(OT) Google: "Somebody knows your password"

Volker Wysk
Hi

I've received a mail titled "Jemand kennt Ihr Passwort" ("somebody knows your
password") from Google, and a "security warning" mail, with the same contents.  
%-(

Somebody tried to access my google account with my password, from an (to
google) unknown device. The login was blocked, because of the device being
unknown to google. I was then guided to change my password, which I did. As
the location of the unknown device, the mail stated Essen (I live in Berlin).

The mail says (translation below):
"Jemand kennt Ihr Passwort

Hallo Volker,
Jemand hat gerade versucht, sich mit Ihrem Passwort in Ihrem Google-Konto
[hidden email] anzumelden, und dazu eine Anwendung, z. B. ein
E-Mail-Programm, oder ein Mobilgerät verwendet.

Details:
Freitag, 4. August 2017 03:24 (GMT) Google hat den Anmeldeversuch
unterbunden. Sie sollten sich jedoch trotzdem die kürzlich genutzten Geräte
ansehen: ..."

Translation:
"Somebody knows your password.

Hello Volker,
somebody has just tried to log in to your google account [hidden email], and
used an application, for instance an e-mail program, or a mobile device.

Details:
Friday, 4. August 2017 03:24 (GMT) Google has prevented the login attempt. You
nevertheless should look at the shortly used devices. ..."

Apart from that, I don't have any information.

So this means that my Google password was stolen, doesn't it? It was a strong
password, and I've used it for my google account only.

So how can this be..? And, will it happen again? I have no idea how someone
could get hold of my password. Sorry for the pointless mail. I'm just a little
nervous.

Volker


--
ubuntu-users mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
Re: (OT) Google: "Somebody knows your password"

Xen
Make sure this wasn't a phishing attempt.

I have never seen a Google email like that.

Google generally does not block logins. It just reports them.

If you changed your password through their link, your account may now be
compromised.

Regards.


Volker Wysk wrote on 04-08-2017 7:02:

> Hi
>
> I've received a mail titled "Jemand kennt Ihr Passwort" ("somebody knows
> your password") from Google, and a "security warning" mail, with the same
> contents. %-(
>
> Somebody tried to access my google account with my password, from an (to
> google) unknown device. The login was blocked, because of the device being
> unknown to google. I was then guided to change my password, which I did.

Re: (OT) Google: "Somebody knows your password"

Volker Wysk
On Friday, 4 August 2017, 07:32:18 CEST, Xen wrote:
> Make sure this wasn't a phishing attempt.
>
> I have never seen a Google email like that.
>
> Google generally does not block logins. It just reports them.
>
> If you changed your password through their link, your account may now be
> compromised.

The links are https://accounts.google.com/... and (enclosed)
https://myaccount.google.com/... . I assume that they can't fake a google.com
domain name, right?

What's more, I've changed the password in my smartphone and my fetchmail
configuration, and it works fine with the new password. When the old one was
still in place, I've got error messages for both.

Thank you for the hint.

Volker


Re: (OT) Google: "Somebody knows your password"

Xen
Volker Wysk wrote on 04-08-2017 7:46:

> The links are https://accounts.google.com/... and (enclosed)
> https://myaccount.google.com/... . I assume that they can't fake a
> google.com domain name, right?

If you can be sure you didn't actually visit something else, that is
correct.

> What's more, I've changed the password in my smartphone and my fetchmail
> configuration, and it works fine with the new password. When the old one
> was still in place, I've got error messages for both.

If you changed through someone else's service it might still have used
Google to effectuate the change but could have been a simulation around
it, in that case you indeed did change your password but then the hacker
would also know the new one and would keep it for reference.

Regards.

Re: (OT) Google: "Somebody knows your password"

Joel Rees

2017/08/04 14:57 "Xen" <[hidden email]>:
>
> Volker Wysk wrote on 04-08-2017 7:46:
>
>> The links are https://accounts.google.com/... and (enclosed)
>> https://myaccount.google.com/... . I assume that they can't fake a google.com
>> domain name, right?
>
>
> If you can be sure you didn't actually visit something else, that is correct.

DNS poisoning.

Or, if you are not using plaintext, the displayed URL can be different from the actual link.

>> What's more, I've changed the password in my smartphone and my fetchmail
>> configuration, and it works fine with the new password. When the old one was
>> still in place, I've got error messages for both.
>
>
> If you changed through someone else's service it might still have used Google to effectuate the change but could have been a simulation around it, in that case you indeed did change your password but then the hacker would also know the new one and would keep it for reference.
>

man-in-the-middle

Never visit the link in that mail again, just in case.

