Google report Gmail problem as phishing

One year after my domain name was stolen, Google’s Chris Evans has published a blog article reporting the theft as a phishing scheme, whereby the victim is tricked into sharing their email login details.
“Several news stories referenced a domain theft from December 2007 that was incorrectly linked to a Gmail CSRF vulnerability. We did have a Gmail CSRF bug reported to us in September 2007 that we fixed worldwide within 24 hours of private disclosure of the bug details. Neither this bug nor any other Gmail bug was involved in the December 2007 domain theft.”
I’m sure Chris meant November.
Google’s blog post came in response to the more recent theft of MakeUseOf.com. Aibek, the MakeUseOf owner, has subsequently, and thankfully, had his domain name returned.
I like to think I’m cautious enough not to open a strange .exe email attachment, nor enter my login details on a fake website, but if that’s what happened, so be it.
I do, however, find it a little odd that a thief would gain access to my Gmail account, then choose to add email forwarding filters rather than simply change my password, thus locking me out. I published what I believed happened in my previous Gmail hack article.
Regardless, I’m glad Aibek of MakeUseOf had his domain name returned, and that Google have publicly acknowledged the previous Gmail CSRF vulnerability, even if it is over a year after the incident.
Aibek and I are two of the lucky ones. Many other domain theft victims contact me asking for help. Sadly, there’s little I can do except refer them to my account of what happened.
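The thief in the account above did not change the password; he added forwarding filters, which is why readers keep being told to check their filters. Gmail lets you export filters as an Atom XML file in which each rule is an entry with apps:property elements (the format assumed here, from what such an export looks like). The script below is an added example, not part of the original post: it parses such an export and flags any rule that forwards mail outside the domains you own, especially when the same rule also trashes, archives or marks the mail as read so the owner never sees it. The sample export, the domain names and the address values are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Actions that, combined with forwarding, hide the forwarded mail from the owner.
HIDING_ACTIONS = ("shouldTrash", "shouldArchive", "shouldMarkAsRead")

# Constructed sample of a Gmail filter export (assumed format); not a real mailbox.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.org'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='@registrar.example'/>
    <apps:property name='forwardTo' value='mailbox@unknown-party.example'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='invoice'/>
    <apps:property name='forwardTo' value='accounts@davidairey.example'/>
  </entry>
</feed>"""


def parse_filters(xml_text):
    """Return one dict of property name -> value per filter entry in the export."""
    root = ET.fromstring(xml_text)
    filters = []
    for entry in root.findall(ATOM + "entry"):
        props = {p.get("name"): p.get("value") for p in entry.findall(APPS + "property")}
        filters.append(props)
    return filters


def flag_suspicious(filters, own_domains):
    """Return [(index, [reason, ...])] for every rule that forwards mail off-domain."""
    own = {d.lower() for d in own_domains}
    findings = []
    for i, rule in enumerate(filters):
        reasons = []
        target = rule.get("forwardTo")
        if target:
            domain = target.rsplit("@", 1)[-1].lower()
            if domain not in own:
                reasons.append("forwards matching mail to external address %s" % target)
            hidden = [a for a in HIDING_ACTIONS if rule.get(a) == "true"]
            if hidden and domain not in own:
                reasons.append("forwarded mail is also hidden from the inbox (%s)" % ", ".join(hidden))
        if reasons:
            findings.append((i, reasons))
    return findings


def audit(xml_text, own_domains):
    """Human-readable report lines; empty list means nothing suspicious was found."""
    report = []
    for i, reasons in flag_suspicious(parse_filters(xml_text), own_domains):
        report.append("filter #%d: %s" % (i, "; ".join(reasons)))
    return report


if __name__ == "__main__":
    for line in audit(SAMPLE_EXPORT, {"davidairey.example"}) or ["no suspicious filters"]:
        print(line)
```

Run it against your own export with the set of domains you actually control; any rule that forwards to an address you do not recognise, and particularly one that also sends the original to the bin, is the pattern described in this post and deserves an immediate password change and a look at the account's recovery settings.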
18 appreciated comments on “Google report Gmail problem as phishing”
I always find it staggering to see the 547 comments left on that article of yours especially when it comes up under your related posts section. I can’t believe it happened at such a bad time for you as well. But as always thanks for sharing, I am sure many people have and will check their filters more frequently.
You know this is scary stuff!
I think I’d puke if my site was hacked. You’ve given us some great advice including the advice about using images/myimage.jpg instead of http://www.davidairey.co.uk/images/myimage.jpg
I am also doing the full domain, and you’ve made me realise thank you, that this yes is flawed and doesn’t prepare for the possible need for a domain name change.
Jacob,
The support received was fantastic. A great testament to the power of community. I certainly check my filters more frequently.
Amanda,
There’s a negative aspect to using only the image directory i.e. without the main domain, and it involves web traffic from image searches. I’ve actually re-added most of the full code to my images (a painstaking task) in order to boost those visits. Pros and cons though.
Really? Because I get tons of traffic from image searches anyway, I must be doing something else wrong! :)
Your experience was truly illuminating in SO many ways. I find it amusing that a year later, Google is saying “Not our fault!”
They say wisdom is learning from someone else’s experience so I’d like to personally thank you for sharing what happened. It’s truly changed the way I handle my own domain registration information issues as well as how I work with clients.
When you Tweeted about this Gmail thing last week, I was questioning it because I’m sure you’re a savvy web/email user, David. I can’t imagine you being suckered into giving out your login information like that. And it’s quite curious why it took Google so long to address the issue… seems fishy (no pun intended).
Regarding the images/myimage.jpg thing, I think WP automatically adds the rest of your domain in there. It’s like with linking. If you don’t put the http:// in there first, WP automatically affixes http://yourdomain.com to the beginning. Ever see those links that go http://yourdomain.comwww.linktoanothersite.com? That’s what’s happening. I believe it’s the same with images, no?
I think that large organisations like ebay, paypal, etc should try to do more to make it harder for people to be tricked in to giving away details they shouldn’t. The situation will only get worse as time goes on unless an intelligent solution is presented. I once received an e-mail from a fake paypal site and the sneaky crooks had recreated the homepage of paypal exactly as it is to try and get people’s details. I was very impressed by this but at the same time horrified. I reported the site but am sure they will just set up another one. The best advice I received was to never click on an e-mail link to get to a site, instead type the url directly into your browser.
Amanda,
Haha. I’m sure you’re doing lots right. Perhaps I’ve been wrong to go re-adding all those http://www.davidairey.com lines before my /image/image.jpg code. Due to the time it took, however, I’m sticking with the opposite.
Kathy,
I think quite a few others found the documenting of my experience beneficial, which is great. I’m curious how it affected your client practices.
Lauren,
It is quite phishy ;) even though I can’t rule out the idea I was tricked. I hope not, but it is possible.
Not 100% sure about those image links. Maybe there was another reason why I re-added the full code, such as images not showing in RSS feeds. Hmmm. Can’t remember now.
bubble,
I’m sure there are steps that can be taken to improve security in GMail. For instance, you could have to re-enter your password before applying filters to the account, which would prevent cross-browser script attacks. That said, they’re apparently all fixed now.
Hmm, scary stuff, especially when your entire livelihood is tied into your website(s). I don’t know what I would do if I was to lose control of my email, domains or PayPal account – it would pretty much be the end of the world for me, or at least for my career.
Don’t know how to say this – congrats on the link from Google Blog – pretty bad a**
Hope nothing like this happens again
Scary stuff indeed. I think the internet is quite scary though when you rely on it for income… there is always going to be an element of lack of control when it comes to SEO. Google + others only need to change things and so many people’s world is suddenly turned upside down.
Thanks David, your story as well as the others has made me think twice about where and how I check my email, as well as other secure actions.
Hi, I just received this e-mail… please let me know if it is fake… unfortunately I did reply, but only sent my name and address, not date of birth or other details:
Dear Sir/Madam,
This mail is to notify you have been selected as a winner to receive the sum of £850,000 British Pounds in our on-going Google anniversary lotto draws.
Your email address was attached to the following winning numbers that made you one of our lucky winners for this year draw :Ticket number: 00869575733664, CGPN:7-22-71-00-66-12,Serial
numbers:BTD/8070447706/06,Lucky numbers:12-12-23-35-40-41(12).
For more info/ how to claim your prize,contact the processing agent (Mr. Grahams Benfield) with the email addresses below by sending your winning numbers,full names, sex and location.
Agent E-mail(s):grahamsbenfield.agent@gmail.com,grahams.benfield@thedotmail.com
Wishing you goodluck as you’ll spend your fortune!!
Sincerely,
Mr. Petersen, Promo Coordinator
Too good to be true, Francesca.
I received that email too from Google UK. I followed all the steps until the payment part. They sent me a certificate and everything seemed so official. That Mr. Grahams Benfield will direct you to an APC Courier agent. And you will have to fill out forms again. Eventually the APC agent will send you an email saying that they will call your phone immediately. I received a call from an unknown number… the person speaking was unclear. He seemed to have a strange accent… a mix between Indian and British? Also the phone line was quite fuzzy. Everything until this phone call seemed so legit. I almost fell for it. But, the last procedure is to actually send out a money transfer through Western Union. I chose the Normal Delivery Option which cost £391.00 GBP because of insurance and other fees. This totals around $630. I was so close to falling completely for this scam. I was smart at the last minute (thank goodness!) and checked around online. This is DEFINITELY a scam. Also, this scammer is VERY good. WARNINGS TO ALL!
Hi David!
I ran into your blog during a perusal of Matt Mullenweg’s blog and ended up reading several articles/posts you wrote, including the ones related to the whole Gmail + phishing + domain craziness issue.
Firstly, I am incredibly sorry to hear that you had to endure something like that; what an immense invasion of privacy for sure, but I am so glad that you got things taken care of.
Secondly, I know I’m coming in super late to the conversation, but I wanted to offer a piece of my own experience in regards to someone managing to ‘crack’ me (though not in the same manner) and how they might have done it.
Perhaps it might offer some insight into how such situations can be avoided in the future or at least provide some sort of reassurance or warning that these things can happen even when one is being careful – who knows.
Unlike what a lot of people have been suggesting about how you might have acquired a keylogger through unsafe browsing or emailing habits, I am suggesting that you might have gotten exposed to an exploit through ‘friendly’ means – eg: through a friendly, trusted website.
You’re an artist, so you are probably familiar with art sites like deviantArt.
I used dA for years (up until the last two years) and it was one of my most ‘trusted’ websites where I browsed with little to no fear of my computer being exploited.
And then one night about two years ago, my best friend sent me a dA link to someone’s artwork and after I clicked on the link as a logged-out/guest user, BAM.
That is how I got the worm/virus/keylogger/whatever it was onto my computer.
How?
If you are familiar with dA then you know how dA puts up advertisements on their site if you are only a basic member or if you are not logged into the site.
The ad is how I got my computer bug. The site (dA) was friendly enough, but the ads at that particular moment were malicious.
No questions about it because my antivirus caught it immediately almost right after I opened the site, but the damage was already being done.
I had SSH open because I was doing work and I promptly got a second virus/bug warning from my antivirus saying that my SSH was now corrupted with a backdoor Trojan hack of some sort and the account I was using was compromised thereafter, which of course indirectly compromised my other accounts as well along with my main account with my hosting provider.
Additionally, I started seeing popups everywhere on my web browser directing me to anti virus software and my OS was starting to glitch here and there.
Thankfully, the damage done was minimal compared to your situation.
Where my domains DID get hacked into and I DID lose control over the domain I was attending to at the time and got various viral marketing ploys inserted into the coding of various domains I was managing, I managed to get in touch with my web host right away and with their help, I was able to prevent further damage beyond that.
After a massive disk wipe of my computer and resetting passwords to EVERYTHING and being a little more ‘wise’ for the wear, things were back to normal except for one thing.
I never have gone back to dA if I could help it and I have become a lot more wary of ‘trusted’ sites – especially if they run adverts.
So anyways, I guess why I’m sharing what I did is to say that I fully believe that it IS possible to be exploited by a ‘friendly’ site – after all, I was.
Granted, it was the adverts and not the site itself, but the site was running said adverts, so…
Yeah.
Happy 2010 to you and may you never experience such a thing again!
Thanks for sharing your work!
Good of you to share your story about deviantArt. I don’t visit the site often at all, but from time to time someone will want me to look at work there, and as you know only too well, one visit is all it takes. Happy 2010 to you, too.
@EMG, David and others:
If you’re using the Firefox web browser (or the SeaMonkey suite), NoScript (http://www.noscript.net/) will do exactly what you want; allow you to choose on a per-domain basis which sites you wish to trust, with the default behaviour being to automatically distrust all new websites, and also distrust third-party content which is loaded into trusted sites.
A nice side-effect of this is that you don’t need to run an ad blocker – after right-clicking and blocking images from doubleclick.net and 3 or 4 others (after a new install of firefox), I rarely ever see any more ads since the vast majority of them either are served by those Big Few, or are loaded using scripts.
The primary benefit of NoScript, however, is the added security, as detailed on the main NoScript site. Sure, there’s always the *possibility* that you could get taken in by a malicious program that you actually have to download and execute manually, but there are solutions for that as well… *cough*Sandboxie*cough* ;)
Dennis O’Reilly of CNet.com put it well:
“Giorgio Maone’s NoScript script-blocking plug-in (donationware) is the one-and-only Firefox add-on I consider mandatory. The program lets you block scripts on a site-by-site and source-by-source basis.”
(http://news.cnet.com/8301-13880_3-20046108-68.html)
Ironically, NoScript does include Anti-Cross-Site-Scripting measures which would have prevented the method of attack which you (David) believe to have precipitated the takeover of your online presence, regardless of whether or not the attacking site was marked as ‘trusted’. In such a situation, NoScript shows a bar like this:
http://software.informaction.com/data/noscript/ss-xss0s.png
It’s one of those extensions which does more than you thought you needed (and helps you avoid that sunken feeling of disappointment and anger when you realise your browser just bent over and let in something nasty); my only post-install suggestions would be go to Options> Notifications and untick the ‘Show message about blocked scripts’ box, since it can get annoying having that bar show up on basically every site, and doing the same for the ‘Show release notes on updates’ option, since this is easily the most often updated add-on out of the 20 or so that I employ – a good thing when it comes to security enhancements! The relevant Options screen is accessible through the menu that comes up when you right-click NoScript’s button in the status bar or anywhere else.
I feel I’m rambling a lot, so I’ll end it there. Thanks for your blog posts detailing your unfortunate foray in the world of domain hijacking, they were an interesting read!
Regards,
- Matthew