7/2/10
Original Poster
bhannemann

Account Hacked from China, Scammer Spammed Entire Contacts List

Hello,
 
Google Team, if you can provide any assistance or would like more information, please contact me.
 
This morning, my Gmail account was hacked from China.  The hacker sent an email to my entire contact list in several batches, at roughly 9:18am EST:
 
(begin message)
hi
I order china Product Apple Laptop
I've received the Product!
this website:Toradeo.com
I believe you will find what you want there and have an good experience
on shopping from them.
Regards!

(end message)
After logging in this morning, I found approx 30 responses, either from friends asking what happened or automated successful or failed delivery messages.  I immediately clicked the "Last account activity" details link, clicked the button that logs out other sessions, and proceeded to change my password.  I noticed among the "Recent activity" that there was an entry from China:
 
Browser   China (115.49.91.53)   9:20 am (19 minutes ago)
 
I have searched for items that may be related to this scam, and have found a couple:
(account was apparently hacked the same as mine, this message is identical) http://old.nabble.com/hello-td29052092.html
 
Other than that, this appears to be a fairly new scam.  The site mentioned in the scam message appears to be a Chinese electronics store, which is likely just a scam to get more private information.
 
Some additional details:
- I routinely access my account via IMAP on my Sprint phone.
- On my computers, I have been using Chrome dev channel for the past 3 weeks, but have used mostly Firefox in the past
- I access Gmail from home, running Win7 Ultimate and Enterprise, and at work on WinXP sp2
- My home computers have Microsoft Security Essentials, and at work they are running a version of Symantec.
- My extensions include Adblock, Xmarks, Better Gmail, and RSS Subscriptions.
 
Please use this thread to offer recourse, share experiences that may be related to this one (same IP, same or very similar message, same timeframe), or just to help get the word out about this attack.
 
Thanks,
Brendan
All Replies (32)
Clinty76
7/3/10
Clinty76
My wife had the exact same thing happen to her this afternoon at 3:05pm 

The email went to everyone in her contacts list. The weird thing is that there was a new contact in her list "Options(her address)@gmail.com."  All the emails that went out were addressed to this, but delivered to her contacts. Here is the email:

hello:
I have Order china Product Apple iPad Wi-Fi 32GB
I have received the product!
this web:Toradeo.com
I believe you will find what you want there and have an good experience
on shopping from them.
Regards!

I looked in her recent data and it showed that this accessed her account:

China     115.49.91.53      3:05 pm

I immediately changed her password!
Clinty76
7/3/10
Clinty76
By the way, we're on a Mac using Safari 5.0
N88888
7/3/10
N88888
okay here is what I have.

Domain Name.......... toradeo.com
Creation Date........ 2010-06-04 18:35:45
Registration Date.... 2010-06-04 18:35:45
Expiry Date.......... 2011-06-04 18:35:45
Organisation Name.... lim iao
Organisation Address. henan
Organisation Address.
Organisation Address. henan
Organisation Address. 000000
Organisation Address. HA
Organisation Address. CN

Admin Name........... limiao
Admin Address........ henan
Admin Address........
Admin Address........ henan
Admin Address........ 000000
Admin Address........ HA
Admin Address........ CN
Admin Email.......... cheny@it5.cn
Admin Phone.......... +86.18750229834-8888
Admin Fax............ +86.5925861834

Tech Name............ alice chen
Tech Address......... xiamen
Tech Address.........
Tech Address......... Xiamen
Tech Address......... 361004
Tech Address......... FJ
Tech Address......... CN
Tech Email........... zhanyx@it5.cn
Tech Phone........... +86.2201030
Tech Fax............. +86.5922201030

Bill Name............ alice chen
Bill Address......... xiamen
Bill Address.........
Bill Address......... Xiamen
Bill Address......... 361004
Bill Address......... FJ
Bill Address......... CN
Bill Email........... zhanyx@it5.cn
Bill Phone........... +86.5922201030
Bill Fax............. +86.5922201030
Name Server.......... ns2.dns.com.cn
Name Server.......... ns1.dns.com.cn

N88888
7/3/10
N88888
Just thought of something......I recently used an app on my new nokia touch phone for google mail. It seems to be VERY coincidental that the next day after putting my username and password in it that this happens....??
N88888
7/3/10
N88888
The registrar of the site in question is dns.com.cn/ and they are "A leading mobile Internet service provider" which only further solidifies my earlier findings.....GOD, I FN HATE PEOPLE LIKE THIS!!!!
7/3/10
Original Poster
bhannemann
Was the Nokia app called Octrotalk?  That was the only app I have used recently on my phone that I have not used in the past.  I used it for a day back in April but deleted it after.
liverpoolfcamerica
7/3/10
liverpoolfcamerica
I too am a victim. I was on the road when this message was sent 'from me'. I have no mobile devices of any kind that access the internet. I immediately changed my password, but somehow I suspect this isn't going to matter.
liverpoolfcamerica
7/3/10
liverpoolfcamerica
This is the IP address the access came from. You can find this by clicking details at the very bottom of your Gmail account where it says Details next to where your last log in activity occurred. This is the entry from China:

Browser China (115.49.91.53) Jul 2 (17 hours ago)

7/3/10
Original Poster
bhannemann
http://googleonlinesecurity.blogspot.com/2010/03/detecting-suspicious-account-activity.html

IMO this really should be taken one step further.  In addition to displaying a message, it should have the option to shut down access without some other form of verification (such as sending confirmation to a separate email address).  This option would help to prevent access by geographically foreign attackers, such as what we have experienced here.

I really hope we hear from Google on this because it appears this particular hacker is still on the prowl.
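As an added example (not part of this thread or of Gmail), here is a small Python script that parses "Recent activity" lines in the shape quoted by the posters, flags sessions from a country outside the owner's usual set (the check the post above asks Google to act on), and lists the response steps the posters took. The sample lines, the documentation-range IPs and the home-country set are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample in the layout of Gmail's "Recent activity" table
# (access type, country and IP, time). 192.0.2.x / 198.51.100.x are
# documentation ranges; 115.49.91.53 is the address quoted in the thread.
SAMPLE_ACTIVITY = """\
Browser   United States (192.0.2.10)   8:02 am (1 hour ago)
Mobile (IMAP)   United States (198.51.100.7)   8:40 am (41 minutes ago)
Browser   China (115.49.91.53)   9:20 am (19 minutes ago)
"""

IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


@dataclass
class Entry:
    kind: str      # "Browser", "Mobile (IMAP)", ...
    country: str
    ip: str
    when: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one activity row; tolerates both multi-space columns and single-spaced copies."""
    line = line.strip()
    m = IP_RE.search(line)          # the IP in parentheses splits the row in two
    if not m:
        return None
    left, when = line[:m.start()].rstrip(), line[m.end():].strip()
    cols = re.split(r"\s{2,}", left)
    if len(cols) >= 2:              # column layout: access type, then country
        kind, country = cols[0], cols[-1]
    else:                           # single-spaced copy: first word is the access type
        kind, _, country = left.partition(" ")
    return Entry(kind.strip(), country.strip(), m.group(1), when)


def parse_activity(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def flag_unexpected(entries: List[Entry], home_countries: Set[str]) -> List[Entry]:
    """Sessions from outside the owner's usual countries: the trigger for step-up verification."""
    return [e for e in entries if e.country not in home_countries]


def response_steps(flagged: List[Entry]) -> List[str]:
    """Steps the posters took once a foreign session showed up (empty if nothing is flagged)."""
    if not flagged:
        return []
    return ["Sign out all other sessions", "Change the password",
            "Review contacts, filters and forwarding for additions you did not make"]
```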
liverpoolfcamerica
7/3/10
liverpoolfcamerica
It might be a pain but worth it in the bigger picture...adding a screen where the sign in user has to type in a 'match' verification to some text being shown in a box would really help with this also I think.
ArniGeir
1/26/11
ArniGeir
The same hacker (hn.kd.my.adsl)  compromised my gmail this morning and sent out spam mail to all my contacts.   I'm just furious to hear that this same individual (it seems) is doing the same thing over and over again.   I've not been using other devices than my own laptop to access the gmail website but in my case I suspect XSS or similar attack (try google XSS).  Anyway, I'm reviewing all my security defenses.   Not logging in or having a Gmail session while browsing sites that are likely to be XSS vulnerable (all sites that accept and display submitted customer/user content), change the password regularly etc etc.    Guess I'm becoming a bit paranoid :-)