Recent Activity of a Hijacked Gmail Account

Updated: Added another hijacked account screenshot.

Earlier today a friend had their email account hacked and sent out spam emails. Typically I send the standard response of "Hey, your email was hacked and is sending out spam. You should change your password". This time it was a little different because it was a Gmail account and I could have access to it if I wanted, so I did. Gmail has a cool feature called Last account activity. If you are logged into your Gmail inbox and browse to the bottom right you will see a some text saying "Last account activity: some time ago" with a link under it saying Details. If you click on the Details link you will get a pop-up window with information on the accounts recent activity. You will be able to see access type, location via the IP address and concurrent sessions. Here is an example of one that I grabbed from Google Images.



image source

Google also has a non-pop-up version called "Recent Activity" that can be found at https://security.google.com/settings/security/activity. I always wanted to know what a hacked Gmail account looked like and what data I could gather from the Last account activity view. I have yet to figure out how the email and password were leaked. My initial thought was phishing but I'm kind of wondering if they got the credentials through another method. Below we have the Recent Account Activity of the account that was hijacked to send spam.
Hacked Last Account Activity
Let's do a quick timeline of events.
  1. July 18th the attacker logged into the account from a Romania IP.
  2. July 20 at 1:34 Google sends an email to the user saying they prevented a sign-in attempt. The event is not seen in the activity log. 
  3. July 20 at 1:34 the attacker passed a sign-in challenge from an IP (14.161.34.194) in Vietnam
  4. July 20 at 1:34 the attacker signed in using Chrome from a Windows machine from an IP (113.161.74.75) in Vietnam *
  5. July 20 at 1:37 the attacker sends the spam email.
  6. July 20 at 1:35 or 1:39** the attacker logged into the account from an IP in Columbia and changes the users password.
* It's still unclear to me why the attacker was able to log and get denied from the 113.161.74.75 IP
** The last account activity and recent activity have different times.   The images below can be used to help explain the timeline events. 
    Event 2 - Email Alert

    Event 3 - Original Sign In



    Event 4 -Switches IPs

    Event 6 - Changed Password
    This is cool data to look at and think about.  We can infer the first login from Romania was a test to validate the credentials. The credentials were then sold to a spammer. The spammer then attempted to log into the account from Vietnam. They passed a sign in challenge from one IP address. The attacker then switched IPs to another address in Vietnam. They were able to pass the sign in challenge and login. They then sent out the spam on the account. Once they sent out the spam the logged in from a Columbia and changed the password.

    From this data we know the attackers have multiple proxies that they can route their traffic through very quickly. Odds are automated/scripted. Vietnam is notable because I have been seeing it more and more frequently. Columbia seemed kind of like an outlier but it makes sense. Vietnam and Columbia (plus many other countries) have a large amount of pirated versions of the Windows Operating System. The piracy is due to the cost of living compared to the cost of a license version of Windows. Since these machines are pirated versions they do not get patched and are commonly exploited.


    We can also gather some interesting details about what Google thinks is suspicious. Note: The following is pure speculation on my part. Without having the logs I won't know exactly what happened.  The strangest and most surprising is that a log in from an American user from a Romania IP is not considered suspicious. Which brings up a good point that it is best not to rely on Gmail for alerting on suspicious activity. It's best to check the Last Account Activity yourself. It also looks like that Google uses a single events as indicators of suspicious activity.  For example an attacker can attempt to log in to an account get blocked, change IPs, successfully log in, send spam, log out, log in from Columbia and then change the password of the account. These could all be thought of as separate events. A couple of these events combined are very suspicious. Banks have been using a combination of Geo-location, activity and previous suspicious events to prevent bank fraud for years. It seems like an approach that could be helpful for alerting and preventing of hijacked accounts. Another thing I couldn't find was the option to report an account was compromised to Google if the user recovers their account. This datis valuable and could be used by Google to monitor the behavior of the attackers and proactively prevent further compromised accounts.

    Below is the whois information of the IPs for anyone that is curious.

