Gmail spam: an inside job?

Aleksandr Matrosov, Senior Virus Researcher at ESET Russia, has brought to our attention an avalanche of reports of hacked Gmail accounts.

While the exact nature of the hack isn't confirmed, it appears that spammers were able to access the victim's address books in order to send junk mail from the compromised accounts to their owner's contacts. Reports indicate that these are not simply emails with spoofed headers, since some of the victims report that they still have access to the messages in their Sent Mail or Bin (Trash) Folders.

The mails did not contain text apart from links such as the following (the cluster of question marks in square braces represents four apparently random digits: I've removed them to obscure malicious redirects).

ShilaTimpson[????].co.cc
ShanellTotman[????].co.cc
CarsonWelcome[????].co.cc
JaylaPeers[????].co.cc
CullenSenn[????].co.cc
RozanneBurlingame[????].co.cc
LibbieThorngren[???].co.cc
LanieIsenberg[????].co.cc
AllenFankhauser[???].co.cc

A typical example of such email looks something like this (adapted from an earlier report):

[Abbreviated and modified headers]
Sat, 17 Apr 2010 02:31:30 -0700 (PDT)
Message-ID: <[alphanumeric string]@mail.gmail.>
Subject:
From: [username] <[sender]@gmail.com>
To: [recipient1]@[domain], [recipient2]@[domain2]
Content-Type: text/plain; charset=ISO-8859-1 [Message body] AllenFankhauser5091.co.cc

These links turned out to be redirects to another site blacklisted by a number of blocklists such as SORBS, commonly associated with the spreading of pharmaceutical spam. Though the links listed above use the .cc domain, the Cocos (Keeling) Islands registration is open to anyone in the world, a fact commonly used by spammers and others not wishing to be too easily geographically identified. In fact, the links used were all seem to registered to the same individual and address in South Korea.

The compromised accounts seem to have been accessed via a mobile interface, using a range of IP addresses in a range of countries. Aleksandr tells us that this is probably an automated system operating through botnets:

81.193.41.161
71.77.155.8
188.2.236.108
68.199.130.213
89.74.141.89
91.66.29.148
77.49.70.114
78.112.85.249
78.144.33.133

Some of the users whose accounts seem to have been compromised insist that they are using strong passwords and operating systems other than MS Windows. However, one of the techniques used seems to have been the theft of authentication cookies from Gmail, for example, by using phishing XSS (Cross-Site Scripting).

A common feature of the reports is that victims say that the attacker didn't lock them out of their accounts by changing passwords. This isn't as positive as it sounds: it gives an attacker more chance of getting a second bite at the cherry without requiring him to reacquire the password once the victim has regained control of the account. It certainly doesn't prove, despite some speculation to the contrary, that the attack is bypassing password controls.

David Harley CISSP FBCS CITP
Research Fellow & Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter:
http://twitter.com/esetresearch; http://twitter.com/ESETblog
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Also blogging at:
http://amtso.wordpress.com/
http://avien.net/blog
http://blogs.securiteam.com
http://blog.isc2.org/
http://macvirus.com/
http://chainmailcheck.wordpress.com
http://smallbluegreenblog.wordpress.com/
 

Author David Harley, ESET

Follow Us

Automatically receive new posts via email:

Delivered by FeedBurner

4 articles related to:
Hot Topic
18 Apr 2010
ESET Virus Radar

Archives

Select month
Copyright © 2014 ESET, All Rights Reserved.