(OT) Gmail Account Hacked - what else should I do?

Stephen Partington cryptworks at gmail.com
Mon Jan 16 17:35:21 MST 2017


2 factor authentication is a huge step to protecting your account. PS take
a picture of the QR code and save the code to type in. Can help in
authenticator recovery.


On Mon, Jan 16, 2017 at 3:37 PM, Matthew Crews <mattcrews at mattcrews.com>
wrote:

> I'll start with the obvious.
>
> 1. Change her password. Use something fairly complex and UNIQUE, do not
> reuse an existing password.
>
> 1a. Download a password manager and change ALL passwords. I would ALMOST
> recommend using this for Google, but Google is one of those services you
> need to memorize the password for.
>
> 2. Enable 2FA. I presume you are using a cell phone that has text
> messaging support. Enable 2 factor authentication with her Google account,
> either with SMS or with their authentication app.
>
> 3. Enable 2FA. Seriously, if a service has that option, use it.
>
> 4. Install some virus scanners and look for malware. The most likely
> reason her account was hacked, besides password reuse, is a drive-by
> malware install from web advertising.
>
> 4a. A full reformat of her PC is recommended. I would use a Linux tool
> like DD or Shred to completely wipe the HD, boot sector included.
>
> 5. Fully update her system. This includes OS updates, software updates,
> driver updates, etc.
>
> 6. Install ad-block or similar software, and/or uninstall Flash and Java,
> to limit or eliminate this attack vector.
>
> 7. If your wife is not tech savvy, now would be a good opportunity to
> teach her general safe practices for surfing the web.
>
> 8. Don't exclude the possibility of malware on her smart phone, if she has
> one. If it's an old Android or iOS phone that no longer receives OS
> updates, I recommend tossing it and buying something that receives them still.
>
> Those are the basics.
>
> On Mon, Jan 16, 2017, 15:25 Mark Phillips <mark at phillipsmarketing.biz>
> wrote:
>
>> Some missing information - her PC runs Windows, and she only accesses
>> gmail through her browser.
>>
>> Mark
>>
>> On Mon, Jan 16, 2017 at 3:23 PM, Mark Phillips <
>> mark at phillipsmarketing.biz> wrote:
>>
>> It looks as if my wife's gmail account was hacked on Jan 9, and I want to
>> see if there is anything else we have to do to clean up the mess.
>>
>> 1. She stopped getting any email on Thursday in this account. We tracked
>> it down to a filter that sent all incoming email to Trash. We deleted the
>> filter.
>>
>> 2. A little more digging, and we found a suspicious login from NY on Jan
>> 9. She swears she was not in NY on that day....and, absent any proof to the
>> contrary, I believe her. ;)
>>
>> 3. There was a Google Brand account attached to her gmail account, which
>> we deleted. No idea what that is.
>>
>> 4. There are several delivery failure emails in her Trash folder like
>> this one:
>> Address not found
>> Your message wasn't delivered because the domain houston.rr.com couldn't
>> be found. Check for typos or unnecessary spaces and try again.
>> The response from the remote server was:
>> DNS Error: 10339950 DNS type 'mx' lookup of houston.rr.com responded
>> with code NOERROR 10339950 DNS type 'aaaa' lookup of
>> cdptpa-smtpin01.houston.rr.com. responded with code NXDOMAIN 10339950
>> DNS type 'a' lookup of cdptpa-smtpin01.houston.rr.com. responded with
>> code NXDOMAIN
>>
>>
>> Final-Recipient: rfc822; jham003 at houston.rr.com
>> Action: failed
>> Status: 4.0.0
>> Diagnostic-Code: smtp; DNS Error: 10339950 DNS type 'mx' lookup of
>> houston.rr.com responded with code NOERROR
>>  10339950 DNS type 'aaaa' lookup of cdptpa-smtpin01.houston.rr.com.
>> responded with code NXDOMAIN
>>  10339950 DNS type 'a' lookup of cdptpa-smtpin01.houston.rr.com.
>> responded with code NXDOMAIN
>> Last-Attempt-Date: Sat, 14 Jan 2017 14:09:54 -0800 (PST)
>>
>>
>> ---------- Forwarded message ----------
>> From: Steven Walls <allison at phillipsoasis.com>
>> To: Steven Walls <wallssteven1 at adsolutionpro.us>
>> Cc:
>> Date: Wed, 11 Jan 2017 15:21:41 -0500
>> Subject: Apple Inc. is Hiring with an Attractive Pay!!!
>> Need weekly pay for driving your car?
>>
>> Make $ 400 every week for having an AD of Apple Inc. attached to you car
>> while you drive.
>>
>> Reply to find out more.
>>
>>
>> Steven Walls
>>
>> I assume Mr Walls is the hacker (or his/her alias) and was using her
>> account to send out spam emails. We have changed her password to something
>> a little more obtuse than what she was using....Will have to get her set up
>> with LastPass to keep her honest with her passwords.
>>
>> Anything else we should do?
>>
>> Thanks!
>>
>> Mark
>>
>>
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>
>



-- 
A mouse trap, placed on top of your alarm clock, will prevent you from
rolling over and going back to sleep after you hit the snooze button.

Stephen