E-Mail may have been compromised, trying to figure out how

I am wondering if this has happened to anyone else, or if they know someone it has happened to. I am trying to figure out if I have been hacked or not, and if so, to what extent.

About a month ago my cousin's G-Mail account started sending mass spam to everyone on his contact list, so he changed his password. It happened twice again, though, until he added two-step verification. Thing is, he hasn't used his PC in months, if not years; he pretty much does everything from his phone and tablet, so it was very unlikely to have been a hack on his PC. I know smartphones aren't immune to viruses, but it's not rooted and he hasn't installed anything outside of the Android Market and Amazon Market. His tablet is WebOS, so there's practically no chance that one was hacked. And no, he's not stupid enough to fall for phishing or fake e-mail links.

Anyway, this morning this happened to me. Strangely though, none of my G-Mail accounts were compromised; my AOL account (which happens to be my main account) was... This makes even less sense. The e-mails all contained no subject, and all the body had was a link to a web domain. However, they were all different domains, which resolved to different IP addresses in different countries and were registered in different YEARS... but they all ended with the same HTML page: "mronimer1.html". Googling the domains and the HTML page gave me nothing. (e.g. (no, these are NOT real) www.site1.com.tr/mronimer1.html, www.site2.eu/mronimer1.html, www.site3.tr/mronimer1.html, etc.) Unless this guy has been registering random domains all over the world for the last 5-10 years and sprung his trap now, or hacked all of these sites and planted this mronimer1.html on all of them, this is just plain confusing to me.

I would chalk this up to my e-mail address being spoofed rather than hacked... except that these were all sent to people on my contact list (mostly auto-reply bots from various web forums and online stores). So... I guess that's not so much my contact list as it's people who have sent me an e-mail at one point... but anyway. They wouldn't have access to this information if it was just a spoof, right?

Any ideas how I can track down how I was hacked? Any way I can see how much of my system and passwords were compromised? The problem is, although I changed it, I don't REMEMBER my AOL password, and although I have dozens of passwords, I very likely used it on many other sites if they got hold of it. (Hey, I am literally subscribed to hundreds of websites, forums, etc. for the last 15 or so years; I can't possibly come up with a new password for each one and REMEMBER it. Many of these were before Firefox and keychain-type apps.)

Not much you can do. Perhaps you logged into an insecure computer at one point, perhaps you have a short and simple password, perhaps you registered somewhere and someone was able to get your email address and other information that could possibly lead to being able to gain access to your email account.

My Gmail account was compromised; I was able to quickly change my password prior to being blocked. I logged into an insecure, virus-infected computer, which is what caused it. No big deal, most of my other accounts don't use the same password, and any that did were changed.

Sorry that it's been a while since I replied.

It almost looks like my address was spoofed, except for the fact that they were sent to addresses on my contact list.

What's weird, though, is that none of the e-mails that were supposedly sent appeared in my outbox/sent folder. Is that normal? If they were sent from my account, would they have to appear there, or can they be hidden?

You really need to see the headers of one of the sent messages to see if it was actually sent from the Gmail system.

As to spoofing, it's quite easy to make an email look like it came from any address at all. Be it [email protected] or [email protected]

You need to look at the headers of the email to know what server the email actually originated from; it could be some zombied box in China or Ukraine, etc.

As to access to your contacts: quite possibly this was given away freely by you when you signed up for some service. Lots of services, both legit and not so much legit, ask for access to your contacts so they can spam them that you are using such a service, etc.

If we could see the headers of such a sent message to one of your contacts that said it came from you, we could clearly see if it was sent from Gmail or not, etc.

How do you know the contacts were not just from some other message that you sent to all users in your list, and they got compromised, and the infection on their part just picked a random address from the listing to say it's from that address? This is quite common currently.

You normally do not want to actually send from the email address of the account or machine you have control over; it makes it too easy to track down the source. It's better to just pick a random one from a list of names that are from a shared contact list or email and say it came from one of those, and just cycle through them as you send out the junk.

How do you know the contacts were not just from some other message that you sent to all users in your list, and they got compromised, and the infection on their part just picked a random address from the listing to say it's from that address? This is quite common currently.

Because the vast majority of them were sent to addresses which had sent me an e-mail but which I never sent one to nor added to my address book (usually "do not reply" type addresses that I am subscribed to, or confirming registration on a forum). But they were also sent to everyone on my contact list as well, and I rarely send an e-mail to more than, at most, two people at once.

Also, this was my AOL account that was infected, not my Gmail account.

AOL account -- really?? People still use that for email?

But again, look at the headers and you can see if it came from one of their servers or not. Takes 2 seconds to verify.

This occurred to me last year. The only reason I knew about it was because a friend of mine phoned me up after receiving porn spam (other users received it too). I also did not log in for 6 days. Google showed me the IP address in the logs (it was a thief who was in India), so after I was notified I cleared all cache + history before and after I changed the pass and other info.

+BudMan: he should be careful as even opening the mail could infect him with malware.

Sorry, but it's not possible to infect yourself by just opening an email; you have to run code. Unless your email client auto-runs code, and who the F would use such a client? Then no, there is NO FREAKING WAY to infect yourself by reading email in plaintext, which is how email was designed to be read in the first place ;)

If you want to know where an email came from, then you have to look at the actual headers, period. Any 8-year-old that can Google can send email "from" any name they wish.
