Mark Minasi's Tech Forum
Lisa

New Friend (or an Old Friend who Built a New Account)
Posts: 34
#1
So on Sunday, 10/29, I received this frightening email from Google.  

I did check the headers, etc., and I did not click on the "review your devices" button.  It appears to be from Google.  

The Google account listed in this email is not correct and I initially thought this was spam.  However, the email address below is my recovery email address for gmail.  I have 2FA turned on and use Google's authenticator app.  

"Hi,

Someone just used your password to try to sign in to your Google Account XXXXXX.net.

                Details:

Monday, October 30, 2017 1:25 AM (ET)

Ashburn, VA, USA*

Google stopped this sign-in attempt, but you should review your recently used devices:

 REVIEW YOUR DEVICES NOW"

Yes, I changed my gmail account password.  My original password was very strong and not in a dictionary. 

Not knowing much about hacking, I'm wondering - how would someone obtain my password?  Would they do a brute force attack on gmail?  How would this be done?  And wouldn't Google notice this?  

Any thoughts? Thanks!


__________________
Lisa O'Hara
0
donoli

Senior Member
Posts: 582
#2
I doubt very much that Google sent that email. I was researching another hack & read that Google doesn't notify their users of attempted hacks. They would need an entire dept just for that. It's up to the user to protect him or herself.

As far as brute forcing goes, someone would have to brute force the server & I'm sure Google & all the others have an Intrusion Detection System (IDS) to block the attempts after a few tries. If someone actually found your password, it would be from a key logger on your machine. Don't click on attachments unless you requested the attachment even if you know the sender. Install, update & run anti-malware from malwarebytes.org. Change your password again from a different machine, in case yours is infected.
0
Lisa

New Friend (or an Old Friend who Built a New Account)
Posts: 34
#3
Well, Dude, you're wrong.  The headers check out.  The email is legitimate, as I said in my initial post.  

Also, there are numerous articles that this is a legitimate email from google:

https://productforums.google.com/forum/#!topic/gmail/wWIWRNZ_c4o

https://webapps.stackexchange.com/questions/26600/gmail-suspicious-sign-in-prevented-message-is-it-legit

I have Malwarebytes Premium, HitmanPro Premium (or whatever the paid version is called) and Avast Premium on my computer.  I also use a password manager that syncs between phone and computer.  

I usually change my password via my phone and my password manager.  However, if I had a keylogger, how would I find it?  Wouldn't those above programs have found it by now?  

So, back to my original question - how could someone use a brute force attack on gmail servers and come up with real passwords?  Or, are there other methods besides brute force that would allow an intruder to get past Google's security to obtain a real password?  How would they do it?

__________________
Lisa O'Hara
0
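One way to script the header check mentioned in post #3, as an added example that is not part of the original thread. The function names, the receiving server name `mx.example.net`, the expected domain `google.com` and both sample messages are assumptions constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

def under(domain, parent):
    """True if domain equals parent or is a subdomain of it."""
    domain, parent = domain.lower(), parent.lower()
    return domain == parent or domain.endswith("." + parent)

def check_alert(raw, trusted_authserv, expected_domain):
    """Return (verdict, reasons) for a raw message; both parameters come from the caller."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2]
    reasons, results = [], {}
    if not under(from_domain, expected_domain):
        reasons.append(f"From domain {from_domain!r} not under {expected_domain}")
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, rest = str(hdr).partition(";")
        # Trust only the header stamped by our own receiving server: the
        # sender controls every header that was present before delivery.
        if authserv.lower().split()[:1] != [trusted_authserv.lower()]:
            continue
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest):
            results.setdefault(method, result)
        signer = re.search(r"header\.d=([\w.-]+)", rest)
        if signer:
            results["dkim_domain"] = signer.group(1)
    for method in ("spf", "dkim", "dmarc"):
        if results.get(method) != "pass":
            reasons.append(f"{method}={results.get(method, 'missing')}")
    if results.get("dkim") == "pass" and not under(results.get("dkim_domain", ""), expected_domain):
        reasons.append("DKIM signature is not from the expected domain")
    return ("pass" if not reasons else "suspicious", reasons)

# Constructed samples (not taken from the thread).
GENUINE = (
    "Authentication-Results: mx.example.net;\n"
    " dkim=pass header.d=accounts.google.com; spf=pass; dmarc=pass\n"
    "From: Google <no-reply@accounts.google.com>\n"
    "Subject: constructed sample\n\nbody\n")
SPOOFED = (
    "Authentication-Results: mx.example.net; spf=softfail; dkim=none; dmarc=fail\n"
    "Authentication-Results: mx.google.com; spf=pass; dkim=pass header.d=google.com; dmarc=pass\n"
    "From: Google <no-reply@accounts.google.com>\n"
    "Subject: constructed sample\n\nbody\n")

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(name, check_alert(raw, "mx.example.net", "google.com"))
```

A passing result only shows that the message came from the claimed domain; the sign-in activity itself still has to be confirmed in the account's own security page.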
wkasdo

Administrator
Posts: 229
#4
> The Google account listed in this email is not correct and I initially thought this was spam.  However, the email address below is my recovery email address for gmail. 

So someone guessed your recovery address? That in itself is not a reason for concern.

Did you verify the activity in the Google security center yourself instead of relying on this email?

__________________
[MSFT]; Blog: https://blogs.technet.microsoft.com/389thoughts/
0
donoli

Senior Member
Posts: 582
#5
Lisa, you have far more faith in anti virus programs than I do. You can't depend on those programs. According to Dave Perry, formerly of Trend Micro, 3/4 million new viruses, trojans & other malware are released daily. However, you are right about a Google breach.

https://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/

If you want to see if your PC is compromised, reboot normally, download & run Hijack This & post the output here, if you don't understand it. I will tell you what to delete. 

0
wobble_wobble

Associate Troublemaker Apprentice
Posts: 871
#6
I've received emails from Google/ Facebook and MS about the same thing.
Sometimes it's because the login is unusual due to my profile or the login is from a different IP range, yet my phone or laptop is in another region/ country.
You can look in your Security center and check if other devices are logged in.

As Willem said - someone may have guessed your recovery address.

Have you checked here for both your usual and recovery email address?

If the user you use as a normal day to day user is an administrator then the AV/ antimalware etc won't and can't find everything.

Do the usual.
Change passwords - for your password safe as well.
Run offline scanner against your PC
Remove admin privileges 

 




__________________
Have you tried turning it off and walking away? The next person can fix it!

New to the forum? Read this
0
Lisa

New Friend (or an Old Friend who Built a New Account)
Posts: 34
#7
Yes, I have checked that website and signed up to get email when my email address has been part of a breach.

The interesting thing is that I checked the security center on Google and this login activity is not there.  That's why I'm trying to figure it all out.  

I received another email from Google today, it is below.  It is missing the location.  Google shows no information at all about another device except my phone and my computer.  Additionally, you should know that my recovery email is on a hosted server - not at my home.

I have the Sophos Rootkit/Virus Removal tool and use it regularly.

"Hi,

Someone just used your password to try to sign in to your Google Account XXXXX@domain.com.

                Details:

Friday, November 3, 2017 8:34 AM (GMT)

Google stopped this sign-in attempt, but you should review your recently used devices:

REVIEW YOUR DEVICES NOW"

I don't have HijackThis but I do have Avast.  Would a boot scan be just as good with Avast as with HijackThis?

Should I change my recovery email to something else?

Thanks!


__________________
Lisa O'Hara
0
donoli

Senior Member
Posts: 582
#8
Hijack This is not an Anti Virus like Avast. All it does is list all running processes, even if they are supposed to be hidden. It was originally from Trend Micro but has been released as open source. Google it & download it but as with most free tools, don't get tricked into downloading something else.

Run it & post the output here, if you don't know what belongs & what doesn't. For example, browser helper objects are not secure but you'll see some of them.  You may see a proxy listed even if you aren't using a proxy.  Those things should be deleted. Those are just 2 examples.
0
Lisa

New Friend (or an Old Friend who Built a New Account)
Posts: 34
#9
I have downloaded it and am running a boot scan right now. Is there an email address I can send the output? I don’t feel comfortable posting it. Doesn’t the output have identifiable info in it?
__________________
Lisa O'Hara
0
donoli

Senior Member
Posts: 582
#10
Generally, there isn't anything that will identify you in the output. This site has Private Messages that you can use. At least I see it at the top of the page.
0
Lisa

New Friend (or an Old Friend who Built a New Account)
Posts: 34
#11
I had to send an email because Private Message was disabled on your account.

I'm sending a 2nd email because the first one had an error about a hosts file not being able to be accessed.

__________________
Lisa O'Hara
0
donoli

Senior Member
Posts: 582
#12
I don't know why it's disabled. I have it checked. I tried to send a PM to you but there is no place to enter a name. Something is wrong. Use shortylong at disposable dot com for now
0
Lisa

New Friend (or an Old Friend who Built a New Account)
Posts: 34
#13
Ok, I sent it to that address.
__________________
Lisa O'Hara
0
donoli

Senior Member
Posts: 582
#14
It arrived. I'll start to go over it & reply by email.
0
Lisa

New Friend (or an Old Friend who Built a New Account)
Posts: 34
#15
Ok. Thank you!
__________________
Lisa O'Hara
0