Use a different device, preferably on a network you trust, go directly to Google by typing the address in the browser URL field. Change your passwords again, to something completely different.


Re: (OT) Google: "Somebody knows your password"

Xen
Joel Rees wrote on 04-08-2017 8:05:

> Or, if you are not using plaintext, the displayed URL can be different
> from the actual link.

What Joel means is that HTML emails can hide the actual URL you are
visiting and show you something else.

The DNS poisoning thing would require for example a (Windows) computer
to be compromised and the "hosts" file to include an entry for
google.com or whatever, causing lookups for that domain to go there.
Unlikely perhaps. Same could happen on Linux but even more unlikely at
this stage.

With regards to SSL/TLS certificates... if there is a phishing attack and
the browser thinks it is going to https://account.google.com/ or
whatever, then the browser will request the certificate from the server.
It will then verify that the certificate contains the URL you just
visited, and that it can validate the certificate according to a root
certificate present in its own (local) database.

So typically it should not be possible that anyone can impersonate that
website, unless of course the computer was also compromised, and a
validating certificate was added by the hacker to the root certificate
store of your browser (or computer).

So if there is actually a malware on the computer then both could and
would be possible and you could indeed go to https://account.google.com 
or whatever and not know you were being misled.

If there is not any malware on the computer, then it should not ever be
possible.

I assume this isn't the case, so the only possibility would be that the
link you click on is different from what the browser shows you.

But I would indeed follow Joel's advice if I were you.

> Use a different device, preferably on a network you trust, go directly
> to Google by typing the address in the browser URL field. Change your
> passwords again, to something completely different.

Re: (OT) Google: "Somebody knows your password"

Ralf Mardorf-2
In reply to this post by Joel Rees
On Fri, 04 Aug 2017 07:02:10 +0200, Volker Wysk wrote:
>The login was blocked, because of the device being
>unknown to google.

Hi,

they check device strings? Did you ever confirm a device string? I
suspect that this sentence is evidence of phishing.

Assuming they should care about what browser you are using and/or that
you are perhaps using "User-Agent: KMail/5.2.3 (Linux/4.4.0-87-generic;
KDE/5.36.0; x86_64; ; )" to access Google mails. What happens if you
update KMail, the Kernel or KDE?

Assuming they should verify the IP, then why do they call it another
device and not another location or IP?

On Fri, 4 Aug 2017 15:05:16 +0900, Joel Rees wrote:
>Or, if you are not using plaintext, the displayed URL can be different
>from the actual link.

We should explain that. Joel isn't talking about plain text for mails
the original poster sends, what he is talking about are mailers that
display HTML emails by using HTML and sometimes even by
automatically downloading remote content.

However, usually such mailers show the real URL in the status bar, it
at least is shown by viewing the message source.

FWIW phishing mails are usually not very tricky, the authors usually
don't spend time to camouflage anything, so most likely the link shown
in the status bar, if you hover the mouse pointer over the link in the
message, is the real link and most likely the "Received" path shown by
the message source is useful, to see if the mail was sent from Google.

Btw. did you send a request to Google support? Not by using a link of
the mail, simply by visiting a website from Google.

Did you care about Google FAQs, e.g.
https://support.google.com/accounts?ctx=gcp#topic=3382296 ?

Chances are close to 100% that the mail is a phishing mail.

Regards,
Ralf


Re: (OT) Google: "Somebody knows your password"

Ralf Mardorf-2
PS: Are you using "2-Step Verification"?
https://www.google.com/landing/2step/#tab=how-it-protects

This at least would explain how they detect your device, but then
somebody knowing your password can't access your account.


Re: (OT) Google: "Somebody knows your password"

Joel Rees
In reply to this post by Ralf Mardorf-2

> However, usually such mailers show the real URL in the status bar, it
> at least is shown by viewing the message source.

The status bar can also be overridden, of course.

You should never click a link you get in mail.

When you have no other choice, and you really, really have to use the URL you got in the message, you should right-click and copy the link, then paste it into a plain text editor window to look at. Then (because paste buffers can also be programmed into) if the URL is one you know, select it in the text editor and copy what you know is a plaintext URL.

And watch for redirections hidden in the long URLs.

Even when you are reading mail in plaintext, Unicode provides characters that allow spoofing addresses. For example, goog1e.com would be easy to miss. And it doesn't help that URLs can now contain (for example) Greek and Russian characters. Registrars are supposed to watch for look-alike URLs, but they miss some from time to time.

(Browsers really should change background colors when showing URLs that contain characters from more than one language.)

