One day, I opened up my e-mail and found something unexpected:
My inbox showed a bunch of e-mails that appeared to be from my account (“me” in the left column) and sent with no subject line between 3:36 AM and 3:40 AM. I was definitely not awake at that time, and I was definitely not sending e-mails.
I opened up one of these e-mails to see what the content was.
What is this?
It’s a spam e-mail – sent from my account – to a number of people in my address book. Each of the other messages (15-20 in all) was similar, except sent to other people in my address book. Each message contains a link to a web site that sells cheap pharmaceuticals, such as Viagra.
I had also received e-mail from people who were up earlier than myself and had written back to let me know that something weird was happening with my account.
If you’ve ever been a victim of a scheme like this, you know that the feeling is similar to having your car or house broken into. You probably feel insecure, violated, and (in my case) angry.
In addition, my geek curiosity made me wonder how this possibly could have happened. I looked at the following evidence:
- These e-mails had my name and my e-mail address in the From: field.
  - This means the person who did this was either logged into my account, or else was good at forging e-mails to appear as if they were coming from my account.
- These e-mails were sent to people in my personal address book.
  - This is more evidence that the person was logged into my account.
Neither of these points is conclusive. It is possible to forge e-mails, and it is also possible to guess somebody’s address book contacts based on publicly available information, such as what company you work at, who your Facebook friends are, etc.
Luckily, I am using Gmail, and Google provides a really easy way to see if somebody other than me logged into my account. At the bottom of Gmail, there is a little link that lets you view your login history. Here’s a picture of it, with a bright red arrow added since it’s so small you might miss it.
You see it? It’s called Details. That link will show you when you logged in and where you logged in from.
When I clicked that link this morning, it showed me the following information:
The smoking gun is highlighted in light blue towards the middle. Somebody logged into my Gmail account from Slovakia at 3:52 AM.
I’ve never been to Slovakia. I don’t know anybody in Slovakia. I cannot even point out Slovakia on a map. So now I know for certain that my account was definitely broken into.
How did they get my password?
I will never know how my password was stolen, but I can conjecture.
The average internet user will use the same username and password on multiple sites. This is a really bad idea, but people do it anyway. Some do not know better, and others [myself included] just get lazy. I have at least 150 separate user accounts on the websites that I visit. Remembering which password works with which site is hard, but if I use the same password for multiple accounts then it gets easier.
If I use my Gmail password on another website — let’s call it “W” — then anybody who knows my W password also knows my Gmail password. A bad guy might be able to figure out my W password in several different ways. (This list is roughly in order of the actual likelihood of any of these things actually happening. I.e., #1 is very common, while #4 is less common.)
- W may be a shill: a fake site set up to look like a real site, except when I try to log in there is no real site there, just a bad guy collecting user names and passwords.
- Bad guy may be an employee at W, and when nobody is looking he steals the password file.
- W may have a security vulnerability on their website, and bad guy is able to use that vulnerability to break in and steal their password file.
- Bad guy can eavesdrop on my internet connection, and if W does not use encryption, bad guy will be able to see what my password is.
In any case, by re-using my password, I have let W’s bad security leak out into my other online accounts. This could be avoided very simply by using a different password on every single website.
Let me repeat: using a different password for each of your accounts means that if anybody steals an account password, you are limiting the damage to that one account and not letting it spread to your other accounts.
What should I do?
The irony of this story is that part of my job is to teach classes on how federal agencies respond to security incidents like this. The government requires security personnel to have a plan in place so that they can act quickly and with confidence. I, however, panicked and did not know what to do.
I didn’t have a plan in place, but in the aftermath of this incident, I put together an easy plan for handling a break-in like this.
- Change your password immediately.
- Look at your login history to determine if and when somebody else logged into your account.
- Gmail is capable of telling you if another person is currently logged into your account. If you see that the attacker is logged into your account right now, Gmail has a button to force them out. (Look at my login history screenshot above.)
- Review your sent mail folder to see what content was sent out. Verify that nothing private or sensitive was sent to any of your contacts.
- Send a message to the people in your address book to explain to them what happened. Ask them to delete the spam message and not to click on the link contained in the message.
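Step two of the plan (reviewing the login history) is the check that caught the Slovakia login. As an added example that is not part of the original post, here is that review automated over a few constructed records in the shape of the Gmail Details view; the list of expected countries and the “awake hours” window are my assumptions, not anything the post states.

```python
from datetime import datetime

# Constructed sample records modelled on the Gmail "Details" view:
# (access type, location, timestamp). Not real data; the IPs are from
# documentation ranges and the dates are placeholders.
LOGIN_HISTORY = [
    ("Browser", "United States (203.0.113.10)", "2011-04-12 22:15:00"),
    ("Mobile",  "United States (198.51.100.7)", "2011-04-13 07:02:00"),
    ("Browser", "Slovakia (192.0.2.55)",        "2011-04-13 03:52:00"),
]

# Assumptions (mine, not the post's): where the owner normally logs in
# from, and the hours during which the owner is normally awake.
EXPECTED_COUNTRIES = {"United States"}
AWAKE_HOURS = range(6, 24)   # 06:00 through 23:59


def country_of(location):
    """Strip the parenthesised IP that the Details view appends."""
    return location.split(" (", 1)[0].strip()


def suspicious_logins(history, expected_countries=EXPECTED_COUNTRIES,
                      awake_hours=AWAKE_HOURS):
    """Return (location, timestamp, reasons) for each record that deviates
    from the owner's normal pattern. A record can be flagged for more than
    one reason; the Slovakia login trips both checks."""
    flagged = []
    for _access_type, location, stamp in history:
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        reasons = []
        if country_of(location) not in expected_countries:
            reasons.append("unexpected country: " + country_of(location))
        if when.hour not in awake_hours:
            reasons.append("outside normal hours: %02d:%02d"
                           % (when.hour, when.minute))
        if reasons:
            flagged.append((location, stamp, reasons))
    return flagged


if __name__ == "__main__":
    for location, stamp, reasons in suspicious_logins(LOGIN_HISTORY):
        print(stamp, location, "->", "; ".join(reasons))
```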
So that’s what to do after something bad happens. Ideally you would never need to do that if you took good precautions. So here are some recommendations on how to avoid this type of break-in.
- Use good passwords: totally random; mixed case; letters, numbers and special characters; at least 10 letters long and ideally up to 50 letters long. (You can use a tool like this to help you come up with truly random passwords.)
- Never use the same password for two different accounts.
- Don’t use Internet Explorer ever, for any reason. Use Firefox, Chrome, or Safari.
- Set up your computer to automatically install software updates on a daily basis.
- If you use Windows, install both Anti-virus and Anti-spyware programs on your computer. Set them up to run every night while you’re sleeping, and set them up to automatically update themselves.
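The first recommendation (random, mixed-case, letters, numbers and specials, 10 to 50 characters) is concrete enough to turn into code. The following generator is an added example, not the tool the post links to; it draws from the operating system’s secure random source and rejects any draw that misses a character class, and the `entropy_bits` helper shows how much a given length buys you. The specific set of special characters is my choice.

```python
import math
import secrets
import string

# Character classes the recommendation calls for: mixed case, digits and
# special characters. The special set is an assumption of this example.
CLASSES = {
    "lower":   string.ascii_lowercase,
    "upper":   string.ascii_uppercase,
    "digit":   string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.<>?",
}
ALPHABET = "".join(CLASSES.values())   # 87 distinct characters


def meets_policy(password):
    """True when the password is 10-50 characters long and contains at
    least one character from every class."""
    return (10 <= len(password) <= 50
            and all(any(c in chars for c in password)
                    for chars in CLASSES.values()))


def generate_password(length=20):
    """Draw every character from the OS CSPRNG (secrets, never random) and
    retry whole candidates that miss a class. Rejecting rather than forcing
    a character into fixed positions keeps every position uniform."""
    if not 10 <= length <= 50:
        raise ValueError("length must be between 10 and 50 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password of this length; rejection
    sampling removes only a negligible fraction of candidates."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, "(about %.0f bits)" % entropy_bits(len(pw)))
```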
Remembering a bunch of really long, random passwords is impossible. I suggest you use a password manager to keep them straight. I personally use a commercial password manager for the Mac called 1Password. (I use it for all of my bank accounts. If I had been using it for my Gmail account, then this whole problem would have been avoided.) There is also a web-based password manager called LastPass. And you can find many, many more by searching on Google.
Hopefully somebody will find this story informative and will change their own habits to better protect themselves. I intend to continue writing [shorter] articles on various topics that affect average, non-technical users, such as spyware, viruses, etc. If you have any questions in particular, please leave a comment or send me an e-mail.