
Attackers hit close to home.

My wife Sophy's gmail account started spewing spam this morning to everyone in
her sent mail folder. Given that my wife has been working in technology for
about as long as I have been in information security, and specifically three
years in anti-spam, I was both slightly intrigued and rather miffed when I
received the following message in my inbox:

[Screenshot: the outbound spam message]

If this were a PC laptop, I would chalk this up to a desktop compromise. There
have not been a significant number of reports of OS X malware that scrapes
address books, which makes that possibility rather remote. I had Sophy
immediately rotate her gmail password, log in, and pass over a screenshot of her
access history:

[Screenshot: Gmail access history]

If we take a closer look at 123.12.254.155, we can see the IP doesn't exactly
reside in San Francisco:

route:        123.8.0.0/13
descr:        CNC Group CHINA169 Henan Province Network
country:      CN
origin:       AS4837
mnt-by:       MAINT-CNCGROUP-RR
changed:      abuse@cnc-noc.net 20070111
source:       APNIC

I am pretty certain that neither of us was in China this morning, and at this
point I was confident that her desktop was safe, since the compromise likely
affected her webmail account only. I later discovered that Sophy had used
similar passwords on multiple websites, leading me to believe that one of the
many websites she accessed was compromised, handing the attacker a legitimate
Gmail login (her e-mail address) and password.
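The access-history check above (an IP that does not belong where the account owner is) can be scripted. This is an added example, not code from the post: it parses constructed access-history lines in the shape Gmail showed, resolves each IP against a small prefix table standing in for a whois/geo lookup (only the APNIC route quoted above is real; the other prefixes and the log lines are constructed), and flags logins from outside the expected country.

```python
import ipaddress
import re

# Constructed: the account owner's expected country and a tiny prefix-to-origin
# table standing in for a real whois/geo lookup. Only the 123.8.0.0/13 route
# (CNC Group CHINA169, AS4837) comes from the post; the rest is made up.
EXPECTED_COUNTRY = "US"
PREFIX_TABLE = [
    ("123.8.0.0/13", "CN", "AS4837"),      # from the APNIC record in the post
    ("198.51.100.0/24", "US", "AS64500"),  # constructed: home ISP
    ("203.0.113.0/24", "US", "AS64501"),   # constructed: office
]
NETWORKS = [(ipaddress.ip_network(p), cc, asn) for p, cc, asn in PREFIX_TABLE]

# Constructed access-history lines: "<access type> <ip> <time>"
ACCESS_HISTORY = """\
Browser 198.51.100.23 10:02 pm (2 hours ago)
Browser 123.12.254.155 8:15 pm (4 hours ago)
POP3 203.0.113.7 6:40 pm (6 hours ago)
"""

LINE_RE = re.compile(r"^(?P<type>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<when>.+)$")


def lookup(ip):
    """Return (country, asn) for the longest matching prefix, or (None, None)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, cc, asn in NETWORKS:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc, asn)
    return (best[1], best[2]) if best else (None, None)


def flag_anomalies(history, expected_country=EXPECTED_COUNTRY):
    """Return the access entries whose source country differs from the expected
    one. Unknown prefixes are flagged as well, since they cannot be vouched for."""
    flagged = []
    for line in history.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not access entries
        cc, asn = lookup(m.group("ip"))
        if cc != expected_country:
            flagged.append({"type": m.group("type"), "ip": m.group("ip"),
                            "country": cc, "asn": asn, "when": m.group("when")})
    return flagged


if __name__ == "__main__":
    for hit in flag_anomalies(ACCESS_HISTORY):
        print(hit)
```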

The moral of the story is that you absolutely have to use a different password
for each and every website you use, or at least cluster your accounts based
upon attack propagation tolerance. In other words, you can use the same
password across multiple junk message boards, but doing the same across
multiple financial websites would be Bad.

Oh, and the attackers didn't just send spam from her mail account, they also
deleted all her mail on Gmail. Because Sophy maintains backups of her mail, a
potentially stressful day was avoided. Oh yeah, that's the other moral of the
story: maintain good backups, please.


This page contains a single entry from the blog posted on July 14, 2008 11:35 PM.