--
Joel Rees

Yeah, be careful with links in signatures, too:
http://reiisi.blogspot.com


Re: (OT) Google: "Somebody knows your password"

Joel Rees
In reply to this post by Xen

> The DNS poisoning thing would require for example a (Windows) computer to be compromised and the "hosts" file to include an entry for google.com or whatever, causing lookups for that domain to go there. Unlikely perhaps. Same could happen on Linux but even more unlikely at this stage.
>

Well, if the OP is the target of an orchestrated attack, the poisoning could actually be on another machine, maybe in the LAN or even in the ISP's network. That's the reason for all the talk about https, but you should still be careful.


Re: (OT) Google: "Somebody knows your password"

Xen
In reply to this post by Joel Rees
Joel Rees wrote on 04-08-2017 10:44:

> Yeah, be careful with links in signatures, too:
> http://reiisi.blogspot.com

My understanding of the Japanese language has seriously been compromised
by following that link.

仕方が無い ;-).

Re: (OT) Google: "Somebody knows your password"

Grizzly-4
In reply to this post by Xen
04 August 2017  at 9:49, Xen wrote:
Re: (OT) Google: "Somebody knows yo (at least in part)

>The DNS poisoning thing would require for example a (Windows) computer
>to be compromised and the "hosts" file to include an entry for
>google.com or whatever, causing lookups for that domain to go there.
>Unlikely perhaps. Same could happen on Linux but even more unlikely at
>this stage.

Or the OP's DNS server to have been hacked?

Re: (OT) Google: "Somebody knows your password"

Xen
In reply to this post by Joel Rees
Joel Rees wrote on 04-08-2017 10:51:

> Well, if the OP is the target of an orchestrated attack, the poisoning
> could actually be on another machine, maybe in the LAN or even in the
> ISP's network. That's the reason for all the talk about https, but you
> should still be careful.

That could be true of course.

Generally, infecting the ISP (or Google) seems more difficult.

Some ISPs may even use Google's servers (8.8.8.8).

The majority of phishing mails would be random.

I have never experienced a targeted phishing mail on a service I
actually used.

90% at least is stuff I don't use.

Or stuff I do use but with a different email address ;-).

In case of Google the phishers have it easy of course.

So although that would be possible... idk it just seems less likely and
a computer compromised is also much less likely than a regular phishing
attempt.

After all, if your computer is compromised they don't need you to visit
a web page.

They can just install a keylogger.

But DNS poisoning of an ISP is not going to be easy. So 99.999999% of
cases you will just see a phishing mail that will do what Joel
suggests, hide the fact that you are going elsewhere.

Re: (OT) Google: "Somebody knows your password"

Ralf Mardorf-2
On Fri, 4 Aug 2017 17:44:17 +0900, Joel Rees wrote:
>The status bar can also be overridden, of course.

100% of the phishing mails I received were very simple. A mailer would
show the correct URL in the status bar. In my case, I'm using Claws, I
anyway do not display HTML, let alone remote content. Those using Claws
with the fancy plugin suffer from more serious issues, than the risk to
receive a phishing mail. This is related to the old webkit's CVEs, let
alone that the old webkit already is dropped by some distros and will be
dropped soon by Debian/Ubuntu, too.

>You should never click a link you get in mail.

I'm doing this all the time and have never run into an issue.

>And watch for redirections hidden in the long URLs.

Even if the browser should follow redirections, in the end taking a
look in the browser's address bar shows the truth. I expect a reply,
that the address shown in the address bar could be a fake, but again,
100% of all phishing mails I received, at least all of them I
"tested", were not that advanced. Btw. usually phishing mails do not
look completely equal to the mails from the service they imitate and
very often, even if sentence construction and spelling should be without
mistakes, the wording used appears to be fishy in one or the
other part of the mail.

On Fri, 04 Aug 2017 11:54:20 +0200, Xen wrote:
>I have never experienced a targeted phishing mail on a service I
>actually used.
>
>90% at least is stuff I don't use.
>
>Or stuff I do use but with a different email address ;-).

+1 so actually 100% are easy to identify as spam/phishing mails. I also
expect the providers of the service I'm using, not to send me private
emails e.g. via a mailing list. If the mail regarding security issues of
your American Express card is available by the FreeBSD questions
mailing list archive and it should be really a mail from American
Express, then the risk seems to be caused by American Express and nobody
else, so better get rid of your American Express card.


Re: (OT) Google: "Somebody knows your password"

Volker Wysk
In reply to this post by Joel Rees
On Friday, 4 August 2017, 15:05:16 CEST, Joel Rees wrote:
> Or, if you are not using plaintext, the displayed URL can be different from
> the actual link.

