Join Early Retirement Today
Reply
 
Thread Tools Search this Thread Display Modes
Compromised Email Account
Old 01-23-2012, 06:22 PM   #1
Thinks s/he gets paid by the post
Katsmeow's Avatar
 
Join Date: Jul 2009
Posts: 2,446
Compromised Email Account

This is long but I really need suggestions.

My main email webmail was compromised and I'm trying to figure out what happened and if I need to do anything more to make certain I don't have a keylogger on my computer. Here is the situation:

For years my main email has been one I set up using my own domain. That is, let's say my domain was fubar.com (it isn't -- just using it for example). My domain is hosted at godaddy. I don't use fubar.com for anything other than a domain name for my email. Through godaddy I have email set up and godaddy provides webmail if I want to long onto my email account on the internet. In practice, I very rarely use the webmail. I have a master email account at gmail and have my fubar.com email forwarded to gmail and I send mail from fubar.com using my gmail account. So I hardly ever log into the webmail account (maybe once a month or so when I want to get a confirmation or something that I don't want to wait for it to be forwarded to gmail).

So -- several weeks ago I found that emails to fubar.com were being returned as undeliverable. I tried to log into the webmail and couldn't and ended up deleting the mailbox (through godaddy) and setting up the account again. Everything seemed to work.

Then yesterday the same thing happened. This time I called godaddy who had me...delete the mailbox and set up back up. The tech support guy sent me a test email and asked me to respond to it.

When I did the response popped us as not being from my actual email but from some other email and the response had a canned signature that was a Nigerian scam letter. I then looked at the webmail and realized someone had actually been logged in on the webmail and had created another identity to send emails using my account. I checked the login info and saw someone in Nigeria had logged in 2 days earlier and had sent out 100 or so scam emails. I also realized the same thing had happened a couple of days before the last time the email went down.

Obviously the issue for me is how did someone compromise the account. I immediately thought if a key logger so I ran Malwarebytes, AVG, and Norton 360. Nothing turned up except a few tracking cookies.

My password is one that I have used for awhile. It isn't one anyone is likely to disagree (it appears to be random but isn't really but no one could really guess it since it is based upon information that is not publicly available and is available only to me).

I am very careful and have never had a keylogger or virus (that didn't get caught by a virus checker).

The computer I am using is only a few months old. From before I got it I use RoboForm so I don't think I've ever typed the email password into the webmail login form since the password was already saved into RoboForm before I even got this computer. It is possible that I might have typed in that password on my notebook that I use at the office although that wouldn't have often happened.

Possibilities:

1. There is a keylogger on my computer at home but Malwarebytes, Norton 360 and AVG didn't find it. Is that at all possible? Is there something else I should use check for a keylogger?

2. There is a keylogger on my notebook I use at work. Possible I guess but unlikely. I use it only at work and don't go hardly anywhere except major web sites. The office blocks lots of websites so access is pretty limited.

3. Someone got my password and email from some forum or store or some other place where I use the same password for my forum login. I used to use that password a lot of places. I've mostly phased it out but haven't changed it everywhere yet.

4. Someone got my password from the godaddy webmail or something else godaddy related. If that is a possibility maybe I should change my domain hosting to somewhere else (any ideas? I just need hosting for email really).

Basically I feel sort of frozen now. I'm scared to change passwords on my desktop or my office notebook. I could I guess reformat my hard drives (I have an SSD drive with programs on it I want to run quickly then I have another drive with my other programs and my data), but I don't really want to do that unless I have to.

Any ideas?
__________________

__________________
Katsmeow is offline   Reply With Quote
Join the #1 Early Retirement and Financial Independence Forum Today - It's Totally Free!

Are you planning to be financially independent as early as possible so you can live life on your own terms? Discuss successful investing strategies, asset allocation models, tax strategies and other related topics in our online forum community. Our members range from young folks just starting their journey to financial independence, military retirees and even multimillionaires. No matter where you fit in you'll find that Early-Retirement.org is a great community to join. Best of all it's totally FREE!

