(OT) Gmail Account Hacked - what else should I do?

Matthew Crews mattcrews at mattcrews.com
Mon Jan 16 15:37:57 MST 2017


I'll start with the obvious.

1. Change her password. Use something fairly complex and UNIQUE, do not
reuse an existing password.

1a. Download a password manager and change ALL passwords. I would ALMOST
recommend using this for Google, but Google is one of those services you
need to memorize the password for.

2. Enable 2FA. I presume you are using a cell phone that has text messaging
support. Enable 2 factor authentication with her Google account, either
with SMS or with their authentication app.

3. Enable 2FA. Seriously, if a service has that option, use it.

4. Install some virus scanners and look for malware. The most likely reason
her account was hacked, besides password reuse, is a drive-by malware
install from web advertising.

4a. A full reformat of her PC is recommended. I would use a Linux tool like
DD or Shred to completely wipe the HD, boot sector included.

5. Fully update her system. This includes OS updates, software updates,
driver updates, etc.

6. Install ad-block or similar software, and/or uninstall Flash and Java,
to limit or eliminate this attack vector.

7. If your wife is not tech savvy, now would be a good opportunity to teach
her general safe practices for surfing the web.

8. Don't exclude the possibility of malware on her smart phone, if she has
one. If it's an old Android or iOS phone that no longer receives OS
updates, I recommend tossing it and buying something that still receives them.

Those are the basics.

On Mon, Jan 16, 2017, 15:25 Mark Phillips <mark at phillipsmarketing.biz>
wrote:

> Some missing information - her PC runs Windows, and she only accesses
> gmail through her browser.
>
> Mark
>
> On Mon, Jan 16, 2017 at 3:23 PM, Mark Phillips <mark at phillipsmarketing.biz> wrote:
>
> It looks as if my wife's gmail account was hacked on Jan 9, and I want to
> see if there is anything else we have to do to clean up the mess.
>
> 1. She stopped getting any email on Thursday in this account. We tracked
> it down to a filter that sent all incoming email to Trash. We deleted the
> filter.
>
> 2. A little more digging, and we found a suspicious login from NY on Jan
> 9. She swears she was not in NY on that day....and, absent any proof to the
> contrary, I believe her. ;)
>
> 3. There was a Google Brand account attached to her gmail account, which
> we deleted. No idea what that is.
>
> 4. There are several delivery failure emails in her Trash folder like this
> one:
> Address not found
> Your message wasn't delivered because the domain houston.rr.com couldn't
> be found. Check for typos or unnecessary spaces and try again.
> The response from the remote server was:
> DNS Error: 10339950 DNS type 'mx' lookup of houston.rr.com responded with
> code NOERROR 10339950 DNS type 'aaaa' lookup of
> cdptpa-smtpin01.houston.rr.com. responded with code NXDOMAIN 10339950 DNS
> type 'a' lookup of cdptpa-smtpin01.houston.rr.com. responded with code
> NXDOMAIN
>
>
> Final-Recipient: rfc822; jham003 at houston.rr.com
> Action: failed
> Status: 4.0.0
> Diagnostic-Code: smtp; DNS Error: 10339950 DNS type 'mx' lookup of
> houston.rr.com responded with code NOERROR
>  10339950 DNS type 'aaaa' lookup of cdptpa-smtpin01.houston.rr.com.
> responded with code NXDOMAIN
>  10339950 DNS type 'a' lookup of cdptpa-smtpin01.houston.rr.com.
> responded with code NXDOMAIN
> Last-Attempt-Date: Sat, 14 Jan 2017 14:09:54 -0800 (PST)
>
>
> ---------- Forwarded message ----------
> From: Steven Walls <allison at phillipsoasis.com>
> To: Steven Walls <wallssteven1 at adsolutionpro.us>
> Cc:
> Date: Wed, 11 Jan 2017 15:21:41 -0500
> Subject: Apple Inc. is Hiring with an Attractive Pay!!!
> Need weekly pay for driving your car?
>
> Make $ 400 every week for having an AD of Apple Inc. attached to you car
> while you drive.
>
> Reply to find out more.
>
>
> Steven Walls
>
> I assume Mr Walls is the hacker (or his/her alias) and was using her
> account to send out spam emails. We have changed her password to something
> a little more obtuse than what she was using....Will have to get her set up
> with LastPass to keep her honest with her passwords.
>
> Anything else we should do?
>
> Thanks!
>
> Mark
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
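
Item 1 of the original report describes a filter that sent all incoming mail to Trash. As an added example (not part of the thread), this Python script audits an exported filter file for rules that delete or forward mail. It assumes the Atom XML layout of a Gmail filter export (`apps:property` entries such as `shouldTrash` and `forwardTo`); the sample data, addresses and the `audit` function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"atom": "http://www.w3.org/2005/Atom",
      "apps": "http://schemas.google.com/apps/2006"}
# Properties that narrow which messages a filter matches (assumed export names).
CRITERIA = {"from", "to", "subject", "hasTheWord", "doesNotHaveTheWord"}

# Constructed sample: a benign label rule, a trash-everything rule like the one
# described in the thread, and a rule that forwards one sender's mail elsewhere.
SAMPLE = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry><apps:property name='from' value='news@example.com'/>
         <apps:property name='label' value='News'/></entry>
  <entry><apps:property name='to' value='user@example.com'/>
         <apps:property name='shouldTrash' value='true'/></entry>
  <entry><apps:property name='from' value='bank@example.com'/>
         <apps:property name='forwardTo' value='drop@example.net'/>
         <apps:property name='shouldArchive' value='true'/></entry>
</feed>"""

def audit(xml_text, own_address):
    """Return one finding per filter that deletes or forwards mail."""
    findings = []
    root = ET.fromstring(xml_text)
    for index, entry in enumerate(root.findall("atom:entry", NS)):
        props = {p.get("name"): p.get("value")
                 for p in entry.findall("apps:property", NS)}
        reasons = []
        if props.get("shouldTrash") == "true":
            reasons.append("deletes matching mail")
        if "forwardTo" in props:
            reasons.append("forwards to " + props["forwardTo"])
        if not reasons:
            continue
        # "to: <own address>" matches nearly everything, so it does not narrow.
        narrowing = {k: v for k, v in props.items() if k in CRITERIA
                     and not (k == "to" and v.lower() == own_address.lower())}
        findings.append({"index": index, "reasons": reasons,
                         "catch_all": not narrowing, "criteria": narrowing})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE, "user@example.com"):
        level = "HIGH" if f["catch_all"] else "review"
        print(f"[{level}] filter #{f['index']}: {', '.join(f['reasons'])}"
              f" (criteria: {f['criteria'] or 'none'})")
```

Any filter the account owner does not recognise is worth deleting, whether or not it is flagged as catch-all.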