I'm displaying mails as text by default. When it is an HTML mail, a message
appears and you can turn on HTML display. That's the default behaviour for
KMail.

> >> What's more, I've changed the password in my smartphone and my fetchmail
> >> configuration, and it works fine with the new password. When the old one
> >> was still in place, I've got error messages for both.
> >
> > If you changed through someone else's service it might still have used
> > Google to effectuate the change but could have been a simulation around
> > it, in that case you indeed did change your password but then the hacker
> > would also know the new one and would keep it for reference.
>
> man-in-the-middle
>
> Never visit the link in that mail again, just in case.
>
> Use a different device, preferably on a network you trust, go directly to
> Google by typing the address in the browser URL field. Change your
> passwords again, to something completely different.

Okay, I've done this.

Thnx
Volker


Re: (OT) Google: "Somebody knows your password"

Volker Wysk
In reply to this post by Xen
On Friday, 4 August 2017, 09:49:56 CEST, Xen wrote:
> The DNS poisoning thing would require for example a (Windows) computer
> to be compromised and the "hosts" file to include an entry for
> google.com or whatever, causing lookups for that domain to go there.
> Unlikely perhaps. Same could happen on Linux but even more unlikely at
> this stage.

I'm using two Linux machines (desktop and laptop)... I've just used the laptop
to change the google password again (following Joel's advice). So unless my
laptop has malware on it, the attacker wouldn't have my new password, right?

> With regards to SSL/TLS certificates... if there is a phishing attack and
> the browser thinks it is going to https://account.google.com/ or
> whatever, then the browser will request the certificate from the server.
> It will then verify that the certificate contains the URL you just
> visited, and that it can validate the certificate according to a root
> certificate present in its own (local) database.

There was no message from any of the two browsers (desktop/laptop) about
untrusted certificates.

> So typically it should not be possible that anyone can impersonate that
> website, unless of course the computer was also compromised, and a
> validating certificate was added by the hacker to the root certificate
> store of your browser (or computer).
>
> So if there is actually a malware on the computer then both could and
> would be possible and you could indeed go to https://account.google.com 
> or whatever and not know you were being misled.
>
> If there is not any malware on the computer, then it should not ever be
> possible.

So I think...

> I assume this isn't the case, so the only possibility would be that the
> link you click on is different from what the browser shows you.

It wasn't an HTML mail...


Bye
Volker


Re: (OT) Google: "Somebody knows your password"

Volker Wysk
In reply to this post by Joel Rees
On Friday, 4 August 2017, 17:51:47 CEST, Joel Rees wrote:
> Well, if the OP is the target of an orchestrated attack, the poisoning
> could actually be on another machine, maybe in the LAN or even in the ISP's
> network. That's the reason for all the talk about https, but you should
> still be careful.

I couldn't find a definition of "orchestrated attack" on the web. From what I've
read, an "orchestrated attack" is an attack that involves multiple
(compromised) machines. Correct?

Bye
Volker


Re: (OT) Google: "Somebody knows your password"

Xen
In reply to this post by Volker Wysk
Volker Wysk wrote on 04-08-2017 14:42:

> It wasn't an HTML mail...

Google absolutely sends HTML email! But maybe those are preferences.

You can check this link to check all device history of the last 28 days:

https://myaccount.google.com/device-activity

Re: (OT) Google: "Somebody knows your password"

Xen
In reply to this post by Volker Wysk
Volker Wysk wrote on 04-08-2017 14:53:

> On Friday, 4 August 2017, 17:51:47 CEST, Joel Rees wrote:
>> Well, if the OP is the target of an orchestrated attack, the poisoning
>> could actually be on another machine, maybe in the LAN or even in the
>> ISP's network. That's the reason for all the talk about https, but you
>> should still be careful.
>
> I couldn't find a definition of "orchestrated attack" on the web. From
> what I've read, an "orchestrated attack" is an attack that involves
> multiple (compromised) machines. Correct?

He meant that the phishing attack would be preceded by a "set up" in
which some infrastructure would be in place to facilitate the wider
attack.

For example sometimes certificate authorities are compromised and used
to issue valid certificates for domains such as google.com or
accounts.google.com, which the certificate structure should prevent.

Re: (OT) Google: "Somebody knows your password"

Jared Norris
In reply to this post by Volker Wysk
Hi Volker,

I hate to point out the obvious but really you should contact google to sort this out. Emailing a random mailing list will only give you random responses such as the ones you've received. You don't call the phone company when the airline cancels your flight.....

Regards,

Jared