You are currently viewing our boards as a guest so you have limited access to our community. Please take the time to register and you will gain a lot of great new features including; the ability to participate in discussions, network with our members, see fewer ads, upload photographs, create a retirement blog, send private messages and so much, much more!

Old 01-23-2012, 06:32 PM   #2
Administrator
W2R's Avatar
 
Join Date: Jan 2007
Location: New Orleans
Posts: 27,077
Have you tried changing your password on the fubar webmail account and then testing to see if it still sends the Nigerian response?

If Norton, malwarebytes, and AVG all say your computer at home is clean, it is probably clean IMO.
__________________

__________________
“Knowing others is intelligence; knowing yourself is true wisdom. Mastering others is strength; mastering yourself is true power. If you realize that you have enough, you are truly rich.”
- - Lao-tzu
W2R is offline   Reply With Quote
Old 01-23-2012, 07:00 PM   #3
Dryer sheet aficionado
 
Join Date: Nov 2007
Location: a suburb somewhere
Posts: 48
Quote:
Originally Posted by Katsmeow View Post
2. There is a keylogger on my notebook I use at work. Possible I guess but unlikely. I use it only at work and don't go hardly anywhere except major web sites. The office blocks lots of websites so access is pretty limited.
Speculating here:

Your work computer may not be compromised but the corporate network may be. Do you use an HTTPS connection to get to your webmail? If not, your traffic may be monitored by IT and subject to hacking from outside.

Also, have you checked your domain info with WHOIS? Your password isn't based on your personal information, is it? Just askin.
__________________
flotsamandjetsam is offline   Reply With Quote
Old 01-23-2012, 07:06 PM   #4
Recycles dryer sheets
Rowdy's Avatar
 
Join Date: Jul 2011
Posts: 104
Some ideas based on my email being compromised a few years ago:

- Make sure you are using the secure log in feature (https) of your email. Both Yahoo and Gmail offer this under settings. I suspect this is how my email was compromised.
- Go through all your email settings to make sure there is nothing unusual. When mine was compromised, the person set up an auto vacation response. Check for alternate emails or auto forwarding.
- Download "Emsisoft Anti-Malware" from download.com. This worked pretty well in getting rid of some troublesome spyware.
- Only log in to your accounts from secure wireless networks. Your info can get compromised using an open WIFI network.
- Set up strong passwords; check the internet for tips.
- I like Avast for virus protection.

Hope this helps.
__________________
Rowdy is offline   Reply With Quote
Old 01-23-2012, 07:19 PM   #5
Recycles dryer sheets
 
Join Date: May 2010
Posts: 254
My money is on #3 in your list.

Your password was probably obtained from somewhere else that you use it. If I were you I'd change it ASAP and stop using it for anything that matters.
__________________
DoingHomework is offline   Reply With Quote
Old 01-23-2012, 07:20 PM   #6
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Sep 2005
Location: Northern IL
Posts: 12,452
Quote:
Originally Posted by Katsmeow View Post
Then yesterday the same thing happened. This time I called godaddy who had me...delete the mailbox and set up back up. The tech support guy sent me a test email and asked me to respond to it.
When you say you set it back up - did you use a new, strong password? If not, the bad guy is going to get right back in.

I apologize if that seems obvious, but one thing I learned troubleshooting is don't assume anything. And if it wasn't obvious to you, I apologize for thinking it might be obvious

Also, I think a lot of these hacks are done with random tries by robots. But with a unique domain name, that seems like a small chance.

Hope you solve this.

