
I'm reasonably technically competent, but I don't know how to interpret this PC issue. As it's a real-world incident, there's some back-story.

I'm in the UK. The suspect PC runs Win8.1, up to date, used for simple desktop stuff by a family member. There are about 4 other PCs, all pretty much identically built, on the same LAN, behind an OPNsense (pfSense fork) router.

  1. About 5th March 2020, the family member asked me to look at their PC. A bunch of 4 or 5 remote-access software packages had been installed within a 10 minute period from original downloads (GitHub or author's DL pages) - AnyVPN, TeamViewer etc - clearly from some phishing link. First time in many years; the family member is pretty good. There wasn't any sign of actual damage - none of the SW was connected, but it could have been a false trail with a different, less visible malware. I took the disk from that system offline, connected it to a "known good" PC and scanned with Kaspersky. Nothing. Apparently clean. But even so, I deleted everything and installed a complete clean new system and software on that PC, to ensure it was clean.
     
  2. On 30 April, the relative reported being locked out of their email for the last 2 days. Email for them is Outlook 2010 + Gmail + IMAP, with a long hard password. (They also use an Android app for email when away from home, but with the Corona lockdown they haven't been out.) The Google web UI reported an account lockout due to a suspect login attempt from some IP address in Holland. But it didn't provide a list of actual logins to check for an actual breach (too many days/logins ago). I wondered if this might be his mobile email, using a Vodafone European IP in Holland or something, but the IP wasn't a telco. Google reported a PW change, but the relative had also tried different PWs to try and log in before telling me. I changed the password myself to be sure, more because Google insisted than because I thought the hard password was guessed. So admittedly I changed it lazily (suffixed the old PW with "1" to keep it easy for them). No further issues...
     
  3. Today he reported he has been locked out of his email again. Same kind of thing. French IP this time (185.93.2.181), which attempted on 12 May (says Google) to log in using his new PW and was blocked as a precaution. This time there is history - but the only successful logins are from our home IP address. The IP doesn't seem to mean anything, and doesn't seem to be a Tor exit.

So I'm unclear how to interpret. This is as far as I can work it out:

  • The PC's disk was wiped. Other systems on the LAN aren't showing mysterious Google security events. The original phish installed official (digital sig/official DL site) software. So it doesn't seem likely that overt or covert malicious stuff persisted from the 5 March event.

  • On 2 subsequent occasions, Google reports security issues with an attempted login from Dutch (28 April) and French (12 May) IPs. The addresses don't mean anything to me. They aren't mobile or Tor either, apparently. There don't seem to be actual breaches. I can't tell if a password was taken or not, because I don't know whether it was used or my relative did it, but I changed the password anyway.

  • The current (3rd) event is worrying. After the 2nd event, when I changed the PW, I would expect that to put an end to any issues with unaccounted-for logins, but it didn't. No other machine here has had such logins. But the changed PW after the 2nd attempt was one I myself set via the browser on a clean OS. If that's not it, then what is Google alerting on? Was there even a breach at all after the March incident, and is Google being over-cautious? Could it be something silly like his mobile phone provider's EU IP? I don't see clearly.

So I'm not sure at all what to make of it, which limits what responses to choose...

ideas?

Update:

As suggested by @schroeder, I checked GMail itself. The relative's email should be mutually shared by/delegable to/usable by one other user, his wife.

On his account, no other delegated users are shown (I'm not 100% sure if there could be other ways to login via Google, I might need guidance what to check), and the recovery details are unchanged and the recovery email is almost certainly unbreached (almost never logged in, credentials known to me only and not online).

I then checked his wife's account, in case she's the backdoor. No unexpected delegation on hers, no evidence of logins from unexpected places, no evidence of Google Security alert history or emails (although they could have been wiped), no sign of a breach in Google Account security or recent logins. Also, usually she's more careful than he is, and the March phishing attack was on his machine, not hers.

Does this exclude a GMail related intrusion or are there other things I should check? I'm not that familiar with GMail security but it seems straightforward...?

Stilez
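The post above admits the April reset was "old PW + 1". The following is an added example, not code from the original post or from any of the commenters: it models an attacker who already holds the previous password and, after a reset, tries the handful of mutations people most often make, and it doubles as a reset-time check that rejects a new password derived that way. The rule set (suffixes, leet table, trailing-number bump) and the sample passwords are constructed for illustration and are assumptions, not a record of what was tried against this account.

```python
"""Why "old password + 1" does not invalidate a stolen password.

Added example (not from the original post). The mutation rules below are a
small, constructed subset of the kind of rules credential-stuffing tools apply
to a known password; real rule sets are far larger.
"""
import re

# Constructed: suffixes people most often bolt on when forced to change a password.
COMMON_SUFFIXES = ["1", "!", "1!", "!1", "2", "123", "2020", "2021", "#"]

# Constructed: common "leet" substitutions.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def bump_trailing_number(pw):
    """'secret9' -> 'secret10', 'secret09' -> 'secret10', 'secret' -> None."""
    m = re.search(r"(\d+)$", pw)
    if not m:
        return None
    digits = m.group(1)
    return pw[: m.start()] + str(int(digits) + 1).zfill(len(digits))


def mutations(old):
    """All first-pass guesses an attacker derives from one known password."""
    cands = set()
    # Case and leet variants of the known password, plus the password with any
    # trailing digits/punctuation stripped (so the suffix rules re-apply cleanly).
    bases = {old, old.capitalize(), old.upper(), old.lower(), old.translate(LEET)}
    bases.add(re.sub(r"[\d!#$@]+$", "", old))
    for base in bases:
        cands.add(base)
        for suffix in COMMON_SUFFIXES:
            cands.add(base + suffix)
            cands.add(suffix + base)
        bumped = bump_trailing_number(base)
        if bumped:
            cands.add(bumped)
    cands.discard(old)  # the old password itself is no longer a "guess"
    return cands


def is_trivial_variant(old, new, depth=1):
    """True if `new` is reachable from `old` within `depth` mutation steps.

    depth=1 covers the single lazy edit described in the post; depth=2 also
    catches "old + 1" followed by "old + 11" on the next forced reset.
    """
    if new == old:
        return True
    frontier, seen = {old}, {old}
    for _ in range(depth):
        nxt = set()
        for pw in frontier:
            for cand in mutations(pw):
                if cand == new:
                    return True
                if cand not in seen:
                    seen.add(cand)
                    nxt.add(cand)
        frontier = nxt
    return False


if __name__ == "__main__":
    # Constructed sample: a long, hard-looking password and two "changes".
    old = "Tr0ub4dor&3"
    for new in ["Tr0ub4dor&31", "Tr0ub4dor&4", "Tr0ub4dor&311", "correct horse battery staple"]:
        print(f"{new!r}: trivial variant at depth 1? {is_trivial_variant(old, new)};"
              f" at depth 2? {is_trivial_variant(old, new, depth=2)}")
```

If the attacker obtained the April password through the earlier phish (or a later leak), every candidate in `mutations(old)` is one cheap login attempt away, which is consistent with a single failed-then-blocked attempt using "his new PW" rather than a brute-force pattern. A genuinely new password (a random passphrase, or a manager-generated string) scores `False` at any depth, and 2FA makes the question moot.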
    Your very first statement: "A bunch of 4 or 5 remote usage softwares had been installed" -- that's all you need to know. You don't need malware if normal programs offer access to your online accounts. – schroeder May 14 '20 at 14:48
  • Check the google account for associated emails or connected accounts. This is not a machine-level or a PC issue. This is a Google Account level issue. Remember that technology is a stack. One can enter the flow at any point in the stack, not just at the hardware level. – schroeder May 14 '20 at 14:50
  • @Schroeder - on your first comment, none of them were set up, the system disk was wiped on a different machine and reinstalled, and the gmail account PW changed subsequently. The recovery account and methods were never changed or affected (they're my recovery accounts and are never logged in, nor stored, on any system here). So if someone's getting in now, after that, then what are they using to do so? I'll check for connected account issues shortly, but none were notified. – Stilez May 14 '20 at 15:05
  • Your comment changes significant details, and I'm not sure you understood my comments. ... Were the remote access tools installed or not? It doesn't matter where you wiped the drives. **You** might not have changed anything in the google accounts, and **you** might not have logged in, but did the attacker add their own account? You are seeing this as an infected device scenario where someone is getting the password. There are ***other*** possibilities that do not require the device. Step 1: verify the account details, security, and recovery options. Step 1 is not to look at the hardware. – schroeder May 14 '20 at 15:10
  • @Schroeder - Gmail updated in OP. I can't see anything, but is there more I should check? – Stilez May 15 '20 at 22:49
  • 185.93.2.181 is a server running on the service provider "datapacket.com" ("a dedicated service provider with data centers in 23 locations worldwide"). 185.93.2.181 server has ssh and smtp ports open. I dont know much about this datapacket.com provider, but they do have a "Contact" link on their webpage at www.datapacket.com... maybe you could try to contact them and let them know there's a suspicious server... probably won't help you much, but at least it is something to do. – hft May 15 '20 at 23:25
  • It's listed on 2 blacklists, both active around the time of the suspect login. Clear on all others, but those 2 are enough to say it's probably not a benign hint. But I checked Google sharing (I think) and what am I *still* missing? (Schroeder - remote tools were bare-installed but all apparently unmodified and still digitally signed, from official DL pages, with no evidence of them being configured properly to work?) – Stilez May 16 '20 at 06:04
  • It wasn't entirely clear for me whether the attempted logins were attempts that would have succeeded since they used the correct password or if they were just brute forcing attempts. This is important context. If the correct password was used, you don't need to keep guessing, the passwords are being taken somehow. Start from the top and rethink the entire approach to storing passwords. Reset everything, reinstall the OS from scratch, change all passwords, enable 2FA. – Pedro May 18 '20 at 10:12
