
I have seen an issue where an account has been compromised and someone is routinely emailing out the contents of a Google Doc to another Gmail account. The account password has been changed and the filters have been checked, but the emails persist.

The email isn't a spam or chain email. It targets 1 specific Google Doc and emails it daily to 1 specific Gmail address from the compromised account. The emails also persist even though the password has been changed.

How can an attacker be scripting this and how can the script be interrupted?

Here are the email headers in the sent email:

Delivered-To: myemail@email.com
Received: by 10.140.134.81 with SMTP id 78cs1537032qhg;
    Sun, 22 Mar 2015 23:28:01 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.140.148.68 with SMTP id 65mr73192201qhu.6.1427092081496;
    Sun, 22 Mar 2015 23:28:01 -0700 (PDT)
Date: Mon, 23 Mar 2015 06:28:01 +0000
Subject: attacker
From: myemail@email.com
To: attacker@gmail.com
Content-Type: text/plain; charset=ISO-8859-1; format=flowed; delsp=yes
essefbx

1 Answer


Most likely, the attacker has embedded a script in the document or in another document in the same account. Check all of the documents for embedded scripts and make sure there are no stand-alone scripts either.

Also make sure that none of the files have been shared with an external user id.

Then make sure the user turns on 2-factor authentication on their account. Although this can be a bit of a pain, the added security is well worth it when you can lose so much if you lose control of your account.

Julian Knight