Mass hack attack or a Gmail bug?

For over a week users of Gmail have been exchanging stories about incidents of email accounts being compromised and the uncontrolled distribution of spam, trying to guess what’s behind this strange epidemic.

The spam mailings are being sent from hacked accounts to addresses that the account owners have communicated with – these are primarily addresses from the contact list. There is no message subject and the body contains nothing more than a link to an online drug store in the domain. This is a redirect to the recently registered website which, incidentally, doesn’t work. A copy of the message is saved to the “Sent Mail” folder just like any other sent message, and sometimes it can be found in the “Trash” folder. Some of the messages don’t make it to their recipients and remain flagged as undelivered.

It turns out that every time the spammers connected to someone’s account they did so via a mobile interface and most probably using bots. The IP addresses used to gain unauthorized access were in locations dotted around the world – the USA, Western Europe, the Middle East, Asia, Africa…

It’s worth pointing out that the cybercriminals only used their victims’ contacts to send out spam – they didn’t modify passwords to email accounts and didn’t delete any messages or contact lists.

It remains to be seen what connects all the victims. Active accounts were targeted as well as those that have lain dormant for some time. Password strength and the presence or type of antivirus solution also appears to play no role. No malware was found on the majority of affected computers. The operating systems also varied, with XP, Windows 7, Windows Vista, Mac OS, and various versions of Linux in combination with browsers such as IE, Firefox, Opera, and Chrome.

The number of compromised accounts has not been determined. Google is keeping quiet for the moment – they are supposedly investigating. In the meantime, all users of Gmail are advised to check their recent account activity, change their passwords, unclick the “Stay signed in” box on all their computers and sign out when a session ends.

PS from Sergey Golovanov:

The domain, which is where the link in the spam message redirects to, was registered with directions to:


What does that mean?
Well, virus analysts know that three-character domains of [letter][number][letter] are linked to the spread of Bredolab. And obviously points to spam advertising medications.

Mass hack attack or a Gmail bug?

Your email address will not be published. Required fields are marked *



APT trends report Q2 2021

This is our latest summary of advanced persistent threat (APT) activity, focusing on significant events that we observed during Q2 2021: attacks against Microsoft Exchange servers, APT29 and APT31 activities, targeting campaigns, etc.

LuminousMoth APT: Sweeping attacks for the chosen few

We recently came across unusual APT activity that was detected in high volumes, albeit most likely aimed at a few targets of interest. Further analysis revealed that the actor, which we dubbed LuminousMoth, shows an affinity to the HoneyMyte group, otherwise known as Mustang Panda.

WildPressure targets the macOS platform

We found new malware samples used in WildPressure campaigns: newer version of the C++ Milum Trojan, a corresponding VBScript variant with the same version number, and a Python script working on both Windows and macOS.

Ferocious Kitten: 6 years of covert surveillance in Iran

Ferocious Kitten is an APT group that has been targeting Persian-speaking individuals in Iran. Some of the TTPs used by this threat actor are reminiscent of other groups, such as Domestic Kitten and Rampant Kitten. In this report we aim to provide more details on these findings.

Subscribe to our weekly e-mails

The hottest research right in your inbox