Recent Activity of a Hijacked Gmail Account

Updated: Added another hijacked account screenshot.

Earlier today a friend had their email account hacked and it sent out spam emails. Typically I send the standard response of "Hey, your email was hacked and is sending out spam. You should change your password." This time it was a little different because it was a Gmail account and I could have access to it if I wanted, so I did. Gmail has a cool feature called Last account activity. If you are logged into your Gmail inbox and scroll to the bottom right you will see some text saying "Last account activity: some time ago" with a link under it saying Details. If you click on the Details link you will get a pop-up window with information on the account's recent activity. You will be able to see the access type, location via the IP address, and concurrent sessions. Here is an example of one that I grabbed from Google Images.

[image: example Last account activity pop-up] image source

Google also has a non-pop-up version called "Recent Activity" that can be found at https://security.google.com/settings/security/activity. I always wanted to know what a hacked Gmail account looked like and what data I could gather from the Last account activity view. I have yet to figure out how the email and password were leaked. My initial thought was phishing but I'm kind of wondering if they got the credentials through another method. Below we have the Recent Account Activity of the account that was hijacked to send spam.
Hacked Last Account Activity
Let's do a quick timeline of events.
  1. July 18th the attacker logged into the account from a Romanian IP.
  2. July 20 at 1:34 Google sends an email to the user saying they prevented a sign-in attempt. The event is not seen in the activity log.
  3. July 20 at 1:34 the attacker passed a sign-in challenge from an IP (14.161.34.194) in Vietnam.
  4. July 20 at 1:34 the attacker signed in using Chrome from a Windows machine from an IP (113.161.74.75) in Vietnam.*
  5. July 20 at 1:37 the attacker sends the spam email.
  6. July 20 at 1:35 or 1:39** the attacker logged into the account from an IP in Colombia and changes the user's password.

* It's still unclear to me why the attacker was able to log in and get denied from the 113.161.74.75 IP.
** The Last account activity and Recent activity views show different times.

The images below can be used to help explain the timeline events.
[image] Event 2 - Email Alert

[image] Event 3 - Original Sign In

[image] Event 4 - Switches IPs

[image] Event 6 - Changed Password
This is cool data to look at and think about. We can infer the first login from Romania was a test to validate the credentials. The credentials were then sold to a spammer. The spammer then attempted to log into the account from Vietnam. They passed a sign-in challenge from one IP address. The attacker then switched IPs to another address in Vietnam. They were able to pass the sign-in challenge and log in. They then sent out the spam from the account. Once they had sent out the spam they logged in from Colombia and changed the password.

From this data we know the attackers have multiple proxies that they can route their traffic through very quickly. Odds are it is automated/scripted. Vietnam is notable because I have been seeing it more and more frequently. Colombia seemed kind of like an outlier but it makes sense. Vietnam and Colombia (plus many other countries) have a large number of pirated copies of the Windows operating system. The piracy is due to the cost of living compared to the cost of a licensed copy of Windows. Since these machines run pirated copies they do not get patched and are commonly exploited.


We can also gather some interesting details about what Google thinks is suspicious. Note: the following is pure speculation on my part. Without having the logs I won't know exactly what happened. The strangest and most surprising is that a login by an American user from a Romanian IP is not considered suspicious. Which brings up a good point: it is best not to rely on Gmail for alerting on suspicious activity. It's best to check the Last account activity yourself. It also looks like Google uses single events as indicators of suspicious activity. For example an attacker can attempt to log in to an account and get blocked, change IPs, successfully log in, send spam, log out, log in from Colombia and then change the password of the account. These could all be thought of as separate events. A couple of these events combined are very suspicious. Banks have been using a combination of geo-location, activity and previous suspicious events to prevent bank fraud for years. It seems like an approach that could be helpful for alerting on and preventing hijacked accounts. Another thing I couldn't find was an option to report to Google that an account was compromised once the user recovers it. This data is valuable and could be used by Google to monitor the behavior of the attackers and proactively prevent further compromised accounts.
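To make the "combine the events" idea concrete, here is an added example that is mine, not code from the original post and not Google's actual detection logic. It replays the six timeline events above as a constructed event list and scores them with a handful of combination rules (blocked attempt then login from a new IP, country change inside a short window, mail sent right after a foreign login, password change right after a contested sign-in). The year, the time of day of the Romania login and the UTC assumption are mine, since the post only gives month/day and hh:mm; the IPs and countries are the ones in the timeline.

```python
"""Toy risk scoring over account-activity events.

Added example: my code, not part of the original post and not Google's
detection logic. SAMPLE is constructed from the post's timeline; the year
(2013), the time of the Romania login and UTC are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Event kinds that mean the actor actually held a session.
AUTHENTICATED = {"login", "challenge_passed", "send", "password_change"}


@dataclass(frozen=True)
class Event:
    ts: datetime   # when it happened (UTC assumed)
    ip: str        # source IP as shown in Last account activity
    country: str   # ISO 3166 alpha-2 from GeoIP/whois
    kind: str      # "blocked", "login", "challenge_passed", "send", "password_change"


# Constructed sample modelled on timeline events 1 to 6 above.
SAMPLE = [
    Event(datetime(2013, 7, 18, 12, 0), "79.117.53.21", "RO", "login"),
    Event(datetime(2013, 7, 20, 1, 34), "14.161.34.194", "VN", "blocked"),
    Event(datetime(2013, 7, 20, 1, 34), "113.161.74.75", "VN", "login"),
    Event(datetime(2013, 7, 20, 1, 37), "113.161.74.75", "VN", "send"),
    Event(datetime(2013, 7, 20, 1, 39), "186.116.234.211", "CO", "password_change"),
]


def score(events, home="US", window=timedelta(minutes=15), threshold=5):
    """Return (points, reasons, suspicious) for one account's event list.

    Single indicators score low; it is the combination inside a short
    window that pushes the account over the threshold.
    """
    events = sorted(events, key=lambda e: e.ts)  # stable sort: ties keep input order
    points, reasons = 0, []

    # 1. Each country other than the user's usual one: +1. A lone foreign
    #    login stays under the threshold, which is what happened with Romania.
    foreign = {e.country for e in events
               if e.kind in AUTHENTICATED and e.country != home}
    for c in sorted(foreign):
        points += 1
        reasons.append(f"activity from {c}")

    # 2. Blocked attempt followed, within the window, by a successful login
    #    from a different IP: +3 (the "got denied, switched proxy" pattern).
    for i, b in enumerate(events):
        if b.kind != "blocked":
            continue
        for e in events[i + 1:]:
            if e.ts - b.ts > window:
                break
            if e.kind == "login" and e.ip != b.ip:
                points += 3
                reasons.append(f"blocked from {b.ip}, then login from {e.ip}")
                break

    # 3. Country change between consecutive authenticated events inside the
    #    window (impossible travel): +3.
    auth = [e for e in events if e.kind in AUTHENTICATED]
    for a, b in zip(auth, auth[1:]):
        if a.country != b.country and b.ts - a.ts <= window:
            points += 3
            reasons.append(f"{a.country} -> {b.country} in {b.ts - a.ts}")

    # 4. Mail sent within the window after a login from outside home: +2.
    for i, l in enumerate(events):
        if l.kind == "login" and l.country != home and any(
                e.kind == "send" and e.ts - l.ts <= window
                for e in events[i + 1:]):
            points += 2
            reasons.append(f"mail sent shortly after login from {l.country}")
            break

    # 5. Password change within an hour of a blocked attempt: +3 (locking the
    #    real owner out right after a contested sign-in).
    blocked = [e for e in events if e.kind == "blocked"]
    for p in events:
        if p.kind == "password_change" and any(
                timedelta(0) <= p.ts - b.ts <= timedelta(hours=1) for b in blocked):
            points += 3
            reasons.append("password changed within an hour of a blocked attempt")
            break

    return points, reasons, points >= threshold


if __name__ == "__main__":
    pts, why, flag = score(SAMPLE)
    print(f"score={pts} suspicious={flag}")
    for r in why:
        print(" -", r)
```

Run on the full sample the account scores 14 and is flagged; run on the Romania login alone it scores 1 and is not, which is roughly the behaviour the post describes seeing from Google. The weights and the 15-minute window are arbitrary and would be tuned against real data; the point is that rules 2 to 5 only fire on relationships between events, not on any single event.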

Below is the whois information for the IPs, for anyone who is curious.

     IP Information:

    79.117.53.21 
    Romania Bucharest Rcs & Rds Residential 
    inetnum:        79.117.0.0 - 79.117.127.255
    netname:        RO-RESIDENTIAL
    descr:          RCS & RDS Residential
    descr:          City: Oradea
    country:        RO
    admin-c:        CN19-RIPE
    tech-c:         CN19-RIPE
    tech-c:         RDS2012-RIPE
    status:         ASSIGNED PA
    mnt-by:         AS8708-MNT
    mnt-lower:      AS8708-MNT
    source:         RIPE # Filtered
    role:           RCS RDS
    address:        71-75 Dr. Staicovici
    address:        Bucharest / ROMANIA

    14.161.34.194
    Viet Nam Thanh Pho Ho Chi Minh Vietnam Post And Telecom Corporation 
    inetnum:        14.160.0.0 - 14.191.255.255
    netname:        VNPT-VNNIC-VN
    descr:          VietNam Post and Telecom Corporation
    descr:          57 Huynh Thuc Khang str, Dong Da Dist, Ha Noi
    country:        VN
    admin-c:        NXC1-AP
    tech-c:         KNH1-AP
    remarks:        for admin contact mail to Nguyen Xuan Cuong -->NXC1-AP
    remarks:        for Tech contact mail to Nguyen Hien Khanh --> KNH1-AP
    status:         Allocated portable
    changed:         20100816
    mnt-by:         MAINT-VN-VNNIC
    mnt-lower:      MAINT-VN-VNPT
    mnt-routes:     MAINT-VN-VNPT
    source:         APNIC


    113.161.74.75
    Viet Nam Thanh Pho Ho Chi Minh Vietnam Post And Telecom Corporation
    Resolve Host: mail.vietnamairport.vn
    inetnum:        113.161.0.0 - 113.161.255.255
    netname:        VNPT-NET
    country:        vn
    descr:          Dai IP dong su dung cho ket noi ADSL tai Ha Noi
    descr:          IP range use for ADSL Service of VNPT in Ha NOi
    admin-c:        VIG1-AP
    tech-c:         VIG1-AP
    status:         ALLOCATED NON-PORTABLE
    changed:         20100728
    mnt-by:         MAINT-VN-VNPT
    source:         APNIC
    route:          113.161.64.0/19
    descr:          VietNam Post and Telecom Corporation (VNPT)
    descr:          VNPT-AS-AP
    country:        VN
    origin:         AS4589

    186.116.234.211
    inetnum: 186.116/14
    status: allocated
    aut-num: N/A
    owner: COLOMBIA TELECOMUNICACIONES S.A. ESP
    ownerid: CO-CTSE-LACNIC
    responsible: Administradores Internet
    address: Transversal 60, 114, A 55
    address: N - BOGOTA - Cu
    country: CO
    phone: +57 1 5339833 []
    owner-c: CTE3
    tech-c: CTE3
    abuse-c: CTE3
    inetrev: 186.116/15
    nserver: DNS5.TELECOM.COM.CO
    nsstat: 20130718 AA
    nslastaa: 20130718
    nserver: DNS.TELECOM.COM.CO
    nsstat: 20130718 AA
    nslastaa: 20130718
    created: 20110325
    changed: 20110325


Updated:
Second account from a friend added.
Similar pattern: a login from Romania, same user agent, send spam, delete the sent spam message and then change the password.

Comments:

1. Hope everything will be fine soon. It was a pretty serious problem back in the day.