Two days ago my wife's Gmail account was taken over, with quite sweeping effects. SEE UPDATE BELOW. Yesterday I mentioned the two simple steps Gmail users could take to minimize the chance of such an attack, or recover more quickly if it happened.
Just in the past hour, I have received phishing messages from the Gmail accounts of
two three four five six other friends -- starting with one in California and one in Texas -- whose accounts must have been hacked in just the same way. The (implausible) "I've been mugged in Madrid, Spain!" pitch is almost identical to the one that went out from my wife's account. The messages have also been jiggered in a way similar to (but with an interesting difference from) hers. In all cases, the "Reply To:" address has been changed on these messages, so that if you hit Reply your response goes not to the sender but to a dummy address. For my wife's case, the dummy address was a Gmail account that was a slight misspelling of her name. In these two new cases, the return address is @ymail.com rather than @gmail.com -- that is, a Yahoo mail rather than Gmail account. A message appearing to come from MyFriend@gmail.com would direct its replies to MyFriend@ymail.com. These alterations are normally concealed, but you can see them if you press the "Show details" button in Gmail.
These California friends of mine do not know the Texas friend. One of them has never corresponded with my wife. So this isn't just some ripple effect spreading from her network of contacts. I am getting these messages because I happen to be in
both all of their address lists. At least anecdotally, something bigger would appear to be going on. Perhaps a new Gmail hack or password-capture system? Related to the mammoth Epsilon hack? Each sounds unlikely, but who knows.
But even if this is purely anecdotal and coincidental, why take a risk? If you use Gmail, protect yourself now. Change your password. Now. If you can, switch to two-step verification, as explained yesterday. Be absolutely sure you have extra "password recovery contacts," also as explained yesterday. Also, when you are on the "mail settings" of Gmail making these changes, check the "Forwarding / IMAP" tab to make sure your mail is not being forwarded someplace you don't want.
This is all a minor nuisance. Believe me, it is less of a nuisance than the ones you will be dealing with if the entire contents of your archived mail are in someone else's hands. More about this later.
Here is the phishing note just now from one of my friends' accounts, slightly altered from the one sent when my wife's account was taken over:
>>I'm sorry for this sudden request, It's because things actually got out of control. I'm Madrid, Spain. I came down here for a confrenece, i was mugged and all my belongings including cellphone and credit card were all stolen at "GUN POINT". It's such a traumatic experience for me. I need your help flying back home as i am trying to raise some money.
I've contacted my bank but the best they could do was to send me a new card in the mail which will take 2-4 working days to arrive here from [my friend's real home town, in Texas]. I need you to lend me some Money to sort my self out of this predicament, i will pay back once i get this over with because i need to make a last minute flight.Western Union or MoneyGram is the fastest option to wire funds to me. Let me know if you need my details(Full names/location) to effect a transfer. You can reach me via hotel's desk phone and the number is, +34 981 600916891.
Waiting to hear from you,[My friend's real nickname] <<
Do. It. Now.
UPDATE: In response to some queries, at least in my wife's case this is not just a matter of innocently spoofing her email address as the "from" line of phishing messages. Someone else had complete control of all her online data for a number of hours, with harmful consequences I will detail later. Maybe that has not happened to the people I've heard from today, but if it has, it's something you want to avoid for yourself.