Standard User RobertoS
(sensei) Wed 03-Oct-12 20:49:40
Phishing re gmail accounts?
 
I received two emails today, timed almost simultaneously, to one of my non-RobertoS domains.

The first, to name1@mydomain :-
We have received your request to add name1@mydomain to your Google Account. Please click on the link below to verify this request....
Of course I would do no such thing. Note name1 is not a legitimate name on my domain, nor on any gmail account that I hold. I do accept all emails to the domain then blacklist unwanted ones such as name1, but this one is more worrying than normal spam.

The second was sent to name1 name2 <name1@mydomain> :-
Congratulations on creating your brand new Gmail address, [email protected] ....
I can find no way of reporting this to google. All I can find is the way to report phishing emails received on my gmail address.

So is it phishing? The links within the emails of course look legitimate, but other than one gmail support video I have found that quotes one possible "invalid" link, there seems no way of verifying the links given. There doesn't seem to be a list of valid links.

I've checked the only google account I am aware of that has nick@mydomain as its signin and it appears unharmed.

Any ideas anyone please? What I would obviously most like to do is to forward the two emails to a phishing or similar address at google, in the same way as you can to banks.

My broadband basic info/help site - www.robertos.me.uk
Domains,website and mail hosting - Tsohost. Connection - Plusnet Extra Fibre (FTTC). Sync ~ 56.0/13.9Mbps @ 600m.

"Where talent is a dwarf, self-esteem is a giant." - Jean-Antoine Petit-Senn.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Allergy information: This post was manufactured in an environment where nuts are present. It may include traces of understatement, litotes and humour.
Standard User yarwell
(sensei) Wed 03-Oct-12 21:06:23
Re: Phishing re gmail accounts?

[re: RobertoS]
 
In general I look at the sending domain or domain that it links to and make abuse reports to the relevant domain abuse address.

Looking at the source code / "original message" you should see the domain of the links.

--

Phil

MaxDSL - goes as fast as it can and doesn't read the line checker first.

MaxDSL diagnostics
Standard User RobertoS
(sensei) Wed 03-Oct-12 21:15:53
Re: Phishing re gmail accounts?

[re: yarwell]
 
I did and all looked OK.

However, the example the google video gave also looked OK. They pointed out that it was the subdomain name before the main domain that was the phishing clue, and said what the correct link was for the particular facility.

All the links in these two emails are subdomains of google.com, but there is no way of reporting the problem.

Hence my post asking what to do, and my complaint that there isn't a list of valid links.

Standard User yarwell
(sensei) Wed 03-Oct-12 21:49:05
Re: Phishing re gmail accounts?

[re: RobertoS]
 
If the links when viewed in message source are all to Google sites then it probably isn't phishing. For clarity I mean the actual links viewed in plain text, not the GUI stuff built to con you!

I have a couple of people that use my Gmail address in error (and others do) which can be entertaining.

Make an abuse report to origination of emails ?

http://www.google.com/safebrowsing/report_phish/

support.google.com/mail/bin/request.py?contact_type=abuse&&hl=en

--

Phil

Standard User RobertoS
(sensei) Wed 03-Oct-12 22:37:23
Re: Phishing re gmail accounts?

[re: yarwell]
 
Ummmm.

Thanks for the links. Maybe I'm being thick, but I don't see how either helps.

The point being that there is nothing identifiably suspect in either email. The second looks identical to a couple I recently received when I did set up a couple of gmail addresses. The first doesn't look at all odd either, coming from From: [email protected].

What I want to do is get google to find out what is triggering these. As both seem to be genuinely from google/gmail I don't see how to do that on either of those links.

The first by itself I would just have ignored - that's what such are about. But for the second to come addressed as it is implies to me something more serious than a mistaken mydomain being entered at the setup request phase. From the "From" given above, it seems that a gmail address has been successfully set up, associated with name1@mydomain. How can that be, given that I didn't do anything with the verification request email? Both happened hours before I saw them.

Standard User RobertoS
(sensei) Wed 03-Oct-12 22:40:59
Re: Phishing re gmail accounts?

[re: RobertoS]
 
Re the second one, saying name1name2@gmail has been set up. From "Gmail Team" <[email protected]>

Standard User RobertoS
(sensei) Wed 03-Oct-12 23:03:39
Re: Phishing re gmail accounts?

[re: yarwell]
 
Just used the second one. Managed to get the problem described. The final message is of course very discouraging, implying I will never hear anything about it.
Thank you for submitting a report. We take our users' privacy and security very seriously, so we appreciate your concern. We will use the information you provide to conduct an investigation. We will contact you if we need more details; however, you will not receive a response or email acknowledgment of your submission.


Standard User XRaySpeX
(eat-sleep-adslguide) Wed 03-Oct-12 23:36:59
Re: Phishing re gmail accounts?

[re: RobertoS]
 
Can you log in to your newly "acquired" Google a/c's, even if you pretend to have forgotten your pwd?

1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 19 Meg WBC
Standard User RobertoS
(sensei) Wed 03-Oct-12 23:57:29
Re: Phishing re gmail accounts?

[re: XRaySpeX]
 
That's a thought. But what I was thinking earlier was that the Verification link would seem to have been used? So HMMMM. Either someone has access to this m/c or to my mail host.

C e n s o r e d words!

Full scan next. (Now running, but there have been a few background "Quick scan" scans today.)
Then mail host password change.

Standard User yarwell
(sensei) Thu 04-Oct-12 01:27:34
Re: Phishing re gmail accounts?

[re: RobertoS]
 
The point being that there is nothing identifiably suspect in either email
So the IP address that originated the email is in Google's ownership ?

and the links as verified in the code are also in Google's hands ?

The From address, as I'm sure you know, is a text field entered by the mail client software, and not a verifiable indication of anything.

if you C&P the headers I'll have a poke around. It does sound a bit obscure as described.

--

Phil

Standard User RobertoS
(sensei) Thu 04-Oct-12 04:06:48
Re: Phishing re gmail accounts?

[re: XRaySpeX]
 
In reply to a post by XRaySpeX:
Can you log in to your newly "acquired" Google a/c's, even if you pretend to have forgotten your pwd?
smile
So I try to log into the gmail one and the Forgotten password page, when given name1@mydomain says
No account found with that email address.
Then I tried to log into name1@mydomain. Same result.

Standard User b4dger
(knowledge is power) Thu 04-Oct-12 12:40:39
Re: Phishing re gmail accounts?

[re: RobertoS]
 
Looks like people are having a go at Gmail.
Here's an image/tweet of a Gmail phishing attempt sent earlier to a Mozilla developer : https://twitter.com/i/#!/codepo8/media/slideshow?url...

@Yarwell
If the email was via Gmail then I don't believe you can find the originator's IP - Gmail doesn't give that away (last time I checked) and all addresses will be for Google.

'View source' and look to see if the links are taking you somewhere malicious etc.

Standard User Malwaremike
(member) Thu 04-Oct-12 13:54:18
Re: Phishing re gmail accounts?

[re: RobertoS]
 
I've had a couple of these too, and have noted reference to them on another forum. As you say, somebody's having a go at Google, but it's difficult if not impossible to report the spoofs. Understandable perhaps given the millions of accounts out there.
Standard User b4dger
(knowledge is power) Thu 04-Oct-12 13:59:08
Re: Phishing re gmail accounts?

[re: Malwaremike]
 
If you are using the Gmail interface you can report phishing or scams with a couple of clicks: http://support.google.com/accounts/bin/answer.py?hl=...

smile

Standard User Oliver341
(knowledge is power) Thu 04-Oct-12 14:04:19
Re: Phishing re gmail accounts?

[re: RobertoS]
 
As mentioned previously, copy/pasting the email into this thread in its "raw" format would give the best diagnosis (edit out personal info).

How to do this varies in each email client. In Windows Live Mail it's:
Right-click > Properties > Details > Message Source

Oliver.
Standard User RobertoS
(sensei) Thu 04-Oct-12 14:41:37
Re: Phishing re gmail accounts?

[re: Oliver341]
 
I've no problem with that, except for one question. I did start a PM to yarwell with them, but it was late and I was expecting a hectic day today, so packed it in. (In fact today has been a nightmare).

It's easy enough to edit out my private domain, but what about the MIME gibberish that AIUI contains most of the email in a coded form. I was worried about posting that stuff in case decoding it gave that domain.

Standard User RobertoS
(sensei) Thu 04-Oct-12 15:17:03
Re: Phishing re gmail accounts? *DELETED*

[re: b4dger]
 
Post deleted by RobertoS

Edited by RobertoS (Thu 04-Oct-12 18:45:48)

Standard User b4dger
(knowledge is power) Thu 04-Oct-12 15:38:12
Re: Phishing re gmail accounts?

[re: RobertoS]
 
FYI - your l.... domain is visible from the Google links.
You might want to strip out the links?

If you ignore a force Google verification you should stay safe unless someone else knows your password to verify.

Edited by b4dger (Thu 04-Oct-12 18:11:43)

Standard User Oliver341
(knowledge is power) Thu 04-Oct-12 16:43:57
Re: Phishing re gmail accounts?

[re: RobertoS]
 
The critical line is the first "Received: from" and as you say it looks legit; the IP address is definitely one of google's.

The next question is how someone is adding email addresses to your google account. I think this can only be done by logging into google, so change your google account password(s) and scan for viruses.

Lastly, log into gmail and check your login history (details link, bottom right). You can also set it to alert you on suspicious activity.

Oliver.

Edited by Oliver341 (Thu 04-Oct-12 16:49:38)
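
The two checks discussed in the posts above (the link hosts as they appear in the message source, and the IP recorded in the top "Received:" line) can be scripted. This is an added example, not part of the original thread: the sample message is constructed, `TRUSTED_NETS` is a placeholder range rather than real Google addresses, and all function names are hypothetical.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "google.com"
# Placeholder range (RFC 5737 documentation block) standing in for the
# provider's real mail-server ranges, which are not given in the thread.
TRUSTED_NETS = [ip_network("192.0.2.0/24")]

URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)
BRACKETED_IP_RE = re.compile(r"\[([0-9A-Fa-f:.]+)\]")


def build_sample() -> bytes:
    """Constructed message; every name, host and address in it is made up."""
    msg = EmailMessage(policy=policy.SMTP)
    # Top-most Received: the line the recipient's own server added.
    msg["Received"] = ("from mail.sender.example (mail.sender.example "
                       "[192.0.2.25]) by mx.mydomain.example; "
                       "Wed, 03 Oct 2012 20:40:00 +0100")
    # Lower Received lines come from the sending side and can be forged.
    msg["Received"] = ("from internal (unknown [198.51.100.7]) "
                       "by mail.sender.example; "
                       "Wed, 03 Oct 2012 20:39:58 +0100")
    msg["From"] = "Accounts Team <noreply@google.com>"  # free text only
    msg["To"] = "name1@mydomain.example"
    msg["Subject"] = "Verification request"
    msg.set_content(
        "Verify: https://accounts.google.com/verify?t=PLACEHOLDER\n")
    html = (
        '<a href="https://accounts.google.com/verify?t=PLACEHOLDER">Verify</a>\n'
        '<a href="http://accounts.google.com.login.example/v">Verify</a>\n'
        '<a href="http://www.google.com@203.0.113.9/v">www.google.com</a>\n')
    # base64 transfer encoding: this "MIME gibberish" decodes straight back
    # to the text above, addresses and links included.
    msg.add_alternative(html, subtype="html", cte="base64")
    return msg.as_bytes()


def host_is_under(host: str, base: str) -> bool:
    """True only if host is base itself or a label-aligned subdomain of it."""
    host = host.lower().rstrip(".")
    return host == base or host.endswith("." + base)


def link_hosts(msg) -> dict:
    """Map every link host found in the decoded text parts to a verdict."""
    verdicts = {}
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        for url in URL_RE.findall(part.get_content()):
            # .hostname drops any "user@" prefix and the port, so
            # http://www.google.com@203.0.113.9/ resolves to 203.0.113.9.
            host = urlsplit(url).hostname or ""
            verdicts[host] = host_is_under(host, TRUSTED_DOMAIN)
    return verdicts


def first_hop_ip(msg):
    """IP the recipient's server logged in the top-most Received header."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = BRACKETED_IP_RE.search(str(received[0]))
    if not match:
        return None
    try:
        return ip_address(match.group(1))
    except ValueError:
        return None


def triage(raw: bytes) -> dict:
    """Summarise the checks for one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    ip = first_hop_ip(msg)
    trusted = ip is not None and any(ip in net for net in TRUSTED_NETS)
    return {
        "from_header": str(msg["From"]),  # shown for reference, never trusted
        "first_hop_ip": str(ip) if ip else None,
        "first_hop_trusted": trusted,
        "links": link_hosts(msg),
    }


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

Because the base64 part decodes back to the full body, redacting only the headers of a posted message source does not hide addresses or domains carried in the encoded section.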

Standard User Oliver341
(knowledge is power) Thu 04-Oct-12 16:48:39
Re: Phishing re gmail accounts?

[re: Oliver341]
 
Also, go here and check what email addresses are added (or waiting validation):
https://www.google.com/settings/account

Oliver.
Standard User RobertoS
(sensei) Thu 04-Oct-12 17:48:50
Re: Phishing re gmail accounts?

[re: b4dger]
 
In reply to a post by b4dger:
FYI - your l... domain is visible from the Google links.
You might want to strip out the links?
I certainly do, but I don't see where they are. Do you mean I need to click one, and if so which? Or what's the line above it?

Wouldn't mind you removing the 2nd and 3rd letters as well smile. Or even the whole post now.
If you ignore a force Google verification you should stay safe unless someone else knows your password to verify.
Quite! That's what's so worrying. It didn't even allow time for a genuine verification anyway, unless it was automatic. And the verification link would have had to be available to the transgressor.

As posted to XRaySpex, my domain doesn't seem to be associated with the [link removed by billford] address.


Edited by billford (Fri 05-Oct-12 21:10:50)

Standard User RobertoS
(sensei) Thu 04-Oct-12 17:55:23
Re: Phishing re gmail accounts?

[re: Oliver341]
 
I checked the account that has my domain as its login. There doesn't seem to be anything amiss. I'll do the check you suggest now ...
...
I only have the primary address. Where do I see "Awaiting validation"? On the same page as you add alternative addresses?

Standard User XRaySpeX
(eat-sleep-adslguide) Thu 04-Oct-12 18:03:22
Re: Phishing re gmail accounts?

[re: RobertoS]
 
In reply to a post by RobertoS:
I certainly do, but I don't see where they are. Do you mean I need to click one, and if so which?
The Disavow link.

Standard User b4dger
(knowledge is power) Thu 04-Oct-12 18:13:10
Re: Phishing re gmail accounts?

[re: RobertoS]
 
edited smile

FYI Any of the links with the google.com TLD are safe to click.


EDIT: I see your link to your l... domain/account is still available?
Also perhaps pika... could be just as innocent as you so posting his email address in an open forum might not be the right thing to do? tongue

Edited by b4dger (Thu 04-Oct-12 18:40:33)

Standard User RobertoS
(sensei) Thu 04-Oct-12 18:34:45
Re: Phishing re gmail accounts?

[re: Oliver341]
 
In reply to a post by Oliver341:
Lastly, log into gmail and check your login history (details link, bottom right). You can also set it to alert you on suspicious activity.
It isn't a gmail account. I have a few gmail accounts, two recent and the rest virtually never used. Probably from even before I had a domain instead of using ISP mail. Many years ago.

Re the recent ones, neither mentions mydomain in the Account details.

Rolls eyes. (Edit - at what the heck is going on).

I'm logged into the account with mydomain. Looks like I'm not signed up to Activity Reports. Is that what you meant? I don't see the link you refer to on the Account page.


Edited by RobertoS (Thu 04-Oct-12 23:02:31)

Standard User b4dger
(knowledge is power) Thu 04-Oct-12 18:45:00
Re: Phishing re gmail accounts?

[re: RobertoS]
 
As Oliver341 says "details link, bottom right" from the Gmail home page will show who's been logging in. If you don't use Gmail these instructions won't work smile

Edited by b4dger (Thu 04-Oct-12 18:46:06)

Standard User RobertoS
(sensei) Thu 04-Oct-12 19:06:23
Re: Phishing re gmail accounts?

[re: b4dger]
 
I've edited the disavowal link in the body. Is it anywhere else please? (And thanks to XRaySpeX). I also used it as advised. Now it says it's either invalid or already disassociated.

You really think pika ... exists? Maybe I should fix more stuff.

That was why I initially used name1 & name2.

How come those two emails both came to my "l" domain, with about 11 seconds separating them? Is it possible that the verification and congrats emails go to all addresses on the account? Someone's got a very fast connection if they received the first and clicked the link in that time.

Also, the first one says pika is being added to my google account, not to a gmail account. It isn't on my google account.

'Tis a rum business.

Standard User RobertoS
(sensei) Thu 04-Oct-12 19:08:02
Re: Phishing re gmail accounts?

[re: b4dger]
 
That explains why I don't see it then smile. The google account that has mydomain as its login name does not have gmail.

Standard User Oliver341
(knowledge is power) Thu 04-Oct-12 22:44:28
Re: Phishing re gmail accounts?

[re: RobertoS]
 
In reply to a post by RobertoS:
I only have the primary address. Where do I see "Awaiting validation"? On the same page as you add alternative addresses?

Yes. If you add a new email to your google account, a "Pending verification" entry appears on the page where you add new email addresses. If it's not there, or the new validated email address isn't there, either the "intruder" deleted the new email, or google had a wobbly.

Oliver.

Edited by Oliver341 (Thu 04-Oct-12 22:49:31)

Standard User Oliver341
(knowledge is power) Thu 04-Oct-12 22:46:45
Re: Phishing re gmail accounts?

[re: RobertoS]
 
In reply to a post by RobertoS:
That explains why I don't see it then smile. The google account that has mydomain as its login name does not have gmail.

It's a shame there's no activity log for Google Accounts, just Gmail. The monthly report seems a bit pointless if you're wanting to know what was going on yesterday.

Oliver.
Standard User RobertoS
(sensei) Thu 04-Oct-12 22:48:33
Re: Phishing re gmail accounts?

[re: Oliver341]
 
Well. It looks like I have nothing to worry about, since I accepted the advice that the Disavow link was safe.

But I'd say it was a bit more than a wobbly. It looks like there could be a nice hole in the wall there.

I'll go and delete that "source" post I think. In case it was something innocent.

Standard User Oliver341
(knowledge is power) Thu 04-Oct-12 22:50:57
Re: Phishing re gmail accounts?

[re: RobertoS]
 
Just to confirm, you have now changed your Google password and run virus scans?

Oliver.

Edited by Oliver341 (Thu 04-Oct-12 22:51:26)

Standard User RobertoS
(sensei) Thu 04-Oct-12 23:00:19
Re: Phishing re gmail accounts?

[re: Oliver341]
 
Nope?

You think someone has cracked it? I'm sure if some evil was intended it would have happened. But OK ...
... Done!

Standard User RobertoS
(sensei) Thu 04-Oct-12 23:05:07
Thanks to All who contributed

[re: RobertoS]
 
I think I can put this, and me, to bed now.

Thanks to all. I'll be back with it if it happens again.

Standard User Oliver341
(knowledge is power) Thu 04-Oct-12 23:08:39
Re: Thanks to All who contributed

[re: RobertoS]
 
I was just going to check again but it's gone now. smile

Email #1 shows someone trying to add your email address to their Google account

Email #2 suggested the email address was validated, and this can only be done by logging into your email inbox.

Is this how you see it?

Oliver.
Standard User Oliver341
(knowledge is power) Thu 04-Oct-12 23:16:46
Re: Thanks to All who contributed

[re: Oliver341]
 
Actually, validating an email address doesn't trigger an email.

The second email was triggered by someone signing up to Gmail, and putting your email address as their existing email.

Both legitimate emails, both benign, caused by someone fooling about. Confusing, but, I too don't believe you've been hacked. smile

Oliver.
Standard User XRaySpeX
(eat-sleep-adslguide) Fri 05-Oct-12 05:52:21
Re: Phishing re gmail accounts?

[re: RobertoS]
 
In reply to a post by RobertoS:
So I try to log into the gmail one and the Forgotten password page, when given name1@mydomain says
No account found with that email address.
Then I tried to log into name1@mydomain. Same result.
It was an @GMail a/c that was being created not your @mydomain. You should try logging into Google and GMail using [email protected], I think it was.

I'm sure your PC's not compromised.

What I think likely happened was that someone out there loved yourdomain so much that they tried to register it as a domain. When they were told it was already taken they chose a slight variation of it, as you do, yourdomain1 say.

Later they opened Gmail and Google a/c's, but forgetting they didn't have the domain they really wanted, they gave yourdomain as their existing email addy, hence the 2nd msg you received. A few secs later they tried to add yourdomain to their Google a/c, hence the 1st msg. Both msgs were pukka Google notifications, just that this other user used yourdomain by mistake. grin

You could always send [email protected] an email telling him off that yourdomain is your copyright grin.


Edited by XRaySpeX (Fri 05-Oct-12 13:25:13)

Standard User RobertoS
(sensei) Fri 05-Oct-12 09:04:05
Re: Phishing re gmail accounts?

[re: XRaySpeX]
 
Uh uh! I'm not that daft, though my thoughts may have been invalid smile.

I was trying your suggestion of feigning a forgotten password.

I tried two things, both shown in that quote.

Logging in with the gmail address, I have to supply an email address to send the password reset to. That email address has to be present on the gmail account. The confirmation email could not have been sent unless it were. That was the first thing I tried.

The second thing was based on, IIRC from the relevant screens, that to log into your account you can use one of your alternative email addresses, not just your primary one. So to log into my google account, my primary is xxxx@mydomain. I don't have a secondary. But if there is really an account somewhere with pika..@mydomain as a primary or secondary login, I should have been able to get to the lost password reset stage.

In case it was a genuine mistake by someone, I think you should remove your very close and easily worked out post of the email address in question smile. That's one of the reasons I deleted the "source" post when that was pointed out to me.

I did run a full system scan the night of the main discussion. Just a few tracking cookies.

I don't think your analysis of the transaction history accounts for the immediacy of the confirmation email! I pointed this out a few times, and I think there's only been one suggestion, which I think I had already made myself. That is that someone has gained access to my mail hosting account. But there is more than one way into that, and it all seems to be running smoothly at the moment.

I shall probably be checking it out. Yesterday was traumatic for other reasons.

What is appalling is the total opaqueness of google's contact procedure. This should have been a simple support request to find out what is going on. There is no way to do anything with any probability of a response. You even get a flat statement you aren't even going to get an auto-response that the problem report has been recorded, with a reference number!


Edited by RobertoS (Fri 05-Oct-12 09:05:10)

Standard User Oliver341
(knowledge is power) Fri 05-Oct-12 13:31:08
Re: Phishing re gmail accounts?

[re: RobertoS]
 
In reply to a post by RobertoS:
That is that someone has gained access to my mail hosting account.

Neither of the two emails you received would require access to your mail hosting account.

Oliver.
Standard User XRaySpeX
(eat-sleep-adslguide) Fri 05-Oct-12 19:43:14
Re: Phishing re gmail accounts?

[re: RobertoS]
 
In reply to a post by RobertoS:
I don't think your analysis of the transaction history accounts for the immediacy of the confirmation email!
I would've thought quite the reverse! Creation of a Google a/c is very much linked with creation of a Gmail a/c; indeed the former is nested within the latter. Remember you only have a Google a/c which does not require a Gmail a/c, unlike the reverse. The confirmation mail, the 2nd one, was confirmation of creation of the Gmail a/c, not confirmation of adding a secondary email addy to the Google a/c, the 1st email. So they are not related in that manner. Anyway Internet packet switching does not guarantee order of arrival of msgs will be in same order of sending, nor at the same intervals.

By now the other person has probably realised his mistake and corrected it by replacing your domain by his domain.

P.S. One of your earlier posts still has his Gmail addy in full, but it is no longer editable.

Standard User deleted
(deleted) Thu 26-Dec-13 07:38:20
Re: Phishing re gmail accounts?

[re: RobertoS]
 
For what it is worth, I have received a number of these over the last few months. I've never been able to get any word of explanation from the google. Apparently part of their new policy of "All your attention is belong to us (the google), but we don't pay any attention to you" that replaced the now sad old joke of "Don't be evil."

In the absence of any real data from the google, I have two theories. The less plausible one is that there is some kind of technical booby-trap on the new account. In that case, clicking on any of the links might be enough to detonate it. If so, the scammers are quite sophisticated, perhaps too sophisticated for the google to deal with the problem, which might be why they refuse to talk about it.

However, I think the more likely possibility is that the attack is some kind of social engineering thing. They want to get you involved with the new account in some way, and then they are going to trick you or trick your contacts and friends into communicating with the fake account. Or maybe they have a backdoor for some kind of password reversion trick after you've been tricked into using the new account.

Whatever it is, it stinks to high heaven and I am completely unable to imagine a scenario that would give it enough plausibility to call for an explicit disavowal.