Compromised Email Account

Katsmeow

This is long but I really need suggestions.

My main email webmail was compromised and I'm trying to figure out what happened and if I need to do anything more to make certain I don't have a keylogger on my computer. Here is the situation:

For years my main email has been one I set up using my own domain. That is, let's say my domain was fubar.com (it isn't -- just using it for example). My domain is hosted at godaddy. I don't use fubar.com for anything other than a domain name for my email. Through godaddy I have email set up and godaddy provides webmail if I want to log onto my email account on the internet. In practice, I very rarely use the webmail. I have a master email account at gmail and have my fubar.com email forwarded to gmail and I send mail from fubar.com using my gmail account. So I hardly ever log into the webmail account (maybe once a month or so when I want to get a confirmation or something that I don't want to wait for it to be forwarded to gmail).

So -- several weeks ago I found that emails to fubar.com were being returned as undeliverable. I tried to log into the webmail and couldn't and ended up deleting the mailbox (through godaddy) and setting up the account again. Everything seemed to work.

Then yesterday the same thing happened. This time I called godaddy who had me...delete the mailbox and set it back up. The tech support guy sent me a test email and asked me to respond to it.

When I did the response popped up as not being from my actual email but from some other email and the response had a canned signature that was a Nigerian scam letter. I then looked at the webmail and realized someone had actually been logged in on the webmail and had created another identity to send emails using my account. I checked the login info and saw someone in Nigeria had logged in 2 days earlier and had sent out 100 or so scam emails. I also realized the same thing had happened a couple of days before the last time the email went down.

Obviously the issue for me is how did someone compromise the account. I immediately thought of a key logger so I ran Malwarebytes, AVG, and Norton 360. Nothing turned up except a few tracking cookies.

My password is one that I have used for awhile. It isn't one anyone is likely to guess (it appears to be random but isn't really but no one could really guess it since it is based upon information that is not publicly available and is available only to me).

I am very careful and have never had a keylogger or virus (that didn't get caught by a virus checker).

The computer I am using is only a few months old. From before I got it I use RoboForm so I don't think I've ever typed the email password into the webmail login form since the password was already saved into RoboForm before I even got this computer. It is possible that I might have typed in that password on my notebook that I use at the office although that wouldn't have often happened.

Possibilities:

1. There is a keylogger on my computer at home but Malwarebytes, Norton 360 and AVG didn't find it. Is that at all possible? Is there something else I should use to check for a keylogger?

2. There is a keylogger on my notebook I use at work. Possible I guess but unlikely. I use it only at work and hardly go anywhere except major web sites. The office blocks lots of websites so access is pretty limited.

3. Someone got my password and email from some forum or store or some other place where I use the same password for my forum login. I used to use that password a lot of places. I've mostly phased it out but haven't changed it everywhere yet.

4. Someone got my password from the godaddy webmail or something else godaddy related. If that is a possibility maybe I should change my domain hosting to somewhere else (any ideas? I just need hosting for email really).

Basically I feel sort of frozen now. I'm scared to change passwords on my desktop or my office notebook. I could I guess reformat my hard drives (I have an SSD drive with programs on it I want to run quickly then I have another drive with my other programs and my data), but I don't really want to do that unless I have to.

Any ideas?
 
Have you tried changing your password on the fubar webmail account and then testing to see if it still sends the Nigerian response?

If Norton, malwarebytes, and AVG all say your computer at home is clean, it is probably clean IMO.
 
2. There is a keylogger on my notebook I use at work. Possible I guess but unlikely. I use it only at work and hardly go anywhere except major web sites. The office blocks lots of websites so access is pretty limited.

Speculating here:

Your work computer may not be compromised but the corporate network may be. Do you use an HTTPS connection to get to your webmail? If not, your traffic may be monitored by IT and subject to hacking from outside.

Also, have you checked your domain info with WHOIS? Your password isn't based on your personal information, is it? Just askin.
 
Some ideas based on my email being compromised a few years ago:

- Make sure you are using the secure log in feature (https) of your email. Both Yahoo and Gmail offer this under settings. I suspect this is how my email was compromised.
- Go through all your email settings to make sure there is nothing unusual. When mine was compromised, the person set up an auto vacation response. Check for alternate emails or auto forwarding.
- Download "Emsisoft Anti-Malware" from download.com. This worked pretty well in getting rid of some troublesome spyware.
- Only log in to your accounts from secure wireless networks. Your info can get compromised using an open WIFI network.
- Set up strong passwords; check the internet for tips.
- I like Avast for virus protection.

Hope this helps.
 
My money is on #3 in your list.

Your password was probably obtained from somewhere else that you use it. If I were you I'd change it ASAP and stop using it for anything that matters.
 
Then yesterday the same thing happened. This time I called godaddy who had me...delete the mailbox and set it back up. The tech support guy sent me a test email and asked me to respond to it.

When you say you set it back up - did you use a new, strong password? If not, the bad guy is going to get right back in.

I apologize if that seems obvious, but one thing I learned troubleshooting is don't assume anything. And if it wasn't obvious to you, I apologize for thinking it might be obvious ;)

Also, I think a lot of these hacks are done with random tries by robots. But with a unique domain name, that seems like a small chance.

Hope you solve this.

-ERD50
 
Change the password to something completely new from your home computer. That should fix the problem. Do the same for all of the other accounts using the old password, hopefully all with unique passwords but you could use a common one for non-monetary sites. If you are concerned about a key logger you can type in the new password by repositioning the cursor with the mouse between keypresses, so the key logger shows the characters out of order. A nice 16 character password would be nice.

If that doesn't work I'd call Go Daddy again and let them know your account has been compromised and a careful password change didn't solve the problem. It is possible that the problem is on their end, not that they would admit it.
 
To answer some questions:

The password was changed immediately yesterday and then again today. I deleted the Nigerian's identity that was set up and have checked login activity on the webmail and it has been fine.

No, my password was not based upon personal identity information. The Domain whois info is fine. I register it through godaddy and keep my registration info private in any event.

I am going to totally stop using that password for anything. I just didn't want to start wholesale changing it until I was sure that this computer was safe and didn't have a keylogger.

My teenage son does use this computer occasionally. He really isn't careless and generally doesn't get a lot of malware on his own computer but he is probably more likely to go somewhere unsafe than I am. That said - Malwarebytes, AVG and Norton 360 found nothing on this computer.

Rowdy -- Thanks for the suggestion. I will try Emsisoft Anti-Malware
 
Katsmeow: FYI, in Download.com, search for "Emsisoft Anti-Malware Free (Previously A-squared Free)".
 
I didn't mean to disparage your son by generalizing about teenagers. But, recently, I discovered an unknown computer on our home network. My son had generously shared his login credentials with a friend who was visiting. No harm done but these things happen.
 
#3 or #4, I am guessing.

It has been recommended to me to use different passwords and different usernames in each account.

Long PW's with symbols and numbers are also recommended. Crackers will use a program that just iterates through the alphabet starting with short PW's and go from there. Symbols and numbers increase the complexity of the PW and longer is really better. It is also a pain to remember. I think it is safer to have a long one and write it down than to have a short one you can remember. And change them regularly.
 
Might a keylogger show up on a netstat -b run, or am I thinking wrong?
 
I am actually fairly good with passwords but I freely admit this one is more of a problem. Not because the password is bad. It is actually fairly strong with letters and numbers but I tended to use it at a lot of places that didn't allow a non-letter, non-number password.

The last year or so I've moved to mostly doing a couple of things for passwords:

1. For sites that are non-sensitive (forum logons, logons to things like the New York Times, etc), for ease of use I do tend to use similar easy to remember passwords (they are easy for me to remember but they aren't things that are easily guessed). I have 2 or 3 of these passwords and I don't use them anywhere that is financially sensitive.

2. For really important financial sites I use a unique password for each of them.

3. I do keep almost all passwords in Roboform and protect them with my master password.

4. The way I create my best passwords is I make up a sentence that is easy to remember and then use the first letters of the sentence and put in some special characters. For example I might do something like (this is an example -- not one I use):

It was too stressful when I got lost in the Louvre in August!

The password then might be:

Iw2$wIglitLi8!


That really works well -- but there are only so many of those sentences I can remember so I really only do that for a few passwords.

5. Something I haven't done but may try is to let Roboform create a unique password using its password generator. Then, I let Roboform remember it. I could do that for places like credit cards where I want unique passwords but find it hard to remember them. The biggest problem is that I wouldn't remember them if I was away from my home computer and didn't have Roboform.
 
I am actually fairly good with passwords but I freely admit this one is more of a problem. Not because the password is bad. It is actually fairly strong with letters and numbers but I tended to use it at a lot of places that didn't allow a non-letter, non-number password.
You may have already done this, but Hotmail used to get hacked in its "Vacation reply" or "Out of office" auto-response module. If your GoDaddy account uses one of those then it could simply be auto-responding to everyone's e-mail with its own Nigerian offer.

It's not uncommon to have a common password hacked from some other data breach.

It's surprising how many networks still allow dictionary attacks. You would think that the login module would lock out an IP address after the first 10 attempts.
 
You may have already done this, but Hotmail used to get hacked in its "Vacation reply" or "Out of office" auto-response module. If your GoDaddy account uses one of those then it could simply be auto-responding to everyone's e-mail with its own Nigerian offer.

It's not uncommon to have a common password hacked from some other data breach.

It's surprising how many networks still allow dictionary attacks. You would think that the login module would lock out an IP address after the first 10 attempts.

I don't have auto response set up. Apparently what this person in Nigeria did was actually log into webmail for the specific email address that I use at fubar.com (I have some other emails that are rarely used that are set up at fubar.com and they were not compromised). Anyway, this person set up 2 identities with non-fubar.com emails and then set up the scam as the signature. I only found this out when I tried to send an email and it popped up as being from the Nigerian with the scam stuff in it!

Anyway I've now run Emsisoft anti-malware and ad-aware and nothing has turned up so I don't think there is any sort of key logger. So I just need to go into roboform and look up everywhere that uses this password and change it and just not use that password any more.
 
Are you sure they logged into the email account? Or did they log into your main GoDaddy account where they can create any number of new email accounts? When someone logs into an email account via webmail, they can't set up a different email account - they have to log into the hosting account.

Also, when they created the new email address, should you have gotten an email via your GoDaddy account saying "this new email account has been created" etc. I don't use GoDaddy except for domains, but when I open emails via Hostgator I get a confirmation.
 
Are you sure they logged into the email account? Or did they log into your main GoDaddy account where they can create any number of new email accounts? When someone logs into an email account via webmail, they can't set up a different email account - they have to log into the hosting account.

Also, when they created the new email address, should you have gotten an email via your GoDaddy account saying "this new email account has been created" etc. I don't use GoDaddy except for domains, but when I open emails via Hostgator I get a confirmation.

I'm sure they logged into the webmail account. The webmail account records the IP and time of logins and there is a login from Nigeria a couple of days ago.

They did not create a new email account. They logged into the webmail for my existing email account -- we'll call it Katsmeow@fubar.com. They then created two "identities." One of them was an identity with a gmail.com email address and the other had an uno.com email address. So, when the scam email was sent it was sent from my email account but to the recipient it would look like someone from gmail.com or uno.com sent it.
 
You may never be able to figure it out and the hosting company is a fairly likely source of the problems. For years I had a family web site on a server in my basement. Then a few years back I migrated it to a hosting company figuring they could handle all the security and administration. I only logged into my account with secure shell and sftp and I used strong passwords. One day my homepage was replaced with some goofy HAx0R page (just the index.html file, no other changes) with all the hallmarks of some script kiddy exploit against the hosting company. A likely culprit was failure to police against PHP exploits by the host. In any event, they just blew me off telling me to rebuild my site and use strong passwords. They were of no use in verifying whether the site was really compromised (back doors, etc) and I had no interest in rebuilding from scratch. I migrated all of my photos to Flickr and let the hosting contract expire. That was a year ago and the site is still active and still apparently clean with simply a replaced index file -- more evidence of the likelihood of some script kiddie type exploit and proof that the host doesn't police its accounts.
 
...(snip)...
1. For sites that are non-sensitive (forum logons, logons to things like the New York Times, etc), for ease of use I do tend to use similar easy to remember passwords (they are easy for me to remember but they aren't things that are easily guessed). I have 2 or 3 of these passwords and I don't use them anywhere that is financially sensitive.
...
I think for even non-sensitive (non-financial) sites the passwords should be unique. Then if that non-sensitive site is hacked you only can be affected there.

You can do this by inserting a site specific ID into the "generic" strong password. Example:
1) Say you use the following non-sensitive site password: StGhMn45;;
2) For the New York Times web site your password gets revised to insert the letters "nyt"
3) The new password = StGhnytMn45;;
4) For your Yahoo account the new password would be StGhyahMn45;;
 
It's surprising how many networks still allow dictionary attacks. You would think that the login module would lock out an IP address after the first 10 attempts.

Agree there should always be some sort of quantity limit. When I've designed password systems, I've generally incorporated a timer such that any password entered within X seconds of a prior failed entry is automatically rejected.
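The timer-plus-limit design described in the reply above, written out as an added example (not code from any poster or from GoDaddy): any attempt arriving within `min_interval` seconds of a prior failed entry on the same account is rejected before the password is even checked, and `max_failures` consecutive failures lock the account for `lockout_seconds`. The credential store, the `katsmeow` user and the `FakeClock` are constructed for the example; the password hashing uses PBKDF2 from the standard library.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Callable, Dict


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count is illustrative, tune for your hardware
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed credential store for the example: username -> (salt, hash)
_SALT = os.urandom(16)
USERS: Dict[str, tuple] = {"katsmeow": (_SALT, _hash_password("correct horse battery", _SALT))}
# Dummy entry hashed for unknown usernames so timing does not reveal which names exist
_DUMMY = (os.urandom(16), _hash_password("dummy", b"x" * 16))


class FakeClock:
    """Constructed clock so the example runs instantly instead of sleeping."""
    def __init__(self, start: float = 0.0):
        self.now = start
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class AccountState:
    last_failure: float = float("-inf")   # time of the most recent failed entry
    failures: int = 0                     # consecutive failures since last success
    locked_until: float = 0.0


@dataclass
class LoginThrottle:
    min_interval: float = 5.0             # the "X seconds" from the post
    max_failures: int = 10
    lockout_seconds: float = 900.0
    clock: Callable[[], float] = time.monotonic
    state: Dict[str, AccountState] = field(default_factory=dict)

    def attempt(self, username: str, password: str) -> str:
        """Returns one of OK, FAIL, THROTTLED, LOCKED."""
        now = self.clock()
        st = self.state.setdefault(username, AccountState())
        if now < st.locked_until:
            return "LOCKED"
        if st.failures >= self.max_failures:
            st.failures = 0               # lockout has expired: fresh window
        if now - st.last_failure < self.min_interval:
            # Rejected unread, right password or not; the throttled attempt does
            # not extend the window, so an attacker cannot hold the owner out
            # by hammering the account.
            return "THROTTLED"
        salt, expected = USERS.get(username, _DUMMY)
        if hmac.compare_digest(_hash_password(password, salt), expected) and username in USERS:
            st.failures = 0
            return "OK"
        st.failures += 1
        st.last_failure = now
        if st.failures >= self.max_failures:
            st.locked_until = now + self.lockout_seconds
            return "LOCKED"
        return "FAIL"


def demo() -> list:
    """Walk through the interesting transitions with a fake clock."""
    clock = FakeClock()
    t = LoginThrottle(min_interval=5, max_failures=3, lockout_seconds=60, clock=clock)
    out = [t.attempt("katsmeow", "correct horse battery")]   # OK
    out.append(t.attempt("katsmeow", "wrong"))                # FAIL
    out.append(t.attempt("katsmeow", "correct horse battery"))  # THROTTLED: too soon after a failure
    clock.advance(5)
    out.append(t.attempt("katsmeow", "correct horse battery"))  # OK again
    for _ in range(3):                                        # FAIL, FAIL, LOCKED
        out.append(t.attempt("katsmeow", "x"))
        clock.advance(5)
    out.append(t.attempt("katsmeow", "correct horse battery"))  # LOCKED: still inside lockout
    clock.advance(60)
    out.append(t.attempt("katsmeow", "correct horse battery"))  # OK: lockout expired
    return out


if __name__ == "__main__":
    print(demo())
```

Note the deliberate choice that a throttled attempt is not itself recorded as a failure: if it were, a remote attacker could keep the real owner out indefinitely at one request every few seconds, which is the denial-of-service trade-off any per-account lockout has to weigh.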
 
... You would think that the login module would lock out an IP address after the first 10 attempts.
Agree there should always be some sort of quantity limit. When I've designed password systems, I've generally incorporated a timer such that any password entered within X seconds of a prior failed entry is automatically rejected.

That makes sense to me, but I've wondered if this is how the 'bad guys' work?

Seems to me, they are not targeting anyone in particular, they just want to get in anywhere they can. So instead of a netbot hitting my account 1,000,000 times in a row in an attempt to guess my PW, I would think (putting on my 'bad guy' hat), that they would hit 1,000,000 different accounts, and then cycle back through them.

That way, there would not be a lot of activity on any one account, it would look like someone may have just mistyped their logon, and tried to legitimately get into their account. That must happen a zillion times a day.


I'm not fully caffeinated yet, but aren't the odds the same for them? They could even use random passwords if they kept a database of which PW was tried on which account, so they aren't just doing simple ones first. That's not hard at all. Not sure if it is an advantage or not to mix up the PW, but it's easily done.


-ERD50
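ERD50's point is the one a defender has to plan for: if each account sees only one or two failures, the per-account lockout above never fires. The usual answer is to also look across accounts per source address. This is an added example, not code from any poster or from a real webmail product; the log format, the account names and the three source addresses (all from the RFC 5737 documentation ranges) are constructed, and the thresholds are illustrative.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Constructed log format: "<timestamp> webmail-login <OK|FAIL> user=<name> ip=<addr>"
LOG_RE = re.compile(r"^(?P<ts>\S+) webmail-login (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$")


def _line(ts: str, result: str, user: str, ip: str) -> str:
    return f"{ts} webmail-login {result} user={user} ip={ip}"


# Constructed sample log: an owner who mistypes twice, a single-account brute force,
# and a spray that touches eight accounts once each.
SAMPLE_LOG: List[str] = (
    [_line("2011-06-01T08:00:01", "FAIL", "katsmeow", "198.51.100.7"),
     _line("2011-06-01T08:00:09", "FAIL", "katsmeow", "198.51.100.7"),
     _line("2011-06-01T08:00:20", "OK",   "katsmeow", "198.51.100.7")]
    + [_line(f"2011-06-01T09:00:{i:02d}", "FAIL", "katsmeow", "192.0.2.9") for i in range(12)]
    + [_line(f"2011-06-01T10:{i:02d}:00", "FAIL", user, "203.0.113.5")
       for i, user in enumerate(["katsmeow", "info", "sales", "admin", "bob", "alice", "support", "billing"])]
)


def parse_log(lines: Iterable[str]) -> List[dict]:
    """Parse the constructed format; lines that do not match are skipped, not fatal."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def brute_forced_accounts(events: List[dict], threshold: int = 10) -> Set[str]:
    """Classic per-account check: accounts with at least `threshold` failures."""
    fails: Dict[str, int] = defaultdict(int)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["user"]] += 1
    return {user for user, n in fails.items() if n >= threshold}


def spray_sources(events: List[dict], min_accounts: int = 5, max_per_account: int = 3) -> Dict[str, List[str]]:
    """Cross-account check: a source that fails on many distinct accounts while staying
    under the per-account lockout threshold on every one of them."""
    per_ip: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["result"] == "FAIL":
            per_ip[e["ip"]][e["user"]] += 1
    flagged = {}
    for ip, accounts in per_ip.items():
        if len(accounts) >= min_accounts and max(accounts.values()) <= max_per_account:
            flagged[ip] = sorted(accounts)
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-account:", brute_forced_accounts(evs))
    print("spray sources:", spray_sources(evs))
```

On the sample, the per-account check catches only the 12-try brute force, while the spray source shows up solely in the cross-account view; in practice the two signals are complementary, and the owner's two typos from their usual address trip neither.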
 
This happened to me earlier this month too.

We use myhosting.com to host. Years ago I did consulting so we created our own domain name, since retiring several years ago we just use it for e-mail. Our individual e-mail passwords and our account password was the same all digit password (btw, the same that I use for this forum). Myhosting blamed our passwords and changing that stopped the hack. Humm, I had no idea that the hosting provider may have not done all that it should have to protect our account.
 
On passwords..

I remember two passwords. One for my password keeper and one for my email accounts. All other passwords, I use a random generator by my password keeper to create secure passwords. Also, now even with my user ids, a portion of that is randomly generated for safety.

For me, trying to remember password combinations that are safe is just too taxing on the brain when some require special characters, and some do not, and once you have one in memory, the password may expire.
 