• Status: Solved

My email was compromised. Fake message sent as from me.

I use Gmail in Google Apps.  I am also using Outlook 2010 as my upfront GUI.  I just experienced a spoof.  A fake email as from me was sent to recipients in my address list.  I have now changed my password, though that might not be the problem.  My previous password was a randomly generated one done by my LastPass password manager.  It would have been impossible to guess.  But this spoof job was maybe done without their getting into my account.  So at this point I have ...
1. Changed the password
2. Run Adwcleaner and Junkware Removal Tool.  I plan to also run Malwarebytes Antimalware.

Should I send a real message to my whole list with an apology or something?

What else should I do?
Asked by: Josh Christie

2 Solutions

Jonathan Brite (System Admin) commented:
It was probably just spoofed as though it came from you but did not really come from you.  Can you please post the headers so we can take a look?  This is a common occurrence with many folks, kind of like bill collectors using your own name/number on caller ID when they try to call you.
0
 
Jonathan Brite (System Admin) commented:
Also, just in case, try running MalwareBytes AntiRootkit as well.  MBAR for short is available as a direct download from majorgeeks.  I love that tool.
0
 
Kimputer commented:
You need to check if the message came from your computer, came from another server or came from Google's own server. You have to ask one of the recipients to send that email back to you WITH FULL HEADERS:

Header points to your computer: Clean computer (NOT IN Windows! Scan using boot CD or USB from Avast/AVG/etc/etc, run from 2 different companies to be totally sure)
Header points to Google: Your password WAS somehow intercepted and used. Changing password might provide a solution, as long as you know how it leaked. If you don't know how it leaked, it might still pose a problem, as it might happen again (keylogger on your PC? phishing?). Scan computer just to be sure (see above point).
Header points to random IP number (probably foreign): Somehow your contact details were leaked (maybe you signed into a website with your Gmail username/password?) Did you give access to your Gmail through a third party website or plugin? Changing your Gmail password is necessary, as is scanning your PC. However, your contact details are now saved and put in a database to be sold to marketeers/spammers. It might happen again, and it will be totally out of your control.
0
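The triage above, as an added example (not part of any post in this thread): a Python sketch that walks a message's `Received` headers oldest-first and sorts each address into your own LAN, another network's private range, or a public address. The sample headers, the `192.168.0.0/16` LAN range and the reading of a first hop `with HTTP` as a web-interface submission are assumptions of the example.

```python
import ipaddress
import re
from email import message_from_string

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IP_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9-]+)")

# Constructed sample headers (not the thread's attachment). Newest hop is on top.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [203.0.113.25])
\tby mail.recipient.example with ESMTP id abc123;
\tMon, 01 Jan 2024 10:00:05 +0000
Received: by 10.50.93.6 with HTTP; Mon, 01 Jan 2024 10:00:01 +0000
Subject: constructed test message
"""

def classify_ip(ip, own_nets):
    # Scope is relative to the LAN ranges the caller passes in (assumed known).
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(n) for n in own_nets):
        return "own-network"
    return "other-private" if any(addr in n for n in RFC1918) else "public"

def received_hops(raw, own_nets):
    # Oldest hop first: each server prepends its Received line, so reverse the list.
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        ips = []
        for candidate in IP_RE.findall(flat):
            try:
                ips.append((candidate, classify_ip(candidate, own_nets)))
            except ValueError:  # dotted number that is not a valid address
                pass
        proto = WITH_RE.search(flat)
        hops.append({"ips": ips, "protocol": proto.group(1).upper() if proto else None})
    return hops

def origin_verdict(raw, own_nets):
    # Only hops added by servers you trust are reliable; older ones can be forged.
    hops = received_hops(raw, own_nets)
    if not hops:
        return "no-received-headers"
    scopes = {scope for _, scope in hops[0]["ips"]}
    if "own-network" in scopes:
        return "own-network"
    if hops[0]["protocol"] == "HTTP":
        return "webmail-submission"
    return "other-private" if "other-private" in scopes else "external"
```

A private address that is not in your own ranges was assigned inside some other network, so it does not by itself point at one of your workstations.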
 
Josh Christie (Author) commented:
One of my contacts forwarded this spoof email to me.  Here it is.
eReport-email.msg
spoof.txt
0
 
David Johnson, CD, MVP (Owner) commented:
Is your machine's IP address 10.50.241.35? If so, then your machine was compromised.  BTW your email is on a blacklist.
0
 
Josh Christie (Author) commented:
Yes, I believe my IP is 10.50.241.35.  If I compare the email I attached above with a perfectly legitimate one, they both show that IP.  BUT, I think I misled you.  My friend forwarded to me the fake email.  That's what I attached above.  So I believe you are reading the header for my friend's forwarding email to me.  Since last Friday I have been able to obtain the headers for the fake email itself as another friend received it.  I am now attaching that below.  This should be a clean document, not contaminated by forwarding information.  It looks to me as though my IP does not appear in this document.  But you are the experts.  What do you read from it?
0
 
Josh Christie (Author) commented:
Oops... Here is the attachment.
fake.txt
0
 
Kimputer commented:
Still all mostly internal IP numbers, which suggests something in your company has been compromised. Please trace down the workstation with this IP, 10.50.93.6, and check what's going on there.
0
 
Josh Christie (Author) commented:
All of our workstations' IPs begin with 192.168.
Incoming messages all seem to show 10.50.241.35, so that seems to have something to do with my incoming email.  
If I look at the headers for a typical email that I sent or an email that I receive, neither of them has 10.50.93.6 anywhere in the text.  Could that be the IP of the hacker who imitated me?
0
 
David Johnson, CD, MVP (Owner) commented:
The message originated via a web browser, so your email account has been compromised. Time to change passwords and enable 2-factor authentication.
0
 
Josh Christie (Author) commented:
I have changed my password since the event occurred.  My password manager creates a password that is a mixture of letters, cases, numbers, and characters... impossible for anyone to guess.  But anyway I have changed it.  So how safe am I now?
0
 
Kimputer commented:
David is correct, seems those 10.50.x.x IPs were Google's internal servers. Therefore your password change should already have solved it.
0
 
Josh Christie (Author) commented:
I grade this as a B because I can only be sure it's solved after a reasonable time passes with no new issue.  Thanks
0
 
Kimputer commented:
That's no problem. Hope you took David's advice on the two factor authentication from Google, as it will add an extra safe warm fuzzy security blanket to comfort you.
0
 
Josh Christie (Author) commented:
Yes, thanks, I am learning about Google's 2-step verification.
0
 
Josh Christie (Author) commented:
Got it... thanks
0
Question has a verified solution.
