
I have seen an issue where an account has been compromised and someone is routinely emailing out the contents of a google doc to another gmail account. The account password has been changed and the filters have been checked but the emails persist.

The email isn't a spam or chaining email. It targets 1 specific google doc and emails it daily to 1 specific gmail address from the compromised account. The emails also persist even though the password has been changed.

How can an attacker be scripting this and how can the script be interrupted?

Here are the email headers in the sent email:

Delivered-To: myemail@email.com
Received: by 10.140.134.81 with SMTP id 78cs1537032qhg;
    Sun, 22 Mar 2015 23:28:01 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.140.148.68 with SMTP id 65mr73192201qhu.6.1427092081496;
    Sun, 22 Mar 2015 23:28:01 -0700 (PDT)
Date: Mon, 23 Mar 2015 06:28:01 +0000
Subject: attacker
From: myemail@email.com
To: attacker@gmail.com
Content-Type: text/plain; charset=ISO-8859-1; format=flowed; delsp=yes
essefbx
    possible duplicate of [Don't understand how my mum's Gmail account was hacked](http://security.stackexchange.com/questions/52115/dont-understand-how-my-mums-gmail-account-was-hacked) – RoraΖ Mar 23 '15 at 16:09
  • It might not be quite a duplicate, but is the link above the type of thing you're referring to? – RoraΖ Mar 23 '15 at 16:10
  • I don't think it's quite the same - this version isn't a spam chain. It was a directed attack trying to email a gdoc with passwords in it. Also the email sends once a day at 4am. – essefbx Mar 23 '15 at 16:32
  • However I will try to grab the headers and take a look. – essefbx Mar 23 '15 at 16:33
  • I would add more details. To confirm, a single account was compromised. With that compromise a Google Document was downloaded. Now that document is being emailed out to other people. Is the email claiming to be from the compromised account? – RoraΖ Mar 23 '15 at 16:37
  • I've added more details in the question – essefbx Mar 23 '15 at 16:41
  • I assume you've checked the document for embedded scripts? I also assume that you won't be putting documents containing passwords back onto GDocs again - ever? – Julian Knight Mar 23 '15 at 18:05
  • LOL it wasn't me. I'm just helping someone out. My recommendation was to delete the doc. But yeah I think there is something to the embedded script thing. – essefbx Mar 23 '15 at 19:41

1 Answer


Most likely, the attacker has embedded a script in the document or in another document in the same account. Check all of the documents for embedded scripts and make sure there are no stand-alone scripts either.

Also make sure that none of the files have been shared with an external user id.

Then make sure the user turns on 2-factor authentication on their account. Although this can be a bit of a pain, the added security is well worth it when you can lose so much if you lose control of your account.

Julian Knight
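The behaviour described in the question (one recipient, one subject, one send per day at the same clock time, surviving a password change) is the fingerprint of a time-driven script rather than a person at a keyboard. The following is an added example, not code from the question or the answer, showing how to pick that pattern out of Sent-folder metadata before going hunting for the script itself; the header values are constructed placeholders in the shape of the headers quoted above.

```python
from collections import defaultdict
from datetime import timedelta
from email.utils import parsedate_to_datetime

# Constructed sample of Sent-folder metadata (Date, To, Subject), modelled on
# the headers quoted in the question. Addresses and times are placeholders.
SENT_MAIL = [
    ("Fri, 20 Mar 2015 06:28:03 +0000", "attacker@gmail.com", "attacker"),
    ("Sat, 21 Mar 2015 06:28:05 +0000", "attacker@gmail.com", "attacker"),
    ("Sun, 22 Mar 2015 06:28:01 +0000", "attacker@gmail.com", "attacker"),
    ("Mon, 23 Mar 2015 06:28:01 +0000", "attacker@gmail.com", "attacker"),
    ("Sat, 21 Mar 2015 14:02:11 +0000", "friend@example.com", "lunch?"),
    ("Sun, 22 Mar 2015 19:45:30 +0000", "friend@example.com", "Re: lunch?"),
    ("Mon, 23 Mar 2015 09:10:00 +0000", "boss@example.com", "report"),
]


def find_scheduled_senders(messages, min_count=3, tolerance=timedelta(minutes=10)):
    """Group sent mail by (recipient, subject) and flag groups whose
    consecutive send times sit almost exactly 24 hours apart: a person
    replies at irregular intervals, a scheduled trigger fires on a clock."""
    groups = defaultdict(list)
    for date_hdr, to_addr, subject in messages:
        groups[(to_addr.lower(), subject)].append(parsedate_to_datetime(date_hdr))

    findings = []
    for (to_addr, subject), times in groups.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if all(abs(gap - timedelta(days=1)) <= tolerance for gap in gaps):
            findings.append({
                "to": to_addr,
                "subject": subject,
                "count": len(times),
                "time_of_day": times[0].strftime("%H:%M UTC"),
            })
    return findings


if __name__ == "__main__":
    for hit in find_scheduled_senders(SENT_MAIL):
        print(f"suspect scheduled sender -> {hit['to']} "
              f"({hit['subject']!r}) x{hit['count']} at {hit['time_of_day']}")
```

A hit tells you which recipient and subject to search for across the account's script projects and their triggers; it does not itself stop anything, so the answer's steps (find and remove the script, revoke external sharing, enable 2-factor) are still the fix.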