-ERD50
__________________
ERD50 is offline   Reply With Quote
Old 01-23-2012, 07:25 PM   #7
Dryer sheet aficionado
 
Join Date: Nov 2007
Location: a suburb somewhere
Posts: 48
Another thought: Do you have teenagers in the house? They seem to have no regard for computer security.
__________________
flotsamandjetsam is offline   Reply With Quote
Old 01-23-2012, 07:44 PM   #8
Thinks s/he gets paid by the post
 
Join Date: Jul 2005
Posts: 2,860
Change the password to something completely new from your home computer. That should fix the problem. Do the same for all of the other accounts using the old password, hopefully all with unique passwords but you could use a common one for non-monetary sites. If you are concerned about a key logger you can type in the new password by repositioning the cursor with the mouse between keypresses, so the key logger shows the characters out of order. A nice 16 character password would be nice.

If that doesn't work I'd call Go Daddy again and let them know your account has been compromised and a careful password change didn't solve the problem. It is possible that the problem is on their end, not that they would admit it.
__________________
Animorph is offline   Reply With Quote
Old 01-23-2012, 07:49 PM   #9
Thinks s/he gets paid by the post
Katsmeow's Avatar
 
Join Date: Jul 2009
Posts: 2,446
To answer some questions:

The password was changed immediately yesterday and then again today.I deleted the Nigerian's identity that was set up and have checked login activity on the webmail and it has been fine.

No, my password was not based upon personal identity information. The Domain whois info is fine. I register it through godaddy and keep my registration info private in any event.

I am going to totally stop using that password for anything. I just didn't want to start wholesale changing it until I was sure that this computer was safe and didn't have a keylogger.

My teenage son does use this computer occasionally. He really isn't careless and generally doesn't get a lot of malware on his own computer but he is probably more likely to go somewhere unsafe than I am. That said - Malwarebytes, AVG and Norton 360 found nothing on this computer.

Rowdy -- Thanks for the suggestion. I will try Emsisoft Anti-Malware
__________________
Katsmeow is offline   Reply With Quote
Old 01-23-2012, 07:57 PM   #10
Recycles dryer sheets
Rowdy's Avatar
 
Join Date: Jul 2011
Posts: 104
Katsmeow: FYI, in Download.com, search for "Emsisoft Anti-Malware Free (Previously A-squared Free)".
__________________
Rowdy is offline   Reply With Quote
Old 01-23-2012, 08:02 PM   #11
Dryer sheet aficionado
 
Join Date: Nov 2007
Location: a suburb somewhere
Posts: 48
I didn't mean to disparage your son by generalizing about teenagers. But, recently, I discovered an unknown computer on our home network. My son had generously shared his login credentials with a friend who was visiting. No harm done but these things happen.
__________________
flotsamandjetsam is offline   Reply With Quote
Old 01-23-2012, 08:36 PM   #12
Thinks s/he gets paid by the post
Ed_The_Gypsy's Avatar
 
Join Date: Dec 2004
Location: Baku, Azerbaijan
Posts: 4,579
#3 or #4, I am guessing.

It has been recommended to me to use different passwords and different usernames in each account.

Long PW's with symbols and numbers are also recommended. Crackers will use a program that just iterates through the alphabet starting with short PW's and go from there. symbols and numbers increase the complexity of the PW and longer is really better. It is also a pain to remember. I think it is safer to have a long one and write it down than to have a short one you can remember. And change them regularly.
__________________
"Ain't got no money for no old-age pension;
I'm so broke, I can't pay attention!"

"I started out with nothin' and I still got most of it left."
Ed_The_Gypsy is offline   Reply With Quote
Old 01-23-2012, 08:41 PM   #13
Recycles dryer sheets
Avalon's Avatar
 
Join Date: Jun 2010
Posts: 342
Might a keylogger show up on a netstat -b run, or am I thinking wrong?
__________________

...open up your mind and see like me...
Avalon is offline   Reply With Quote
Old 01-23-2012, 08:51 PM   #14
Thinks s/he gets paid by the post
Katsmeow's Avatar
 
Join Date: Jul 2009
Posts: 2,446
I am actually fairly good with passwords but I freely admit this one is more of a problem. Not because the password is bad. It is actually fair strong with letters and numbers but I tended to use it at a lot of places that didn't allow a non-letter, non-number password.

