
Gmail and Paypal attacked. Advice?

  • 02-09-2010 2:54pm
    #1
    Registered Users, Registered Users 2 Posts: 236 ✭✭


    Hi guys, after logging into gmail today I received about 20 'mail delivery' emails. Looked like spam so I deleted them as such. Had trouble getting into gmail later and gmail asked me for verification, had to receive a password off them through text, and changed my password. Just logged back in and there was an email from paypal saying my account was accessed by a third party and that they have locked the account.
    Clearly my gmail was attacked by some virus. Anyway, anything I can do? Am currently running an AVG scan on my computer.

    Thanks

    Alan


Comments

  • Moderators, Computer Games Moderators, Technology & Internet Moderators, Help & Feedback Category Moderators Posts: 25,872 CMod ✭✭✭✭Spear


    acurno wrote: »
    Hi guys, after logging into gmail today I received about 20 'mail delivery' emails. Looked like spam so I deleted them as such. Had trouble getting into gmail later and gmail asked me for verification, had to receive a password off them through text, and changed my password. Just logged back in and there was an email from paypal saying my account was accessed by a third party and that they have locked the account.
    Clearly my gmail was attacked by some virus. Anyway, anything I can do? Am currently running an AVG scan on my computer.

    Thanks

    Alan

    That's also the standard text for Paypal phishing emails. Show us the headers and we can tell whether it's legit or not.


  • Registered Users, Registered Users 2 Posts: 236 ✭✭acurno


    Still getting loads of spam in my gmail. I think the virus is using my account to send out spam as well. Below are the headings from 3 of the mails. I don't want to open one of the emails in case I activate some other virus.

    Underneath those 3 is the email from paypal copied and pasted.

    Any advice appreciated, I thought gmail was pretty much bulletproof when it came to these sorts of attacks. I've run both malware and avg programs on my computer and they both came up clean.

    Thanks.
    Alan


    me, Mail (8)

    献/给/企业一条-有\价值==的信息,敬=请*留意!‎ - Delivery to the following recipient failed permanently: suhobt_jkwi@abc.com Technical details of …
    8:19 pm

    me, Mail (7)

    献/给/企业一条-有\价值==的信息,敬=请*留意!‎ - Delivery to the following recipient failed permanently: flying@flying-tools.com Technical details …
    8:10 pm

    me, Mail (8)

    献/给/企业一条-有\价值==的信息,敬=请*留意!‎ - Delivery to the following recipient failed permanently: uqzjxdq@abc.com Technical details of …
    7:54 pm

    me, Mail, MAILER-DAEM. (9)

    献/给/企业一条-有\价值==的信息,敬=请*留意!‎ - Delivery to the following recipient failed permanently: lysp@mailcity.com Technical details of …
    6:52 pm





    Notification of Limited Account Access RXI033


    service@intl.paypal.com
    to me

    show details 3:48 PM (4 hours ago)

    Dear xxxx

    As part of our security measures, we regularly screen activity in the
    PayPal system. During a recent screening, we noticed an issue regarding
    your account.



    We have reason to believe that your account was accessed by a third party.
    We have limited access to sensitive PayPal account features in case your
    account has been accessed by an unauthorized third party. We understand
    that having limited access can be an inconvenience, but protecting your
    account is our primary concern.

    Case ID Number: PP-001-060-307-341


    For your protection, we have limited access to your account until
    additional security measures can be completed. We apologize for any
    inconvenience this may cause.

    To review your account and some or all of the information that PayPal used
    to make its decision to limit your account access, please visit the
    Resolution Center. If, after reviewing your account information, you seek
    further clarification regarding your account access, please contact PayPal
    by visiting the Help Center and clicking "Contact Us".

    We thank you for your prompt attention to this matter. Please understand
    that this is a security measure intended to help protect you and your
    account. We apologize for any inconvenience.

    Sincerely,

    PayPal Account Review Department


    Please do not reply to this email. This mailbox is not monitored and you
    will not receive a response. For assistance, log in to your PayPal account
    and click the Help link in the top right corner of any PayPal page.

    Copyright © 1999-2010 PayPal. All rights reserved.

    PayPal (Europe) S.à r.l. & Cie, S.C.A.
    Société en Commandite par Actions
    Registered Office: 5th Floor 22-24 Boulevard Royal L-2449, Luxembourg
    RCS Luxembourg B 118 349


  • Moderators, Computer Games Moderators, Technology & Internet Moderators, Help & Feedback Category Moderators Posts: 25,872 CMod ✭✭✭✭Spear


    The first are indeed bounces, but that could only mean your name was spoofed as the sender, not that your account was compromised.

    I need to see the full source of the Paypal email.


  • Registered Users, Registered Users 2 Posts: 1,340 ✭✭✭bhickey


    Well the Paypal one is definitely a scam and the Gmail situation sounds similarly odd.

    Ignore the Paypal scam anyway and log into your Gmail & Paypal accounts from another clean computer and change your passwords just in case.


  • Registered Users, Registered Users 2 Posts: 236 ✭✭acurno


    Still reckon something funny happened to my gmail. Couldn't log in using my password, gmail themselves said that they've noticed suspicious activity and they would need to send me a verification code to continue. Got a code on my phone, and had to change my password after following certain steps. All legitimate I'm certain.

    Here's the details from the paypal one:

    from service@intl.paypal.com
    to xxxx@gmail.com
    date Thu, Sep 2, 2010 at 3:48 PM
    subject Notification of Limited Account Access RXI033
    mailed-by intl.paypal.com
    signed-by intl.paypal.com

    and the more detailed one:

    Delivered-To: xxxxxxx@gmail.com
    Received: by 10.216.162.66 with SMTP id x44cs53879wek;
    Thu, 2 Sep 2010 07:48:33 -0700 (PDT)
    Received: by 10.114.77.10 with SMTP id z10mr10478366waa.168.1283438893079;
    Thu, 02 Sep 2010 07:48:13 -0700 (PDT)
    Return-Path: <service@intl.paypal.com>
    Received: from mx1.phx.paypal.com (mx1.phx.paypal.com [66.211.168.231])
    by mx.google.com with ESMTP id b1si749453vcr.200.2010.09.02.07.48.11;
    Thu, 02 Sep 2010 07:48:11 -0700 (PDT)
    Received-SPF: pass (google.com: domain of service@intl.paypal.com designates 66.211.168.231 as permitted sender) client-ip=66.211.168.231;
    Authentication-Results: mx.google.com; spf=pass (google.com: domain of service@intl.paypal.com designates 66.211.168.231 as permitted sender) smtp.mail=service@intl.paypal.com; dkim=pass header.i=service@intl.paypal.com
    DomainKey-Signature: s=dkim; d=intl.paypal.com; c=nofws; q=dns;
    h=Received:Date:Message-Id:X-country:X-language:
    content-type:From:To:Subject;
    b=Ctm9sWU6ggLbfBuJDilncZOfOZcw2eMbKPSW+GbPp2gr1CXg+1Wrv/aB
    35kICKNJWzbXcgDD6/YX3Y2RSVFA0ywR8ibp1ajPXQU444fjQnVOnS8QI
    O+u7uGFyIOWGDUVBk9AioEZFT4jLcf2GI80PeWm56lr9of1dJ2+yORuK/
    M=;


  • Moderators, Computer Games Moderators, Technology & Internet Moderators, Help & Feedback Category Moderators Posts: 25,872 CMod ✭✭✭✭Spear


    acurno wrote: »
    Still reckon something funny happened to my gmail. Couldn't log in using my password, gmail themselves said that they've noticed suspicious activity and they would need to send me a verification code to continue. Got a code on my phone, and had to change my password after following certain steps. All legitimate I'm certain.

    Here's the details from the paypal one:

    The Paypal one looks legit from that. Time to change all passwords and be watchful for the near future.


  • Registered Users, Registered Users 2 Posts: 1,340 ✭✭✭bhickey


    Spear wrote: »
    The Paypal one looks legit from that.

    Google any part of the Paypal message and you'll see that it's a scam. For instance, Google:

    "Notification of Limited Account Access RXI033"

    The links in the e-mail probably go to some strange places that look perfectly plausible but are in fact phishing sites.


  • Moderators, Computer Games Moderators, Technology & Internet Moderators, Help & Feedback Category Moderators Posts: 25,872 CMod ✭✭✭✭Spear


    bhickey wrote: »
    Google any part of the Paypal message and you'll see that it's a scam. For instance, Google:

    "Notification of Limited Account Access RXI033"

    The links in the e-mail probably go to some strange places that look perfectly plausible but are in fact phishing sites.

    It came from an Ebay/Paypal MX server, an Ebay/Paypal assigned IP address, and passed the SPF check. It's an impressive forgery then since it involves compromising the Paypal mail server to send it.
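
Added example (not part of the thread or any poster's code): a Python sketch of the header check discussed above, run over the headers acurno posted and over a constructed contrast case. `TRUSTED_MTA`, the `mailer.example` domain, the From line (taken from the Gmail summary in the post) and the two-label organisational-domain shortcut are assumptions of this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_MTA = "mx.google.com"  # only verdicts stamped by our own receiver count

# Headers as posted in the thread; the From line comes from the Gmail summary.
PAGE_HEADERS = """\
Received: from mx1.phx.paypal.com (mx1.phx.paypal.com [66.211.168.231])
 by mx.google.com with ESMTP id b1si749453vcr.200.2010.09.02.07.48.11;
 Thu, 02 Sep 2010 07:48:11 -0700 (PDT)
Authentication-Results: mx.google.com; spf=pass (google.com: domain of service@intl.paypal.com designates 66.211.168.231 as permitted sender) smtp.mail=service@intl.paypal.com; dkim=pass header.i=service@intl.paypal.com
From: service@intl.paypal.com

"""
# Constructed contrast case: SPF passes, but for an unrelated envelope domain.
LOOKALIKE = """\
Authentication-Results: mx.google.com; spf=pass smtp.mail=bounce@mailer.example; dkim=none
From: service@intl.paypal.com

"""

def org_domain(value):
    # Assumption: last two labels; real code should use the Public Suffix List.
    return ".".join(value.rsplit("@", 1)[-1].lower().split(".")[-2:])

def assess(raw):
    msg = message_from_string(raw)
    from_dom = org_domain(parseaddr(msg.get("From", ""))[1])
    out = {"spf": "none", "dkim": "none", "aligned": False, "sender_ip": None}
    for value in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in re.sub(r"\([^)]*\)", "", value).split(";")]
        if parts[0] != TRUSTED_MTA:
            continue  # a sender can add this header too; ignore foreign ones
        for part in parts[1:]:
            m = re.match(r"(spf|dkim)=(\w+)", part)
            ident = re.search(r"(?:smtp\.mail|header\.[id])=(\S+)", part)
            if m:
                out[m.group(1)] = m.group(2)
                if m.group(2) == "pass" and ident and org_domain(ident.group(1)) == from_dom:
                    out["aligned"] = True
    for value in msg.get_all("Received", []):
        hop = re.search(r"from \S+ \(.*?\[([\d.]+)\]\) by (\S+)", " ".join(value.split()))
        if hop and hop.group(2) == TRUSTED_MTA:  # hop recorded by our receiver
            out["sender_ip"] = hop.group(1)
            break
    return out

if __name__ == "__main__":
    print(assess(PAGE_HEADERS))
    print(assess(LOOKALIKE))
```

A pass with an aligned domain shows only that the message left the sending domain's own mail infrastructure; it says nothing about who logged in to the account the message is about.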


  • Registered Users, Registered Users 2 Posts: 1,340 ✭✭✭bhickey


    Acurno, are there any HTML links in the "Paypal" e-mail that you received and can you see if the link destination URLs appear genuine?

    Also have you gone to www.paypal.com (i.e. by typing the address into your browser as opposed to clicking on any link in the e-mail) and actually logged in to your Paypal account since you got the e-mail? If so, were there any indications that your account has in fact been limited in some way?


  • Registered Users, Registered Users 2 Posts: 1,340 ✭✭✭bhickey


    Spear wrote: »
    It came from an Ebay/Paypal MX server, an Ebay/Paypal assigned IP address, and passed the SPF check. It's an impressive forgery then since it involves compromising the Paypal mail server to send it.

    That is one way of looking at it alright. But if you put your tin foil hat back on again then you could look at it another way. You might say that the OP's Gmail suddenly started acting strange and asked for verification - it even sent him a password to use. And what do you know when he logged in to "Gmail" he now coincidentally had an e-mail from "Paypal" which coincidentally is worded identically to scam Paypal messages that many others have received. Of course the headers would appear genuine if he's not actually in his Gmail account at all.

    These phishing sites are bloody excellent at appearing to be what you'd like them to be and when it comes to an online banking or Paypal-type account you have to be ultra-paranoid and trust nothing - not even your own eyes.


  • Registered Users, Registered Users 2 Posts: 4,676 ✭✭✭Gavin


    bhickey wrote: »
    That is one way of looking at it alright. But if you put your tin foil hat back on again then you could look at it another way. You might say that the OP's Gmail suddenly started acting strange and asked for verification - it even sent him a password to use. And what do you know when he logged in to "Gmail" he now coincidentally had an e-mail from "Paypal" which coincidentally is worded identically to scam Paypal messages that many others have received. Of course the headers would appear genuine if he's not actually in his Gmail account at all.

    These phishing sites are bloody excellent at appearing to be what you'd like them to be and when it comes to an online banking or Paypal-type account you have to be ultra-paranoid and trust nothing - not even your own eyes.

    So you reckon that the OP is connecting to a fake Gmail site, which is displaying fake emails? Not just that, but the fake gmail site would have to be a facade for the real gmail site, otherwise of course the OP would notice the lack of his own emails. And that facade is then modifying the displayed email headers of specific emails from paypal. AND that they went to the effort of texting a password (spending money to do so) to the OP. That's pretty convoluted and highly unlikely.


  • Registered Users, Registered Users 2 Posts: 1,340 ✭✭✭bhickey


    Gavin wrote: »
    That's pretty convoluted and highly unlikely.

    You don't give these phishing crowds nearly enough credit. They are very well resourced and brilliant at what they do. If they somehow get your original gmail login details then all the above is definitely possible (especially if the prize at the end of the day is access to people's Paypal accounts). "Convoluted" is easy for these people and "highly unlikely" still isn't nearly safe enough for your financial security. So people have to be extra careful when odd things like this suddenly start to happen.


  • Registered Users, Registered Users 2 Posts: 4,676 ✭✭✭Gavin


    To the OP,
    You can't trust your current computer. From a separate, trusted machine, log into gmail. Change the password again and change your paypal password.

    Your password was stolen via a trojan, most likely. This is either on your personal computer, or some other computer you have used recently. If you have not used paypal from any other computers, your own must be infected. Try a few different antivirus products to track it down: Microsoft, Malwarebytes, etc.

    If you still can't find it, and you are positive that you didn't access paypal from another machine, the only way to be certain is a format and re-install. Otherwise it will just steal any new password you use.


  • Registered Users, Registered Users 2 Posts: 236 ✭✭acurno


    Cheers for all the advice now. I'm really worried about the computer now.
    No I haven't logged into paypal yet at all I don't want to risk it.

    I've another laptop here so I'll log on with that and change passwords.
    I've a mate who works in microsoft who's gonna update my computer next week anyway so I'll wait until he has a look before I do anything else with it.

    Thanks,
    Alan

