For over a week users of Gmail have been exchanging stories about incidents of email accounts being compromised and the uncontrolled distribution of spam, trying to guess what’s behind this strange epidemic.
The spam mailings are being sent from hacked accounts to addresses that the account owners have communicated with – these are primarily addresses from the contact list. There is no message subject and the body contains nothing more than a link to an online drug store in the .co.cc domain. This is a redirect to the recently registered website mrapgyan.net which, incidentally, doesn’t work. A copy of the message is saved to the “Sent Mail” folder just like any other sent message, and sometimes it can be found in the “Trash” folder. Some of the messages don’t make it to their recipients and remain flagged as undelivered.
It turns out that every time the spammers connected to someone’s account they did so via a mobile interface and most probably using bots. The IP addresses used to gain unauthorized access were in locations dotted around the world – the USA, Western Europe, the Middle East, Asia, Africa…
It’s worth pointing out that the cybercriminals only used their victims’ contacts to send out spam – they didn’t modify passwords to email accounts and didn’t delete any messages or contact lists.
It remains to be seen what connects all the victims. Active accounts were targeted as well as those that have lain dormant for some time. Password strength and the presence or type of antivirus solution also appears to play no role. No malware was found on the majority of affected computers. The operating systems also varied, with XP, Windows 7, Windows Vista, Mac OS, and various versions of Linux in combination with browsers such as IE, Firefox, Opera, and Chrome.
The number of compromised accounts has not been determined. Google is keeping quiet for the moment – they are supposedly investigating. In the meantime, all users of Gmail are advised to check their recent account activity, change their passwords, unclick the “Stay signed in” box on all their computers and sign out when a session ends.
PS from Sergey Golovanov:
The domain mrapgyan.net, which is where the link in the spam message redirects to, was registered with directions to:
What does that mean?
Well, virus analysts know that three-character domains of [letter][number][letter] are linked to the spread of Bredolab. And pharmacyhealthmedsnow.eu obviously points to spam advertising medications.