
I have my business email on GMail. I use 2-factor authentication for access to said business email. I access my business email from 2 computers and 1 mobile Android device. I do not use Outlook or any email client; I access it solely through the web browser. I run Webroot AV on both computers and have run MalwareBytes, Hitman Pro and Sophos Virus Removal tool with 0 hits on all.

Yesterday, spoofed emails of my business email account originating from all over the world were sent out to my customers with an attached, password protected file that was a virus. In itself this is not unusual; however, each of the emails was an actual reply from a valid email I had received previously. I immediately looked at my google account settings and verified 2-factor auth, I looked at the devices that were using my email and could verify each one. I could find no proof that someone had gained access to my email other than myself.

Does anyone have any suggestions on where I should look for this breach? I am at a loss and dreading a second round of emails going out.

PLBarton
  • It's possible that the spoofer simply spoofed your name and email address as the sender, and sent the messages through some SMTP server other than GMail's. You may want to look at the headers of one of the spoofed messages, and see if it was sent through GMail's servers or not. – mti2935 Oct 26 '19 at 18:04
  • I have seen the header information and it is indeed spoofed. The part that scares me is that it was sent as a reply to an actual email I had received previously. I am stumped as to how they could have gotten my emails to reply to. – PLBarton Oct 26 '19 at 18:09
  • *"each of the emails was an actual reply from a valid email I had received previously."* - This does not mean that you are the only one who knew this mail. At least the sender of the original mail knew it. And maybe there were more recipients (maybe invisible to you, i.e. Bcc). – Steffen Ullrich Oct 26 '19 at 18:34
  • I considered that, but this went out to many people and they had no connection to one another except for me. – PLBarton Oct 26 '19 at 18:36
  • @PLBarton: in this case maybe one of the computers you use to access the mail got hacked. For example the attacker might have achieved remote access to your desktop and could thus misuse an existing authenticated session to access your mail. Have you also checked from where the last logins were done and made sure that this was all you? – Steffen Ullrich Oct 26 '19 at 18:39
  • I only access my email from my work laptop and my home desktop. I have checked the google account page and everywhere I have logged in, and it has all been from areas I am familiar with. However, I have asked the individual who owns the admin console access to perform a login audit for my account to see anything there. – PLBarton Oct 26 '19 at 18:46
  • This looks like emotet behavior. Did you previously open a similar email that contained an Office document that "needed" to enable the content? – Ángel Oct 28 '19 at 01:47
  • Have you implemented either of these controls: DKIM > https://blog.returnpath.com/how-to-explain-dkim-in-plain-english-2/ & https://support.google.com/a/answer/174124?hl=en SPF > https://en.wikipedia.org/wiki/Sender_Policy_Framework & https://support.google.com/a/answer/33786?hl=en – Ed Daniel Oct 28 '19 at 10:09
  • @EdDaniel the OP is using Gmail .... – schroeder Oct 28 '19 at 10:42
  • @PLBarton I think the missing details are important. You say that they are "spoofed" but then say that they are a reply. I think you need to edit your question with the actual email flow from the headers. If there is no strange account access and you use 2FA, then this might simply be a misinterpretation of the headers and no one accessed your account. – schroeder Oct 28 '19 at 10:47
  • Here is a look at the details that I received from my work email to my personal yahoo.com email. It shows that the email originated from Australia and if you scroll down and see the email content you will see it was a reply to an email I had sent myself. https://pastebin.com/vWSGkuz6 – PLBarton Oct 28 '19 at 13:42
  • From the headers that you posted, it looks like the spoofed message originated from 80.151.125.92 (which reverses to p50977d5c.dip0.t-ipconnect.de), and the spoofed message was sent using perfora.net's outgoing SMTP server mrelay.perfora.net (possibly using the username mreueus004 to authenticate). – mti2935 Oct 28 '19 at 15:05
  • Being that this message was not sent through GMail's outgoing SMTP service, and that you are not seeing any unrecognized logins to your Gmail account in the access history in your Gmail account, I think it's safe to say that there is no indication that your GMail account was breached. However, the question still remains as to how the spoofer was able to gain access to messages that you have sent previously, and how the spoofer has the email addresses of your contacts. – mti2935 Oct 28 '19 at 15:06
  • @Schroeder - hence the links to the gmail support regarding how to implement DKIM and SPF for a domain. I think it was fair to assume 'business' email meant a company domain over gmail transport; if OP is using vanilla gmail it's a whole other load of bother. – Ed Daniel Oct 28 '19 at 16:09
  • After checking our domain we actually had 2 SPF files, which I know is incorrect. I am not sure how that would be interpreted by receiving servers. I have corrected that and now have just one SPF file. We have not implemented a DKIM nor DMARC file yet, but that is the next step for us. – PLBarton Oct 28 '19 at 17:30
  • Setting up SPF and DKIM correctly should help as far as directing recipients' mail providers to treat these spoofed messages as spam. However, the question remains open as to how the content of messages that you've sent previously, and your contacts' email addresses, are leaking. – mti2935 Oct 30 '19 at 13:55
  • See this: https://support.google.com/mail/thread/17720575?hl=en in particular check apps with access to your gmail: https://support.google.com/accounts/answer/3466521?hl=en – pcalkins Oct 19 '20 at 22:13
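The two checks the comments above turn on, written out as an added Python example (not code from the question, the answers or any commenter): walking the Received: chain of a forwarded copy to see whether the message was submitted through the sender's own provider or injected through an unrelated relay, and validating a domain's SPF TXT record set for the two-record mistake PLBarton found. All hostnames, addresses, IDs and TXT values are constructed placeholders; the trusted-relay suffixes assume the business sends through Google's outbound servers. The SPF rule applied is RFC 7208 section 4.5: a record set containing more than one v=spf1 record makes check_host() return PermError, so a second SPF record removes protection rather than adding it.

```python
"""Triage helpers for a suspected spoofed-sender incident (added example).

1. Walk the Received: chain to find the first relay that accepted the message;
   if it is not our provider's outbound server, the message was injected via a
   third-party SMTP server rather than sent from the mailbox itself.
2. Validate a domain's SPF TXT record set: RFC 7208 allows exactly one v=spf1
   record, and more than one yields PermError at the receiver.
All hostnames, addresses and IDs below are constructed placeholders.
"""
import email
import re
from email import policy

# Assumption: the business sends through Google's outbound relays.
TRUSTED_RELAY_SUFFIXES = ("google.com", "googlemail.com")

# Constructed sample 1: spoofed reply injected from a residential host via an
# unrelated provider's relay (RFC 5737 documentation addresses).
SAMPLE_SPOOFED = """\
Received: from mrelay.relay-provider.example (mrelay.relay-provider.example [203.0.113.10])
\tby mx.recipient.example with ESMTPS id abc123
\tfor <customer@recipient.example>; Mon, 28 Oct 2019 07:00:00 -0500
Received: from [198.51.100.25] (dsl-198-51-100-25.isp.example [198.51.100.25])
\tby mrelay.relay-provider.example with ESMTPSA id xyz789
\tfor <customer@recipient.example>; Mon, 28 Oct 2019 06:59:58 -0500
From: Owner <owner@business.example>
To: customer@recipient.example
Subject: Re: Invoice 1042
"""

# Constructed sample 2: same sender, genuinely submitted through the provider.
SAMPLE_VIA_PROVIDER = """\
Received: from mail-abc.google.com (mail-abc.google.com [192.0.2.50])
\tby mx.recipient.example with ESMTPS id def456
\tfor <customer@recipient.example>; Mon, 28 Oct 2019 07:10:00 -0500
Received: by mail-abc.google.com with SMTP id ghi789
\tfor <customer@recipient.example>; Mon, 28 Oct 2019 07:09:59 -0500
From: Owner <owner@business.example>
To: customer@recipient.example
Subject: Re: Invoice 1042
"""

RECEIVED_BY = re.compile(r"\bby\s+([A-Za-z0-9.\-]+)", re.IGNORECASE)
RECEIVED_FROM_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
SPF_RECORD = re.compile(r"^v=spf1\b", re.IGNORECASE)


def parse_received_chain(raw):
    """Return (receiving_host, sending_ip) per hop, oldest hop first.
    Relays prepend their Received: header, so the stored order is reversed."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())  # unfold, squeeze whitespace
        by = RECEIVED_BY.search(text)
        ip = RECEIVED_FROM_IP.search(text)
        hops.append((by.group(1).lower() if by else None,
                     ip.group(1) if ip else None))
    return list(reversed(hops))


def classify_origin(raw, trusted=TRUSTED_RELAY_SUFFIXES):
    """Decide whether the message entered the mail system via our provider."""
    hops = parse_received_chain(raw)
    first_relay, origin_ip = hops[0] if hops else (None, None)
    via_provider = first_relay is not None and any(
        first_relay == s or first_relay.endswith("." + s) for s in trusted)
    return {
        "origin_ip": origin_ip,      # client address seen by the first relay
        "first_relay": first_relay,  # first server that accepted the message
        "via_own_provider": via_provider,
        "verdict": ("submitted through our provider: review account access"
                    if via_provider else
                    "spoofed via third-party relay: mailbox not shown breached"),
    }


def check_spf_records(txt_records):
    """Classify a domain's TXT record set as 'none', 'ok' or 'permerror'
    (RFC 7208 section 4.5: more than one v=spf1 record is a PermError)."""
    spf = [r.strip() for r in txt_records if SPF_RECORD.match(r.strip())]
    if not spf:
        return "none", spf
    return ("permerror" if len(spf) > 1 else "ok"), spf


# Constructed TXT record sets: the broken two-record state and the fix.
BROKEN_TXT = ["v=spf1 include:_spf.google.com ~all",
              "v=spf1 ip4:192.0.2.0/24 -all",
              "some-site-verification=placeholder"]
FIXED_TXT = ["v=spf1 ip4:192.0.2.0/24 include:_spf.google.com -all",
             "some-site-verification=placeholder"]
```

Read the chain from the recipient's own server backwards: the Received: header added by the recipient's MX is trustworthy, the one added by the relay it received from is only as trustworthy as that relay, and anything the originating client claims about itself is unverified. The first relay the recipient's server can vouch for is the decisive fact for the question asked here: if it is not the provider the mailbox lives on, no session of that mailbox was needed to send the message, and the investigation moves to where the reply content and contact list leaked from.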

2 Answers


It seems that someone remotely logged into one of your 2FA-authenticated devices and accessed your received email while your token was still valid.

Either way, it's unfortunate you have to deal with it.

Maybe implement a protocol of always logging out of the browser, at least on the PCs, and use a password generator to copy/paste your new password just in case there is a keylogger.

Preston Bennett
  • Without knowing the source of the problem, this sounds like a security step that has a high cost with dubious benefit. Logging out when not using the browser is only a mild pain, but may be completely pointless if an attacker can just wait until they are logged in (which they probably are plenty of the time anyway). Likewise, copy and paste may help against a hardware keylogger, but depending on how the system is compromised, a software keylogger may be equally as capable of stealing clipboard contents (and most probably do anyway). – Conor Mancone Oct 28 '19 at 14:10
  • @ConorMancone Thanks for the further insight into how deep the intrusion goes. Maybe utilize a third-party clipboard utility after disabling the OS clipboard service. More than likely a "clean" install is in order after vetting your files. Be sure to implement a kill-switched VPN such as PIA at all times to further reduce your chance of intrusion exponentially. – Preston Bennett Aug 18 '20 at 23:37

Yes, if malware implements MITB, which is pretty common, U2F and 2FA aren't even factors to the attacker. You can even do this in modern browser sandboxes.

user1276423
  • As I understand it, MITB is not a new thing and from what I read primarily affects IE and Firefox, while I am exclusively using Chrome. The one variant of MITB I find that affects Chrome was relevant in 2012 and has been protected against for a while now. The information I have is just from google searches and not personal experience. – PLBarton Oct 27 '19 at 15:58
  • chrome.exe isn't hardened against DLL injection or static lib hooking. TLS and HTTP buffer inline hooking is publicly documented for Chrome. – user1276423 Oct 28 '19 at 15:03