
Mass hack attack or a Gmail bug?

Tatyana Nikitina
Blogger
Posted April 20, 14:42 GMT
Tags: Spammer techniques

For over a week, users of Gmail have been exchanging stories about email accounts being compromised and spam being sent from them without the owners' knowledge, trying to guess what is behind this strange epidemic.

The spam mailings are being sent from hacked accounts to addresses that the account owners have communicated with – these are primarily addresses from the contact list. There is no message subject and the body contains nothing more than a link to an online drug store in the .co.cc domain. This is a redirect to the recently registered website mrapgyan.net which, incidentally, doesn’t work. A copy of the message is saved to the “Sent Mail” folder just like any other sent message, and sometimes it can be found in the “Trash” folder. Some of the messages don’t make it to their recipients and remain flagged as undelivered.

It turns out that every time the spammers connected to someone’s account, they did so via the mobile interface and most probably using bots. The IP addresses used to gain unauthorized access were in locations dotted around the world – the USA, Western Europe, the Middle East, Asia, Africa…

It’s worth pointing out that the cybercriminals only used their victims’ contacts to send out spam – they didn’t modify passwords to email accounts and didn’t delete any messages or contact lists.

It remains to be seen what connects all the victims. Active accounts were targeted as well as those that had lain dormant for some time. Password strength and the presence or type of antivirus solution also appear to play no role. No malware was found on the majority of affected computers. The operating systems also varied: XP, Windows 7, Windows Vista, Mac OS and various versions of Linux, in combination with browsers such as IE, Firefox, Opera and Chrome.

The number of compromised accounts has not been determined. Google is keeping quiet for the moment – they are supposedly investigating. In the meantime, all users of Gmail are advised to check their recent account activity, change their passwords, uncheck the “Stay signed in” box on all their computers and sign out when a session ends.
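The check that the advice above asks of users, as an added example that is not part of the original post: a script that parses constructed Gmail-style recent-activity entries (the line format, IP addresses and countries are made up here) and flags the pattern the post describes, mobile-interface logins from several countries within a short span.

```python
import re
from datetime import datetime, timedelta

# Constructed Gmail-style "recent activity" entries (format, IPs and countries are
# made up for this example): access type | IP | country | UTC timestamp.
ACTIVITY = """\
Browser | 192.0.2.10     | US | 2010-04-19 08:12
Mobile  | 198.51.100.7   | NG | 2010-04-19 21:03
Mobile  | 203.0.113.44   | SA | 2010-04-19 21:09
Mobile  | 203.0.113.91   | FR | 2010-04-19 21:15
Mobile  | 198.51.100.200 | IN | 2010-04-20 02:40
Browser | 192.0.2.10     | US | 2010-04-20 07:55
"""

LINE = re.compile(r"^(\w+)\s*\|\s*([\d.]+)\s*\|\s*([A-Z]{2})\s*\|\s*(\S+ \S+)$")

def parse(text):
    """Return (access_type, ip, country, datetime) tuples, skipping malformed lines."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        kind, ip, cc, ts = m.groups()
        rows.append((kind.lower(), ip, cc, datetime.strptime(ts, "%Y-%m-%d %H:%M")))
    return rows

def max_mobile_countries(rows, home_country, window=timedelta(hours=24)):
    """Largest number of distinct non-home countries seen in mobile logins
    inside any sliding window of length `window`."""
    mobile = sorted((r[3], r[2]) for r in rows if r[0] == "mobile" and r[2] != home_country)
    best = 0
    for i, (t0, _) in enumerate(mobile):
        countries = {cc for t, cc in mobile[i:] if t - t0 <= window}
        best = max(best, len(countries))
    return best

def is_suspicious(rows, home_country, threshold=3):
    """True when mobile access is spread over `threshold` or more foreign countries
    within a day: the pattern in the post, not something one user's phone does."""
    return max_mobile_countries(rows, home_country) >= threshold

if __name__ == "__main__":
    rows = parse(ACTIVITY)
    if is_suspicious(rows, "US"):
        print("Suspicious: change the password and sign out of all other sessions.")
```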

PS from Sergey Golovanov:

The domain mrapgyan.net, which is where the link in the spam message redirects to, was registered with the following name servers:

DNS1: ns1.u7d.ru
DNS2: ns2.pharmacyhealthmedsnow.eu
(http://www.robtex.com/dns/mrapgyan.net.html#whois)

What does that mean?
Well, virus analysts know that three-character domains of the form [letter][number][letter] are linked to the spread of Bredolab. And pharmacyhealthmedsnow.eu obviously points to spam advertising medications.
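The two heuristics in the PS turned into a small triage script, added here and not part of the original post: it pulls name servers out of a constructed WHOIS-style excerpt (the two hostnames are the ones quoted above) and flags letter-digit-letter second-level domains and pharmacy-themed names. The keyword list is an assumption of this example.

```python
import re

# Constructed WHOIS-style excerpt; the two name servers are the ones quoted above.
WHOIS_EXCERPT = """\
Domain Name: mrapgyan.net
Name Server: NS1.U7D.RU
Name Server: NS2.PHARMACYHEALTHMEDSNOW.EU
"""

# [letter][number][letter] second-level label, the Bredolab-associated pattern.
LDL_LABEL = re.compile(r"^[a-z][0-9][a-z]$")
# Assumed keyword list for pharmacy-spam hosting (not from the original post).
PHARMA_WORDS = ("pharmacy", "meds", "pills", "drug")

def name_servers(whois_text):
    """Extract lower-cased name server hostnames from WHOIS-style text."""
    return [m.group(1).lower()
            for m in re.finditer(r"^Name Server:\s*(\S+)", whois_text, re.M)]

def second_level_label(host):
    """Return the label just before the TLD (assumes a single-label TLD)."""
    parts = host.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def assess(host):
    """Reasons a name server looks like spam or malware infrastructure."""
    label = second_level_label(host)
    reasons = []
    if LDL_LABEL.match(label):
        reasons.append("letter-digit-letter domain (Bredolab-style)")
    if any(w in label for w in PHARMA_WORDS):
        reasons.append("pharmacy keyword in domain")
    return reasons

def assess_whois(whois_text):
    """Map each name server in the excerpt to its list of reasons (empty = clean)."""
    return {ns: assess(ns) for ns in name_servers(whois_text)}

if __name__ == "__main__":
    for ns, reasons in assess_whois(WHOIS_EXCERPT).items():
        print(ns, "->", ", ".join(reasons) or "nothing notable")
```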


4 comments


port22

2010 Apr 20, 19:45

Facebook Connection?

This recently happened to an associate of mine in Japan. In addition to the emails with the drug store links, she found a few in her sent items with the text below:

----------
subject: HELP!!!
Sorry i didn't inform you about our traveling, we presently in London
UK stranded.Got Mugged last night at a gun point all cash, credit
card,cell phone and valuable things where stolen away from us during
the Robbery I will like you to assist us with a soft loan urgently
with the sum of $2000.we need to sort out the hotel bills and get
ourselves back home. we will appreciate whatever you can afford, i
promise to pay back as soon as i return, Please let me know if you can
help...

Reply asap
----------

Her Facebook account was also taken over and the integrated Facebook chat hijacked to distribute messages similar to the one above. Her Hotmail account was also compromised.

No trace of malware on her computer and the only link I've been able to discern is she used Facebook's contacts importer for both Gmail and Hotmail, but I'm not sure of the timeframe.

I'm pretty sure that it's the same issue; the links in many of the outgoing emails are the same you referenced above.


Shannon

2010 Apr 21, 02:18

Same thing happened to me

Yesterday, my gmail account was taken over. (As well as my yahoo email which was linked.) The email was sent to all of my contacts saying I was mugged, in U.K., and asking for money. They then went on to Facebook and started contacting my friends through Facebook chat with the same story.

I really can't figure out how this happened because I consider myself fairly tech-savvy, and not naive enough to give out personal information on just any site.
However, I did check my email using the mobile web on my phone right before the spammers took over my account. The connection may not be secure. I think it may be worth looking into whether this has anything to do with the current epidemic of hacked Gmail accounts. They may have designed a bot to steal non-encrypted login info sent via mobile web.

One of my professors nearly sent the money! Hopefully, hacked users' friends are aware enough to know better.


Mm

2010 Apr 23, 02:52

Me Too

I had one of my AOHell accounts hijacked last week and had mass emails sent out to recent contacts, not old ones though, just ones I had recent communications with. Like others, my password was not changed and there were no viruses or trojans detected on my computer. The emails sent out were blank except for a link to some pharmaceutical site. I am not sure how I got targeted. The only other email provider I use is through my ISP. We do not use Gmail, Yahoo, Hotmail, or any other email providers. My other half has a facebook page, but it is not connected in any way to the name that was hijacked. Changing the password seems to have solved the problem for now. Things that make ya go Hmmmmm......


Thomas D. Nielsen

2011 Apr 30, 10:22

I have been under this attack the recent week .. :-[[

- and kind of thanks for the advice about the trash folder where I have now found my lost emails :)

But I hope some folks will read this, as I am puzzled by the dates of these attacks. I was attacked around the 20th of April, and as far as I can tell from this thread these dates are recurring, with the dates from last year also being around the 20th of April???

I hope someone will pick this message up and find out if there is a date-set virus lying on one of the Gmail account servers or what??

Common front against hackers and/or worse!! /Thomas