The last year or so I've moved to mostly doing a couple of things for passwords:

1. For sites that are non-sensitive (forum log ons, logs on things like the New York Times, etc), for ease of use I do tend to use similar easy to remember passwords (they are easy for me to remember but they aren't things that are easily guessed). I have 2 or 3 of these passwords and I don't use them anywhere that is financially sensitive.

2. For really important financial sites I use a unique password for each of them.

3. I do keep almost all passwords in Roboform and protect them with my master password.

4. The way I create my best passwords is I make up a sentence that is easy to remember and then use the first letters of the sentence and put in some special characters. For example I might do something like (this is an example -- not one I use):

It was too stressful when I got lost in the Louvre in August!

The password then might be:

Iw2$wIglitLi8!


That really works well -- but there are only so many of those sentences I can remember so I really only do that for a few passwords.

5. Something I haven't done but may try is to let Roboform create a unique password using its password generator. Then, I let Roboform remember it. I could do that for places like credit cards where I want unique passwords but find it hard to remember them. The biggest problem is that I wouldn't remember them if I was away from my home computer and didn't have Roboform.
__________________
Katsmeow is offline   Reply With Quote
Old 01-23-2012, 09:51 PM   #15
Moderator Emeritus
Nords's Avatar
 
Join Date: Dec 2002
Location: Oahu
Posts: 26,320
Quote:
Originally Posted by Katsmeow View Post
I am actually fairly good with passwords but I freely admit this one is more of a problem. Not because the password is bad. It is actually fair strong with letters and numbers but I tended to use it at a lot of places that didn't allow a non-letter, non-number password.
You may have already done this, but Hotmail used to get hacked in its "Vacation reply" or "Out of office" auto-response module. If your GoDaddy account uses one of those then it could simply be auto-responding to everyone's e-mail with its own Nigerian offer.

It's not uncommon to have a common password hacked from some other data breach.

It's surprising how many networks still allow dictionary attacks. You would think that the login module would lock out an IP address after the first 10 attempts.
__________________
*
*

The book written on E-R.org, "The Military Guide to Financial Independence and Retirement", on sale now! For more info see "About Me" in my profile.
I don't spend much time here anymore, so please send me a PM. Thanks.
Nords is offline   Reply With Quote
Old 01-23-2012, 10:08 PM   #16
Thinks s/he gets paid by the post
Katsmeow's Avatar
 
Join Date: Jul 2009
Posts: 2,446
Quote:
Originally Posted by Nords View Post
You may have already done this, but Hotmail used to get hacked in its "Vacation reply" or "Out of office" auto-response module. If your GoDaddy account uses one of those then it could simply be auto-responding to everyone's e-mail with its own Nigerian offer.

It's not uncommon to have a common password hacked from some other data breach.

It's surprising how many networks still allow dictionary attacks. You would think that the login module would lock out an IP address after the first 10 attempts.
I don't have auto response set up. Apparently what this person in Nigeria did was actually log into webmail for specific email address that I use at fubar.com (I have some other emails that are rarely used that are set up at fubar.com and they were not compromised). Anyway, this person set up 2 identifies with non-fubar.com emails and then set up the scam as the signature. I only found this out when I tried to send an email and it popped up as being from the Nigerian with the scam stuff in it!

Anyway I've now run Emsisoft anti-malware and ad-aware and nothing has turned up so I don't think there is any sort of key logger. So I just need to go into roboform and look up everywhere that uses this password and change it and just not use that password any more.
__________________
Katsmeow is offline   Reply With Quote
Old 01-23-2012, 11:06 PM   #17
Recycles dryer sheets
 
Join Date: Feb 2011
Posts: 184
Are you sure they logged into the email account? Or did they log into your main GoDaddy account where they can create any number of new email accounts? When someone logs into an email account via webmail, they can't set up a different email account - they have to log into the hosting account.

