Gmail Users Beware

Recently I discovered that a Gmail account I use for subscriptions to newsletters and similar non-critical content had been hacked by someone in China. That, by itself, isn't that interesting but there were some interesting aspects of the "attack".

I would like to think that I am fairly security savvy, given that is what I do for a living but this event has opened my eyes to how vigilant we must be as defenders and the true advantage attacker have over us.

I first discovered that this Gmail account had been compromised when I started receiving bounce-back messages from a strange email address - 451231738@qq.com. I know I didn't send any email address so I did some digging. It turns out that QQ is a popular instant messaging site in China. Hmmmm, that's not good. I then checked out the setting on my Gmail account and discovered what actually happened.

Typically, I view the email from this particular Gmail account on any of various other devices (iPad, laptop, etc.). As a result, I don't usually log in to Gmail itself. When I did, I was presented with a big, red flashy sign that said, basically, Danger Will Robinson, someone has recently logged into your account from China - click here to see what happened. I clicked there and found that my account had been accessed at least 3 times from China starting around 10 days before I detected the problem. That, of course, prompted additional investigation.

I looked in the setting of my Gmail account and found a lot of bad things. I first noticed that someone had set up the QQ email address as an address that mail sent to the Gmail account could be forwarded to. Next, I discovered that the password recovery email address was also set to the QQ email address. Finally, I found a number of filters set up to forward any email containing the words "password", "info", "account" and "paypal" would be sent automatically to the QQ account. Also, any email from @blizzard.com or @battle.net would be forwarded.

Given that I don't use this Gmail account for anything critical, I'm not terribly concerned about the impact of this hack. I suppose someone in China could steal my subscription to a newsletter or discussion group but that's not that big of a deal. There are a couple of things that really do have me concerned.

First, how did the attacker manage to compromise my account without me knowing about it? Perhaps my password could have been better but doesn't Google have a setting to prevent brute force attacks?

Second, it scares me that the attacker was able to modify the settings of my Gmail account such that I would not have found out about the attack if the QQ address hadn't been shut down. How many others don't log into the Gmail web site but rely on Mail.app, phone mail clients, Outlook or similar mail clients to get their mail?

Third, how many people use their Gmail accounts to conduct real business (either professional or personal)? How many people use Gmail to reset the passwords on their bank accounts, to pay bills, etc. This type of attack had little real negative impact on me but that we partially dumb luck in that I don't use Gmail for anything really important.

Finally, is this problem specific to Gmail? Are other web-based mail services less vulnerable? Equally vulnerable? More vulnerable?

To wrap things up, if you are reading this and use a web-based email service like Gmail, check you settings as soon as you can. I'm not saying you've been hacked but it is better to be safe than sorry. Remember to check the settings and change your password to these sites regularly.

And Google, if you are by any chance listening, please include an account lockout function (if you don't already have one) and please allow me to include a setting that alerts me if settings are changed. It doesn't have to be fancy - just a quick email stating that "we just wanted to let you know that your settings have been changed - if you didn't do this, you've been hacked!".