Akaun email GMail yang DIGODAM dan domain yang ditukar

Sesiapa yang ada email GMail pastikan di bahagian 'settings' dan kemudian --> di bahagian 'Filters' dan 'Forwarding and POP/IMAP' tidak terdapat sebarang penambahan yang tidak anda pernah lakukan. Jika tidak terjadi seperti pengguna di bawah ini yang domainnya telah dihijack.

Jika terdapat sebarang perubahan sila pastikan anda menukar semua password atau apa sahaja dokumen penting yang perlu dilakukan. Walau bagaimanapun masalah ini telah dibaiki oleh pihak Google. Cuma pastikan email anda telah betul-betul bebas.

Gmail Hacked! Check your Gmail filters now!
David Airey has lost his domain after his Gmail account was hacked by a hacker. But how did the criminal can take down David’s domain? You can read the full story here but if you want to know how the attacker did it, please read on.

First, the victim login to his Gmail account as normal. Then he visit to a website which contains a script that exploiting the vulnerability in Gmail. This script will create a new filter in the victim’s email. Like in the example above, the script creates a filter that will forward any email that has attachment to collect@evil.com.
But how about if the filter is set to forward all incoming emails to the attacker email? Do you will happy losing all your secret and passwords to the attacker? Of course you are not.
I have checked my filter settings in Gmail. Know what? There is a filter that forward incoming emails to *@colmac.com. I was shocked and removed it immediately. I do not know since when the filter was added and how many emails the guy at colmac.com had read. I hope they are happy what they are doing.
If you using Gmail, check your Gmail filters now. Who knows, maybe you are lucky and get strange filters in your Gmail settings. However, Google has fixed this problem but you are still be advised to check your filter settings.
WARNING: Google’s GMail security failure leaves my business sabotaged

Published on December 24th, 2007
GMail hacked
What would you do if a criminal stole something very personal, and very valuable from you?
What if they were able to target your business and criple your income?
You wouldn’t be too happy now, would you?
What if you also discovered that this was happening because of a Google security infection that can affect every GMail user on the planet?

That’s what has just happened to me, and here I’m going to tell you my story. I will detail everything I know about the web pirates who are threatening my livelihood, and tell you what you need to know in order to avoid the same thing happening to you.
On November 20th 2007 I left the UK to spend a month’s holiday in India. I’d been planning this break for over a year, and was looking forward to taking my girlfriend away on our first foreign trip together. Prior to leaving, I published a blog post to let my readers know I’d be away for a while, and that my blog would be a quiet place in my absence.
All my clients were informed, bills paid, loose ends tied up, and off I went on a new adventure.
I arrived in Mumbai on November 21st, and on the journey from the airport to the Colaba district, was punched in the face by an Indian youth, but that’s another story.

During the month ahead, I knew I’d be irregularly checking my emails, but only to let my loved ones know everything was fine. This holiday was to be a break from work, and a break from computers.
Indeed everything was fine for a few weeks, until December 15th (five days before I was due to return from holiday). I called into an internet caf� in Goa, and read some worrying emails from good friends of mine. I was informed that my website had disappeared, and that my domain name (www.davidairey.com) was now redirecting to some random website - bebu.net.
I was confused, and anxious. How could this happen? I hadn’t received any notification of my domain name expiry, and I never divulge any passwords to anyone. The only possible explanation for me was that somehow, the domain name had expired without me receiving any notice, and that some domain poacher had snapped it up before I got a chance to renew.
My website had been pulling in over 2,000 unique daily visits. Not a massive amount by any stretch of the imagination, but for a one-man operation, 700,000+ annual visitors can generate a nice amount of new logo design business.
So I ran a WHOIS check on davidairey.com, hoping to find an email address for the new owner. The search yielded this email address: DAVIDAIREY.COM@domainsbyproxy.com and here’s the email I sent:

Please can I purchase my old domain name from you. It seems it expired without my knowledge.
Kind regards,

I found it hard to believe that I’d let my domain name expire, but thought it a good idea to send an email nonetheless.
On the very same day, I received a reply. It came from one supposed Peyam Irvani, telling me the following:

Please send me your high offer !