Also, when they created the new email address, should you have gotten an email via your GoDaddy account saying "this new email account has been created" etc. I don't use GoDaddy except for domains, but when I open emails via Hostgator I get a confirmation.
__________________
PaddyMac is offline   Reply With Quote
Old 01-23-2012, 11:08 PM   #18
Thinks s/he gets paid by the post
easysurfer's Avatar
 
Join Date: Jun 2008
Posts: 3,982
I had a similar situation about a year ago.

Here's the thread: Got a Keylogger Virus today

In my situation, I wasn't exactly sure if someone took my information. But m credit card company called me, with someone trying to use it, just around when I had a keylogger virus on my computer.
__________________
Have you ever seen a headstone with these words
"If only I had spent more time at work" ... from "Busy Man" sung by Billy Ray Cyrus
easysurfer is online now   Reply With Quote
Old 01-23-2012, 11:30 PM   #19
Thinks s/he gets paid by the post
Katsmeow's Avatar
 
Join Date: Jul 2009
Posts: 2,446
Quote:
Originally Posted by PaddyMac View Post
Are you sure they logged into the email account? Or did they log into your main GoDaddy account where they can create any number of new email accounts? When someone logs into an email account via webmail, they can't set up a different email account - they have to log into the hosting account.

Also, when they created the new email address, should you have gotten an email via your GoDaddy account saying "this new email account has been created" etc. I don't use GoDaddy except for domains, but when I open emails via Hostgator I get a confirmation.
I'm sure they logged into the webmail account. The webmail account records the IP and time of logins and there is a login from Nigeria a couple of days ago.

They did not create a new email account. They logged into the webmail for my my existing email account -- we'll call it Katsmeow@fubar.com. They then created two "identities." One of them was an identity with a gmail.com email address and the other had an uno.com email address. So, when the scam email was sent it was sent from my email account but to the recipient it would like someone from gmail.com or uno.com sent it.
__________________
Katsmeow is offline   Reply With Quote
Old 01-24-2012, 07:03 AM   #20
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
donheff's Avatar
 
Join Date: Feb 2006
Posts: 7,067
You may never be able to figure it out and the hosting company is a fairly likely source of the problems. For years I had a family web site on a server in my basement. Then a few years back I migrated it to a hosting company figuring they could handle all the security and administration. I only logged into my account with secure shell and sftp and I used strong passwords. One day my homepage was replaced with some goofy HAx0R page (just the index.html file, no other changes) with all the hallmarks of some script kiddy exploit against the hosting company. A likely cuplrit was failure to police against PHP exploits by the host. In any event, tThey just blew me off telling me to rebuild my site and use strong passwords. They were of no use in verifying whether the site was really compromised (back doors, etc) and I had no interest in rebuilding from scratch. I migrated all of my photos to Flickr and let the hosting contract expire. That was a year ago and the site is still active and still apparently clean with simply a replaced index file -- more evidence of the likelihood of some script kiddie type exploit and proof that the host doesn't police its accounts..
__________________

__________________
Every man is, or hopes to be, an Idler. -- Samuel Johnson
donheff is offline   Reply With Quote
Reply

Tags
email, techonology


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Instant email notification not working? ERD50 Forum Admin 20 01-12-2012 11:23 PM
Posting of dividends in brokerage account lowflyer FIRE and Money 5 09-30-2011 08:24 PM
Autopay via CC or Checking Account TromboneAl FIRE and Money 36 09-14-2011 11:33 AM
Bond fund in taxable account? joecaf53 FIRE and Money 1 07-09-2011 02:48 PM

 

 
All times are GMT -6. The time now is 09:49 PM.
 
Powered by vBulletin® Version 3.8.8 Beta 1
Copyright ©2000 - 2014, vBulletin Solutions, Inc.

Early Retirement News right to your Email!

Stay up-to-date with all the latest news to your inbox!

unsusbcribe at anytime with one click

Close [X]