How the PlayStation Network Attack, Password Reuse and an Unmonitored Account Resulted in Mass Phishing
By Sathya Bhat on May 9th, 2011

Today seemed like just another day. Little did I know that, in a span of about 20 minutes, the resulting chain of events would be hugely embarrassing for me. I had barely woken up when my phone started going bonkers with notifications from emails, chats and Twitter replies. A glance at the notifications indicated that my email account had been compromised and that phishing emails had been sent to everyone in my contacts list.

The Analysis

I logged into my Google Apps email account and had a look at the recent account activity details; nothing out of the ordinary there.

[Screenshot: Gmail Recent Account Activity]

Checking the Sent folder showed that no emails had been sent recently. It then occurred to me to check my other, older Gmail account.

And indeed, as soon as I logged in to that Gmail account, there was a huge red banner indicating activity from China.

[Screenshot: Gmail Suspicious Activity]

Sure enough, the Sent folder had a copy of the spam mail.

[Screenshot: Spam email]

So, what went wrong? It all boils down to a combination of the PlayStation Network break-in, some bad habits from years ago and some nice features of Gmail, which together made the phishing email look as if it came from my current domain account instead of the old Gmail account. Let’s have a look at each vector:

  1. PlayStation Network break-in
  2. Not monitoring my email account
  3. Password reuse
  4. “Send mail as” and Reply-to set to my domain address

PlayStation Network break-in

The PlayStation Network was breached recently, and the details of all 77 million accounts were compromised as a result. I firmly believe this is the primary reason behind my email account being compromised. The fact that my email account was accessed from a Chinese IP address, barely 2 days after the break-in, before the mails were sent off is proof enough to convince me that the user information was sold off to spammers in China.

Not monitoring my email account

Before switching over to my Google Apps account, I had been using this Gmail account. Once the Google Apps account had been set up, I migrated all my contacts and mail over to it. Furthermore, I had set up automatic forwarding so that any stray email sent to the old address would be fetched and delivered to my new account. The result was that I never logged into, let alone monitored, the old account. Had I been monitoring it, I would have noticed the big red banner under Gmail’s unusual activity warning and would have changed the password right then.
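The check that would have caught this is a simple one: look at where an account is being logged into from and alert on anything that is outside the owner’s usual countries or is the first login ever seen from a new country. The script below is an added example, not code from the original post or from Google; it runs over a small constructed list of “recent activity” style records (timestamps, access type, IP and country are all made up, the IPs come from documentation ranges) and flags the two Chinese logins while leaving the owner’s Indian ones alone.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample in the shape of Gmail's "recent activity" table:
# (timestamp, access type, source IP, country). Not real data; the IPs are
# from the RFC 5737 documentation ranges.
SAMPLE_ACTIVITY = [
    ("2011-05-05 08:12", "Browser", "203.0.113.7",   "IN"),
    ("2011-05-06 21:40", "POP3",    "203.0.113.7",   "IN"),
    ("2011-05-08 03:15", "Browser", "198.51.100.23", "CN"),
    ("2011-05-08 03:22", "Browser", "198.51.100.23", "CN"),
]


@dataclass
class LoginEvent:
    when: datetime
    access: str
    ip: str
    country: str


def parse_activity(rows):
    """Turn the raw (timestamp, access, ip, country) tuples into LoginEvents."""
    return [
        LoginEvent(datetime.strptime(ts, "%Y-%m-%d %H:%M"), access, ip, country)
        for ts, access, ip, country in rows
    ]


def flag_logins(events, trusted_countries):
    """Return (event, reason) pairs worth alerting on.

    Two independent checks, both of which a dormant account owner should
    have running:
      * the login comes from a country outside the owner's trusted set;
      * the login is the first one ever seen from that country, judged
        against the account's own history up to that point (so the first
        CN login is flagged even if the owner forgot to list trusted
        countries at all).
    """
    seen = set()
    flagged = []
    for e in sorted(events, key=lambda ev: ev.when):
        reasons = []
        if e.country not in trusted_countries:
            reasons.append("outside trusted countries")
        if e.country not in seen:
            seen.add(e.country)
            # The very first login in the history establishes the baseline
            # and is not a "new" country by itself.
            if seen != {e.country}:
                reasons.append("first login from this country")
        if reasons:
            flagged.append((e, "; ".join(reasons)))
    return flagged


if __name__ == "__main__":
    # Owner normally logs in from India only (assumption for the example).
    for event, reason in flag_logins(parse_activity(SAMPLE_ACTIVITY), {"IN"}):
        print(f"{event.when:%Y-%m-%d %H:%M} {event.access:8} {event.ip:15} "
              f"{event.country}  <- {reason}")
```

Running it prints the two 2011-05-08 logins from 198.51.100.23; the first carries both reasons, the second only the trusted-country one. The same logic applies to any service that exposes a login history or an audit log, not just Gmail.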

Password reuse

You’ve heard this before lots of times, and probably are guilty of it: password reuse means using the same password across most or all of the web services you use. What starts as a convenience turns out to be a single point of failure; access to that one password is enough for spammers or hackers to gain access to all your accounts. In my case, password reuse is something I had kicked out quite some time ago (thanks to LastPass), but back when I had set up these accounts I had used the same password for Gmail and PSN. With spammers getting hold of my password through the PSN break-in, and my earlier mistake of having used the same password, getting access to my account was easy.
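The practical follow-up to a breach like PSN’s is to audit your own vault for the blast radius: which other accounts share the leaked password? The script below is an added example (not the author’s or LastPass’s code) that runs over a constructed password-manager export and a constructed breach list. Breach dumps are usually circulated as hashes rather than plaintext, so the audit hashes each vault password with SHA-1 and compares against the dump that way, the same shape as the Have I Been Pwned password list; the site names, usernames and passwords are all made up.

```python
import hashlib
from collections import defaultdict

# Constructed password-manager export: (site, username, password). Not real.
VAULT = [
    ("psn.example",   "cpg", "Tr0ub4dor&3"),
    ("gmail.example", "cpg", "Tr0ub4dor&3"),
    ("apps.example",  "cpg", "Tr0ub4dor&3"),
    ("bank.example",  "cpg", "correct horse battery staple"),
]


def sha1_hex(password):
    """Upper-case hex SHA-1, the format most leaked-password lists use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a leaked credential dump published as SHA-1 hashes.
# It contains the (made up) PSN password and one filler entry.
BREACHED_SHA1 = {sha1_hex("Tr0ub4dor&3"), sha1_hex("123456")}


def reuse_groups(vault):
    """Group vault entries by password; any group larger than one is reuse.

    Returns {password: [site, ...]} for reused passwords only, preserving
    the order sites appear in the vault.
    """
    groups = defaultdict(list)
    for site, _user, password in vault:
        groups[password].append(site)
    return {pw: sites for pw, sites in groups.items() if len(sites) > 1}


def blast_radius(vault, breached_hashes):
    """Sites that can be opened with a password present in the breach dump.

    Only hashes cross the boundary: the vault's plaintext never has to be
    compared against anyone else's plaintext.
    """
    return [site for site, _user, pw in vault if sha1_hex(pw) in breached_hashes]


if __name__ == "__main__":
    for pw, sites in reuse_groups(VAULT).items():
        print(f"password shared by {len(sites)} sites: {', '.join(sites)}")
    exposed = blast_radius(VAULT, BREACHED_SHA1)
    print(f"accounts reachable with a breached password: {', '.join(exposed)}")
```

For this vault the reuse report and the blast radius are the same three sites: the PSN password also opens the Gmail and Google Apps accounts, which is exactly the failure described above. Only the bank account, with its own password, stays outside the blast radius. Anything the audit lists needs a new, unique password, not just the service that was breached.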

“Send mail as” and Reply-to set to my domain address

Gmail has this nice “Send mail as” feature: it allows email sent from one Gmail account to appear as if it originated from another address that you control (you have to verify the other address first). I had used this feature, with Reply-to set to my current email address, during the migration from Gmail to Google Apps. After the migration, however, I let these settings remain as they were and never removed them, so anyone sending mail from the old account could make it appear to come from my domain address.
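What the recipients saw, and how to tell the two accounts apart, comes down to mail headers. The example below is added here and is not the author’s code; it constructs a message the way a client with a “Send mail as” alias typically does (From and Reply-To carry the alias, Sender carries the authenticated account) and then checks whether the visible From matches the account that really sent it. That a given provider stamps the originating account into Sender or Return-Path is an assumption for the example; the addresses use made-up .example domains.

```python
import email
from email.message import EmailMessage
from email.utils import parseaddr


def build_send_as_message(send_as, reply_to, subject, body, origin_account=None):
    """Construct a message as a 'Send mail as' client would.

    From and Reply-To show the alias the user picked; if the provider records
    the authenticated account it does so in Sender (assumption for this
    example, not something every provider does).
    """
    msg = EmailMessage()
    msg["From"] = send_as
    msg["Reply-To"] = reply_to
    if origin_account:
        msg["Sender"] = origin_account
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def reply_target(msg):
    """Address a reply goes to: Reply-To wins over From, which is exactly
    why a stale Reply-To pointed every reply at the domain account."""
    header = msg.get("Reply-To") or msg.get("From", "")
    return parseaddr(header)[1].lower()


def origin_mismatch(msg):
    """Return the originating account if it differs from the visible From,
    else None. Sender is set by the submitting client; Return-Path is added
    by the receiving MTA on delivery, so a received copy may carry either."""
    visible = parseaddr(msg.get("From", ""))[1].lower()
    for hdr in ("Sender", "Return-Path"):
        value = msg.get(hdr)
        if value:
            actual = parseaddr(value)[1].lower()
            if actual and actual != visible:
                return actual
    return None


if __name__ == "__main__":
    spam = build_send_as_message(
        send_as="me@mydomain.example",          # what recipients see
        reply_to="me@mydomain.example",         # where their replies go
        subject="Check this out",
        body="(constructed phishing body)",
        origin_account="old.account@gmail.example",  # the broken-into account
    )
    # Round-trip through the wire format, as a recipient's client would see it.
    received = email.message_from_string(spam.as_string())
    print("replies go to :", reply_target(received))
    print("really sent by:", origin_mismatch(received))
```

Run on the constructed message, both functions point at the old Gmail account as the true origin while every reply is routed to the domain address, which matches what happened here. A message whose From and Sender agree (or that has no Sender at all) gives None, so the same check can sit in a mail filter to warn about mail that claims one identity but was submitted from another.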

End result of all of these:

  • My Gmail account was broken into
  • Every address in my contacts list was sent a phishing email
  • To make things worse, the mails appeared to originate from my domain account rather than from the dormant Gmail account

So, what happened then?

As I mentioned above, soon after the email went out, I received numerous emails, IMs and Twitter replies about phishing mail being sent from my account. I followed the steps outlined by Keith in his earlier post on how to handle a situation like this. I changed the password on the old Gmail account immediately (mind you, the previous password was not a dictionary word, nor was it easy to guess or brute-force). I then sent an apology email to the unintended recipients of the phishing mail. (Un)fortunately, Gmail had already marked mail coming from that account as suspicious, warning recipients that the account might have been compromised, so I had to reply to some people to confirm that the second email was a genuine one from me.

Learnings from this event

As a moderator on Super User, I take pride (and great pains as well) in knowing how to keep accounts from being compromised and in trying to ensure that mine never are. Today’s incident has been a huge embarrassment, and a learning experience, for me. To summarize:

  • The ghost of your past bad practices will return!
  • Never, ever let any account, especially one as critical as email, go unmonitored, even if it is dormant. If you aren’t using it, close it or delete it.
  • In the event of any service break-in, always change the password, and change it everywhere that password was used.
  • Don’t use the same password for more than one service.

Author: Sathya Bhat
Sathyajith aka "Sathya" or "cpg" loves working on computers, and actively participates in many online communities. Sathya is a Community Moderator on Super User, a collaboratively maintained Q&A site which is part of the Stack Exchange network. Sathya also contributes to and is a Super Moderator at Chip India Forums. While not writing SQL queries or coding in PL/SQL, Sathya is also a gamer, a Linux enthusiast, and maintains a blog on Linux & OpenSource. You can reach Sathya on twitter.

Sathya Bhat can be contacted at sathya@techie-buzz.com.
