Solved

Friend's email has been hacked I believe

Posted on 2014-12-16
9
280 Views
Last Modified: 2014-12-16
I have received 2 emails in the last 2 weeks similar to the attached picture. I know that one of them just canceled his gmail account and signed up for an outlook account. Now this morning I received one from another person. Is there something that I can tell them to check on their computer? Run Malwarebytes? AntiSpyWare?

[Attached image: hacked gmail account]
Question by:wcsjas
9 Comments
 
LVL 29

Expert Comment

by:Jan Springer
ID: 40503031
It could be a "joe job" where the author forged the header record to make it appear as if it came from someone you know.

You need to turn on detailed or verbose headers and analyze the header information.
0
 

Author Comment

by:wcsjas
ID: 40503041
Where do I do that? I looked in all my Gmail settings and didn't find anywhere to do that.
0
 
LVL 29

Accepted Solution

by: Thomas Zucker-Scharff (earned 250 total points)
ID: 40503051
Ask if they have been hacked. If so, they should immediately change any passwords to those accounts and any passwords that resemble the ones on the accounts hacked. Run Chameleon from MBAM on their systems. Running the svchost file in the Chameleon directory kills rogue processes, updates the MBAM definitions and runs a scan. They should also run a few rootkit detectors. The one built into MBAM is pretty good; you can see links to others and reviews in my article:

http://www.experts-exchange.com/Software/Anti-Virus/A_2245-Anti-rootkit-software.html
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 40503054
Log in to Gmail
Open the message you'd like to view headers for.
Click the down arrow next to Reply, at the top of the message pane.
Select Show Original.

The full headers will appear in a new window.
0
 

Author Comment

by:wcsjas
ID: 40503074
This is what I found (with names removed for privacy); the email address and name were definitely his.

Delivered-To: @gmail.com
Received: by 10.70.79.230 with SMTP id m6csp595963pdx;
        Tue, 16 Dec 2014 08:39:00 -0800 (PST)
Return-Path: <@gmail.com>
Received-SPF: pass (google.com: domain of @gmail.com designates 10.194.161.202 as permitted sender) client-ip=10.194.161.202
Authentication-Results: mr.google.com;
       spf=pass (google.com: domain of @gmail.com designates 10.194.161.202 as permitted sender) smtp.mail=@gmail.com;
       dkim=pass header.i=@gmail.com
X-Received: from mr.google.com ([10.194.161.202])
        by 10.194.161.202 with SMTP id xu10mr43765000wjb.4.1418747939603 (num_hops = 1);
        Tue, 16 Dec 2014 08:38:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:date:message-id:subject:from:to:content-type;
        bh=Wp1dstk2Q1Qk9oCKBExJalORBCUkSGM4Oaa2Ji7tcXI=;
        b=vifKVo7qlrk3fix2ttV32yx+sB/+WcZXwfKjcumCtM0e3ZP4/NicPtfUZrxwsFnXK8
         EfwNnSIhb8lnpA5hTvk95N/tVqocOg1mBwyNFSFk1QQy9aeZA20MWGuu2rpHJ08IVhAV
         CdhGQZSlXyyZz+bLuIokfIxa3R0F57dBlTINDwTYVbsWzZZetjO8TCb9PACslRH/pMoR
         /GuM6HZzyJceTMHytx3NvqKSEPrhEAEzq3PxnzuFXVaf6LCL2y4T6LfNX9AyJUKevpQt
         kUfMdX2provWSfd1PQObeiEPeuwM1T2cg8BC07/s5R5kFBYVGn0g+kDSC9gaC4/3JcaG
         IWsg==
MIME-Version: 1.0
X-Received: by 10.194.161.202 with SMTP id xu10mr64539987wjb.4.1418747938592;
 Tue, 16 Dec 2014 08:38:58 -0800 (PST)
Received: by 10.27.14.210 with HTTP; Tue, 16 Dec 2014 08:38:58 -0800 (PST)
Date: Tue, 16 Dec 2014 08:38:58 -0800
Message-ID: <CAMcKkWv7SE4YEwow_XtgnKVcJKjziOC+vfkGf4-u8GKw9EWbsw@mail.gmail.com>
Subject: Re: FYI
From:  <@gmail.com>
To: undisclosed-recipients:;
Content-Type: multipart/alternative; boundary=089e013d1f9ce7e9e0050a57fe0d
Bcc: @gmail.com

--089e013d1f9ce7e9e0050a57fe0d
Content-Type: text/plain; charset=UTF-8

Hello

I've shared a document with you, It's not an attachment -- it's stored
online at Google Drive
To open this document, Click Here <http://securedpages.biz/drive/>
http://securedpages.biz/drive/ <http://secureddocs.biz/>

and just sign in with your email to view.
It is very important.

--


--089e013d1f9ce7e9e0050a57fe0d
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div>Hello</div><div><br></div><div>I&#39;ve shared a docu=
ment with you, It&#39;s not an attachment -- it&#39;s stored online at Goog=
le Drive=C2=A0<br>To open this document,=C2=A0<a href=3D"http://securedpage=
s.biz/drive/" target=3D"_blank">Click Here</a>=C2=A0=C2=A0<a href=3D"http:/=
/secureddocs.biz/" target=3D"_blank">http://securedpages.biz/drive/</a></di=
v><div><br></div><div>and just sign in with your email to view.</div><div>I=
t is very important.</div><div><br></div>-- <br><div class=3D"gmail_signatu=
re"></div>
</div>

--089e013d1f9ce7e9e0050a57fe0d--
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 40503080
It's hard to help when the IP addresses of the Received lines have been altered.
0
 

Author Comment

by:wcsjas
ID: 40503131
The only thing I altered was the names in front of @gmail.com
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 40503149
I would have expected to see at least one external Google IP.

In that case, have your friends change their respective passwords and do as Thomas suggested.
0
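The header checks discussed in this thread (SPF/DKIM verdicts, the IPs in the Received chain, and the link in the body whose visible text differs from its real target) can be pulled out of a "Show Original" dump automatically. This is an added example, not code from the thread; the sample message is constructed from the redacted headers above with a hypothetical sender address, and the two URLs are the ones quoted in the post.

```python
import re
import ipaddress
from email import message_from_string
from email.policy import default

# Constructed sample modelled on the redacted headers in the thread (hypothetical
# sender address; the two phishing URLs are the ones quoted in the post).
SAMPLE = """\
Return-Path: <sender@gmail.com>
Authentication-Results: mr.google.com;
       spf=pass (google.com: domain of sender@gmail.com designates 10.194.161.202 as permitted sender) smtp.mail=sender@gmail.com;
       dkim=pass header.i=@gmail.com
X-Received: from mr.google.com ([10.194.161.202])
        by 10.194.161.202 with SMTP id xu10mr43765000wjb.4 (num_hops = 1);
        Tue, 16 Dec 2014 08:38:59 -0800 (PST)
Received: by 10.27.14.210 with HTTP; Tue, 16 Dec 2014 08:38:58 -0800 (PST)
From: Friend <sender@gmail.com>
Subject: Re: FYI
Content-Type: text/html; charset=UTF-8

<div>To open this document, <a href="http://securedpages.biz/drive/">Click Here</a>
<a href="http://secureddocs.biz/">http://securedpages.biz/drive/</a></div>
"""

def received_ips(msg):
    """IPv4 literals in the Received / X-Received chain, in header order."""
    hdrs = msg.get_all("Received", []) + msg.get_all("X-Received", [])
    return [ip for h in hdrs for ip in re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", h)]

def auth_results(msg):
    """Verdicts (spf=, dkim=, dmarc=) recorded by the receiving MTA."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))

def link_mismatches(html):
    """Anchors whose visible text is a URL that differs from the real href."""
    out = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.S):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if shown.startswith("http") and shown.rstrip("/") != href.rstrip("/"):
            out.append((shown, href))
    return out

def triage(raw):
    """Summarise the signals a recipient can read straight out of 'Show Original'."""
    msg = message_from_string(raw, policy=default)
    ips = received_ips(msg)
    public = [ip for ip in ips if ipaddress.ip_address(ip).is_global]
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    return {"auth": auth_results(msg), "hops": ips, "public_hops": public,
            "only_internal_hops": bool(ips) and not public,
            "link_mismatches": link_mismatches(html)}
```

For the posted message this reports spf=pass and dkim=pass with only 10.x hops, so the headers alone do not prove spoofing; the visible-URL/href mismatch is the stronger phishing indicator.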
 
LVL 88

Assisted Solution

by: rindi (earned 250 total points)
ID: 40503165
This is the typical way the cryptowall virus is spread. So whatever you do, don't open the attachments. It's unlikely that your friend has sent the mail, but rather his old address is being spoofed and sent to you. It could even be that some other malware on your PC has been used to send your address book to the crooks, so they know what addresses you trust and which ones to spoof. So I suggest you run malwarebytes on your PC. Of course there's no harm by telling your friend to also scan his PC.
0
