Question

GMail Hack with 2-Factor Auth enabled

  • 27 October 2019

I posted the following on another tech forum:

 

I have my business email on GMail. I use 2-factor authentication for access to said business email. I access my business email from 2 computers and 1 mobile Android device. I do not use Outlook or any email client; I access it solely through the web browser. I run Webroot AV on both computers and have run MalwareBytes, Hitman Pro and Sophos Virus Removal tool with 0 hits on all.

Yesterday, spoofed emails of my business email account originating from all over the world were sent out to my customers with an attached, password-protected file that was a virus. In itself this is not unusual; however, each of the emails was an actual reply from a valid email I had received previously. I immediately looked at my Google account settings and verified 2-factor auth; I looked at the devices that were using my email and could verify each one. I could find no proof that someone had gained access to my email other than myself.

Does anyone have any suggestions on where I should look for this breach? I am at a loss and dreading a second round of emails going out.

 

One of the answers I received was possibly a MiTB attack. I use Chrome browser exclusively and the only variant I could find that affects Chrome is Tatanga, which is from 2012. I find no reference to Tatanga on the Webroot forums. Can anyone tell me if Webroot protects against this MiTB attack?

 

While we are at it, can anyone come up with another suggestion on how my email was accessed?


2 replies

They could have used a 0-day exploit in a website to infect people and, when they did what they wanted, have it auto-destroy itself.


Hey @plb2000 ,

Any luck finding out what happened here? I’m curious if your post(s) in other forums led to any significant findings.

-Keenan