     IP Information:

    79.117.53.21 
    Romania Bucharest Rcs & Rds Residential 
    inetnum:        79.117.0.0 - 79.117.127.255
    netname:        RO-RESIDENTIAL
    descr:          RCS & RDS Residential
    descr:          City: Oradea
    country:        RO
    admin-c:        CN19-RIPE
    tech-c:         CN19-RIPE
    tech-c:         RDS2012-RIPE
    status:         ASSIGNED PA
    mnt-by:         AS8708-MNT
    mnt-lower:      AS8708-MNT
    source:         RIPE # Filtered
    role:           RCS RDS
    address:        71-75 Dr. Staicovici
    address:        Bucharest / ROMANIA

    14.161.34.194
    Viet Nam Thanh Pho Ho Chi Minh Vietnam Post And Telecom Corporation 
    inetnum:        14.160.0.0 - 14.191.255.255
    netname:        VNPT-VNNIC-VN
    descr:          VietNam Post and Telecom Corporation
    descr:          57 Huynh Thuc Khang str, Dong Da Dist, Ha Noi
    country:        VN
    admin-c:        NXC1-AP
    tech-c:         KNH1-AP
    remarks:        for admin contact mail to Nguyen Xuan Cuong -->NXC1-AP
    remarks:        for Tech contact mail to Nguyen Hien Khanh --> KNH1-AP
    status:         Allocated portable
    changed:         20100816
    mnt-by:         MAINT-VN-VNNIC
    mnt-lower:      MAINT-VN-VNPT
    mnt-routes:     MAINT-VN-VNPT
    source:         APNIC


    113.161.74.75
    Viet Nam Thanh Pho Ho Chi Minh Vietnam Post And Telecom Corporation
    Resolve Host: mail.vietnamairport.vn
    inetnum:        113.161.0.0 - 113.161.255.255
    netname:        VNPT-NET
    country:        vn
    descr:          Dai IP dong su dung cho ket noi ADSL tai Ha Noi
    descr:          IP range use for ADSL Service of VNPT in Ha NOi
    admin-c:        VIG1-AP
    tech-c:         VIG1-AP
    status:         ALLOCATED NON-PORTABLE
    changed:         20100728
    mnt-by:         MAINT-VN-VNPT
    source:         APNIC
    route:          113.161.64.0/19
    descr:          VietNam Post and Telecom Corporation (VNPT)
    descr:          VNPT-AS-AP
    country:        VN
    origin:         AS4589
    9

    186.116.234.211
    netnum: 186.116/14
    status: allocated
    aut-num: N/A
    owner: COLOMBIA TELECOMUNICACIONES S.A. ESP
    ownerid: CO-CTSE-LACNIC
    responsible: Administradores Internet
    address: Transversal 60, 114, A 55
    address: N - BOGOTA - Cu
    country: CO
    phone: +57 1 5339833 []
    owner-c: CTE3
    tech-c: CTE3
    abuse-c: CTE3
    inetrev: 186.116/15
    nserver: DNS5.TELECOM.COM.CO
    nsstat: 20130718 AA
    nslastaa: 20130718
    nserver: DNS.TELECOM.COM.CO
    nsstat: 20130718 AA
    nslastaa: 20130718
    created: 20110325
    changed: 20110325


    Updated:
    Second account from a frined added.
    Similar patterns. A log in from Romania, same user agent, send spam, delete sent spam message and then change the password.

    2 comments:

    1. Automobile Security If you hide GPS tracking devices in your auto then you can be assured it is where you left it an all times. There are types of GPS tracking devices which use the mobile telephone network to update you mechanically or on request re their location. If your auto's sure to be engaging to burglars, say if you're sufficiently fortunate to own a Ferrari, then you will be able to receive an SMS with its location twenty-four / seven. http://www.healthcaresdiscussion.com/trackr-bravo/

      ReplyDelete
    2. If you are distressed or turn then you may pronounce your power doesn't bleed very comfortably. If you affect and let yourself emphasis go then you give effort your ability flows finer. Digest whatever unfathomable breaths or do something else so your ability can be allowed to course.Having solon creativity can forbear you in your adult being and cater you get heavenward in your occupation. It can meliorate you meliorate your personalised life by judgement ingenious solutions to your problems. These cardinal steps module ameliorate you to be author ingenious. http://www.webheathcare.com/alpha-zxt/

      ReplyDelete