Two days ago my wife's Gmail account was taken over, with quite sweeping effects. SEE UPDATE BELOW. Yesterday I mentioned the two simple steps Gmail users could take to minimize the chance of such an attack, or recover more quickly if it happened.
Just in the past hour, I have received phishing messages from the Gmail accounts of six other friends -- starting with one in California and one in Texas -- whose accounts must have been hacked in just the same way. The (implausible) "I've been mugged in Madrid, Spain!" pitch is almost identical to the one that went out from my wife's account. The messages have also been jiggered in a way similar to (but with an interesting difference from) hers. In all cases, the "Reply To:" address has been changed on these messages, so that if you hit Reply your response goes not to the sender but to a dummy address. For my wife's case, the dummy address was a Gmail account that was a slight misspelling of her name. In these two new cases, the return address is @ymail.com rather than @gmail.com -- that is, a Yahoo mail rather than Gmail account. A message appearing to come from MyFriend@gmail.com would direct its replies to MyFriend@ymail.com. These alterations are normally concealed, but you can see them if you press the "Show details" button in Gmail.
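The Reply-To trick described above is easy to check for mechanically, which is what "Show details" lets you do by hand. The following Python is an added example, not code from the original post: it reads a raw message's headers and flags a Reply-To that would divert replies away from the From address, distinguishing the two variants the post mentions (same name at a different domain, such as @gmail.com versus @ymail.com, and a near-misspelling of the name at the same domain). The sample messages and addresses are constructed for the example.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from difflib import SequenceMatcher
from typing import Optional, Dict, Tuple

# Constructed samples modelled on the pattern described in the post; not real captures.
SAMPLE_DOMAIN_SWAP = """From: My Friend <myfriend@gmail.com>
Reply-To: myfriend@ymail.com
To: me@example.com
Subject: I've been mugged in Madrid, Spain!

Please reply as soon as you can.
"""

SAMPLE_LOOKALIKE = """From: Jane Doe <jane.doe@gmail.com>
Reply-To: jane.deo@gmail.com
To: me@example.com
Subject: urgent

Please reply.
"""

SAMPLE_BENIGN = """From: Jane Doe <jane.doe@gmail.com>
To: me@example.com
Subject: lunch?

Tomorrow?
"""


def split_addr(header_value: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (local_part, domain) of the first address in a header, lower-cased."""
    _, addr = parseaddr(str(header_value))
    if "@" not in addr:
        return None, None
    local, domain = addr.lower().rsplit("@", 1)
    return local, domain


def check_reply_to(raw_message: str) -> Optional[Dict[str, object]]:
    """Flag a message whose Reply-To would send replies somewhere other than the From address.

    Returns None when there is no usable Reply-To, or when it matches From exactly.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    from_local, from_domain = split_addr(msg.get("From", ""))
    rt_local, rt_domain = split_addr(msg.get("Reply-To", ""))
    if from_local is None or rt_local is None:
        return None                       # nothing diverted: no Reply-To (or no From)
    if (rt_local, rt_domain) == (from_local, from_domain):
        return None                       # Reply-To is the sender itself: normal

    # How close the Reply-To name is to the sender's name (1.0 = identical).
    similarity = SequenceMatcher(None, from_local, rt_local).ratio()
    if rt_local == from_local and rt_domain != from_domain:
        kind = "domain_swap"              # same name, different provider (gmail.com -> ymail.com)
    elif rt_domain == from_domain and similarity >= 0.8:
        kind = "lookalike_local"          # slight misspelling of the name at the same provider
    else:
        kind = "other_redirect"           # diverted, but to something unrelated

    return {
        "from": f"{from_local}@{from_domain}",
        "reply_to": f"{rt_local}@{rt_domain}",
        "kind": kind,
        "similarity": round(similarity, 2),
    }


if __name__ == "__main__":
    for name, sample in [("domain swap", SAMPLE_DOMAIN_SWAP),
                         ("lookalike", SAMPLE_LOOKALIKE),
                         ("benign", SAMPLE_BENIGN)]:
        print(name, "->", check_reply_to(sample))
```

The similarity threshold (0.8) is a hypothetical choice for the example; a mail filter would tune it against its own traffic. The same check applies to any raw message source (a mailbox export, a gateway log), since it relies only on the From and Reply-To headers.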
These California friends of mine do not know the Texas friend. One of them has never corresponded with my wife. So this isn't just some ripple effect spreading from her network of contacts. I am getting these messages because I happen to be in all of their address lists. At least anecdotally, something bigger would appear to be going on. Perhaps a new Gmail hack or password-capture system? Related to the mammoth Epsilon hack? Each sounds unlikely, but who knows.