Shortly after writing my first post, a close friend of mine had his email account compromised. His main email account began sending spam to everybody in his contact list, this included his close friends, professors, and professional contacts. He asked me, “What do I do now?”. Clearly he needed it to stop ASAP and a moderate amount of damage control needed to be done to identify what had happened and how the hacker was able to recover his credentials.
Did somebody shoulder surf him? Was his computer infected with a virus or a keylogger? Is the perpetrator a malicious individual who happened to see his account logged in at a public terminal? We don’t know. Thus thus the paranoid geek in me would like to rule out any and all possibilities to minimize the chance of reoccurrence. Time was of the essence and there was no time to spare.
My friend - we’ll call him Bob - wanted to know what he could do right now to minimize the damage done. Clearly he didn’t want to have old colleagues contact him saying, “Hey Bob, I don’t need those pills. Thanks for thinking of me,” from a perspective employer he just applied to. Nor does he need a message from his mother asking him what ‘\/14GR4’ is. I outlined a plan for him to recover ASAP to minimize damages. I propose the following steps:
- Change the locks
- Stop & think
- Clean your computer
- Damage Control
Change the locks - The first thing I told Bob to do was to change his password. If his credentials were stolen by a malicious friend, co-worker, or keylogging software, they will no longer be valid once he changed his credentials. Most malware tend to send captured credentials to their Command and Control servers on a schedule. This will buy Bob some time before his credentials are potentially leaked out again to the Spammers. Thankfully Bob’s email account was through Gmail, which means he was able to log-out the attackers as well remotely through his current session. For more information on how to do this, see this following blog post from Google’s Gmail team.
Stop & think - Think about your computer activities for the past week. What locations have you used to log into your account within the past 7 days? Has anything unusual happen with your account as of late (i.e. logged in from friend’s house, lent your personal computer to a friend, installed a new piece of software on your computer)? Any and all of these activities could have been your undoing. If you have used a public terminal, chances are your home computer is fine. If you’ve just downloaded the latest Just Bieber Concert video from a non-reputable site or service and proceeded to jam out to it, you might have been attacked through that vector as well.
Clean your computer - After thinking through the possible scenarios that may have caused you to be infected in the first place, you can begin cleaning your personal computer. Why? Because chances are that you were infected through your personal computer, and I did mention that we’d err on the side of caution (see: paranoia). This will take some time and will not be easy. HardForum has an excellent how-to guide on how to remove Virus/Trojan/Malware from your computer. Once you’ve followed the guide, move on to the next step.
Damage Control - Now you will need to clean up the damage that was left behind by the attackers. The type of account compromised really dictates how you should move forward. For example, if your email account was compromised, you will need to notify all people that have been spammed (see your Sent folder) that the previous message was not sent by you. You will need to explain to people the steps that you’ve taken in order to prevent it from happening again.
Monitor - You will now need to closely monitor your account activity for the next few months. If your account once again becomes compromised, if can mean a multitude of things. Most likely is that you were unable to clear out all the infections on your computer. Clearly drastic measures are needed if you hope to get rid of the infection once and for all. The only known 99.999% effective measure is to completely wipe and reload your computer. Alternatively you may have been re-infected due to an activity that you are doing on your computer. This activities may include visiting questionable sites, participating in illegal file sharing, and not having proper counter-measures up to protect yourself (i.e. anti-virus, firewall, updated computer)