By this stage, I’d already had some back and forth email discussions with close friends, wondering what exactly could have happened. I also contacted my web host company, ICDSoft, asking them to help. They were the ones who sold me the domain name after all. Shouldn’t they have informed me?
This is when I found a disturbing support ticket, posted in my web host support panel. It was supposedly from me, addressed to ICDSoft’s support team, and was created on November 20th, the exact date of my departure from the UK. It read the following:

Subject: Davidairey.com Transfer
I want to transfer davidairey.com to another registrar please unlock it and send me the EPP transfer code.
Kind regards,

Within just one minute (ICDSoft’s support team are very fast) the following response had been supplied:

We unlocked your domain name as requested. Here is its EPP code:
Domain name: davidairey.com
Auth/EPP key: 6835892AE0087D66
Best Regards,

I immediately typed a reply to this ticket, asking for help, and wanting to know what I could do to resolve the situation. Here’s what I was told by the support team:

Unfortunately, the domain name has been transferred successfully, and it cannot be reverted. The current registrar may be able to give you more information.
The original ticket message was sent from this IP address:
The person who posted it must have had access to your email, too, because transfers have to be approved by the administrative contact in order to be successful.

What? Not only did the hacker gain access to my web host control panel, but they also squirmed their way into my email account? This is when I began to get very worried. I kept a lot of personal emails behind my username and password, and this was a real invasion of privacy. For a few minutes I sat in the net caf�, my girlfriend beside me, and I didn’t know what to think.
I sent an email to GoDaddy, where my domain had been illegally transferred to, and asked them to prevent any further transfers. I wanted the domain in one place whilst I investigated. Here’s what GoDaddy said:

Unfortunately if a transfer request is made and completed we will not be able to prevent this unless we receive the notice from a court or arbitration forum… I apologize for any inconvenience this may cause.

Okay, so GoDaddy can’t help until the matter is taken to court.
This whole process ran over a few days of my holiday, as GoDaddy took over 48 hours to respond. At this point, and on December 19th (four days after my first email to the web pirate, ‘Peyam’), I thought I’d send a reply, and here’s what I said:

Hello Peyam,
Well, congrats on your hack. I’d love to know how you did it.
Before this moves through the courts, in order to settle the dispute, I don’t suppose you’d be so kind to give me my domain back? It’d really save me a lot of hassle, but if that’s what it takes, so be it.

I saw no point in being aggressive, wishing to keep them ‘on-side’ as much as possible.
Again, that same day, I received a response:

Im sorry to say but its not possible to have it or it take about 1 month if you try hard to have it again :)) and you lose your visitor ….hahaha
You can purchase it for 650 $ And we will use escrow sevices ;) that will done in less than 2 days !

Now my domain name was being held to ransom, and the hacker was taunting me. What I had spent more than a year building into a sound marketing plan had been severed at the knees.
I’m not the type of person who will hand any money over to a criminal, so I didn’t reply, instead focusing on stopping this hacker from stealing any more of my property.
How was I being hacked?
After a little research, I found this expos� into Google’s GMail defficiences: Google GMail E-mail Hijack Technique
It details the exact GMail hijack that I have just found applied to my account (right whilst writing this blog post).
Here’s an excerpt:

The victim visits a page while being logged into GMail. Upon execution, the page performs a multipart/form-data POST to one of the GMail interfaces and injects a filter into the victim�s filter list. In the example above, the attacker writes a filter, which simply looks for emails with attachments and forwards them to an email of their choice. This filter will automatically transfer all emails matching the rule. Keep in mind that future emails will be forwarded as well. The attack will remain present for as long as the victim has the filter within their filter list, even if the initial vulnerability, which was the cause of the injection, is fixed by Google.

And here’s a three step illustration of just how this threat works (click each image for a larger version):
GMail security threat
GMail security threat
GMail security threat
Images courtesy of GNUCITIZEN
I took a look at the ‘Filter’ option in my own GMail settings, and it turns out that you can easily set incoming emails containing specific words to be forwarded automatically. For example, if you want any emails containing the word password to be sent to another address, no problem. It also appears that the Filter can delete the email from your GMail inbox as soon as it has been forwarded, so you’d be none the wiser if a hacker was playing havoc with your incoming mail.
IMPORTANT: If you use GMail, it’s absolutely vital that you check your account settings now.
Here’s what to do:
When logged into GMail, click on the ’settings’ tab in the upper right of the screen. Then check both the ‘Filters’ and the ‘Forwarding and POP’ sections. This is what I only just found in my ‘Filters’ tab:

The following filters are applied to all incoming mail:
Matches: transfer-approval.com
Do this: Forward to ba_marame_pooli@yahoo.com, Skip Inbox, Delete it
Matches: from:(transfer-approval.com)
Do this: Forward to ba_marame_pooli@yahoo.com, Skip Inbox, Delete it

I have absolutely no idea who’s email address that is, but it seems to me that some of my personal emails were bypassing my inbox entirely, instead being forwarded to the yahoo.com address.
It appears that the GMail security issue is fixed, but that won’t remove any previously installed Filters from your GMail account.

1 comments so far

What a truly great piece of writing!!