and signed up for an outlook account. Now this morning I received one from another person. Is there something that I can tell them to check on their computer? Run Malwarebytes? AntiSpyWare?

User generated image
Avatar of Jan Bacher
Jan Bacher
Flag of United States of America image

It could be a "joe job" where the author forged the header record to make it appear as if it came from someone you know.

you need to turn on detailed or verbose headers and get analyze the header information.
Avatar of wcsjas

ASKER

Where do I do that? I looked in all my Gmail settings and didn't find anywhere to do that.
ASKER CERTIFIED SOLUTION
Avatar of Thomas Zucker-Scharff
Thomas Zucker-Scharff
Flag of United States of America image

Blurred text
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Log in to Gmail
Open the message you'd like to view headers for.
Click the down arrow next to Reply, at the top of the message pane.
Select Show Original.

The full headers will appear in a new window.
Avatar of wcsjas

ASKER

This is what I found (with names removed for privacy) the email address and name was definitely his.

Delivered-To: @gmail.com
Received: by 10.70.79.230 with SMTP id m6csp595963pdx;
        Tue, 16 Dec 2014 08:39:00 -0800 (PST)
Return-Path: <@gmail.com>
Received-SPF: pass (google.com: domain of @gmail.com designates 10.194.161.202 as permitted sender) client-ip=10.194.161.202
Authentication-Results: mr.google.com;
       spf=pass (google.com: domain of @gmail.com designates 10.194.161.202 as permitted sender) smtp.mail=@gmail.com;
       dkim=pass header.i=@gmail.com
X-Received: from mr.google.com ([10.194.161.202])
        by 10.194.161.202 with SMTP id xu10mr43765000wjb.4.1418747939603 (num_hops = 1);
        Tue, 16 Dec 2014 08:38:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:date:message-id:subject:from:to:content-type;
        bh=Wp1dstk2Q1Qk9oCKBExJalORBCUkSGM4Oaa2Ji7tcXI=;
        b=vifKVo7qlrk3fix2ttV32yx+sB/+WcZXwfKjcumCtM0e3ZP4/NicPtfUZrxwsFnXK8
         EfwNnSIhb8lnpA5hTvk95N/tVqocOg1mBwyNFSFk1QQy9aeZA20MWGuu2rpHJ08IVhAV
         CdhGQZSlXyyZz+bLuIokfIxa3R0F57dBlTINDwTYVbsWzZZetjO8TCb9PACslRH/pMoR
         /GuM6HZzyJceTMHytx3NvqKSEPrhEAEzq3PxnzuFXVaf6LCL2y4T6LfNX9AyJUKevpQt
         kUfMdX2provWSfd1PQObeiEPeuwM1T2cg8BC07/s5R5kFBYVGn0g+kDSC9gaC4/3JcaG
         IWsg==
MIME-Version: 1.0
X-Received: by 10.194.161.202 with SMTP id xu10mr64539987wjb.4.1418747938592;
 Tue, 16 Dec 2014 08:38:58 -0800 (PST)
Received: by 10.27.14.210 with HTTP; Tue, 16 Dec 2014 08:38:58 -0800 (PST)
Date: Tue, 16 Dec 2014 08:38:58 -0800
Message-ID: <CAMcKkWv7SE4YEwow_XtgnKVcJKjziOC+vfkGf4-u8GKw9EWbsw@mail.gmail.com>
Subject: Re: FYI
From:  <@gmail.com>
To: undisclosed-recipients:;
Content-Type: multipart/alternative; boundary=089e013d1f9ce7e9e0050a57fe0d
Bcc: @gmail.com

--089e013d1f9ce7e9e0050a57fe0d
Content-Type: text/plain; charset=UTF-8

Hello

I've shared a document with you, It's not an attachment -- it's stored
online at Google Drive
To open this document, Click Here <http://securedpages.biz/drive/>
http://securedpages.biz/drive/ <http://secureddocs.biz/>

and just sign in with your email to view.
It is very important.

--


--089e013d1f9ce7e9e0050a57fe0d
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div>Hello</div><div><br></div><div>I&#39;ve shared a docu=
ment with you, It&#39;s not an attachment -- it&#39;s stored online at Goog=
le Drive=C2=A0<br>To open this document,=C2=A0<a href=3D"http://securedpage=
s.biz/drive/" target=3D"_blank">Click Here</a>=C2=A0=C2=A0<a href=3D"http:/=
/secureddocs.biz/" target=3D"_blank">http://securedpages.biz/drive/</a></di=
v><div><br></div><div>and just sign in with your email to view.</div><div>I=
t is very important.</div><div><br></div>-- <br><div class=3D"gmail_signatu=
re"></div>
</div>

--089e013d1f9ce7e9e0050a57fe0d--
it's hard to help when the IP addresses of the Received lines have been altered.
Avatar of wcsjas

ASKER

The only thing I altered was the names in front of @gmail.com
i would have expected to see at least one external google IP.

in that case, have your friends change their respective passwords and do as Thomas suggested.
SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.