Drug-Dealing Spammers Continue to Bypass Gmail's Spam Filtering System
Do you ever get spam emails that offer drugs such as Cialis, Viagra or even Levitra for ridiculously discounted prices? Even if you did need these drugs, the prices sometimes seem too good to be true and that's because they are.
According to Commtouch's 2010 quarterly Internet Threats Trend Report, pharmaceutical spam, advertising Viagra and other types of medications, represented 81% of all spam messages.
We were forwarded a spam message that came through Gmail and claims to offer Viagra, Cialis and Levitra from a pharmacy called "Green Line" (shown in Figure 1 below). The message is poorly formatted and was sent from a hacked AOL account. It is interesting because it illustrates a weakness in Google's spam-filtering algorithms.
Not only is this a scam: when I clicked one of the advertised drugs in the email, I was redirected to a fake online pharmacy site. Pill mills of this kind are illegal, and taking any medication without consulting a doctor in person is dangerous. The site looks legitimate (shown in Figure 2 below) and inviting if you need any of the drugs it supposedly sells. The people behind these scams put real effort into building professional-looking sites, which is why so many users fall for them.
Figure 1. Spam email message offering drugs from fake online pharmacy web site.
Figure 2. Suspected fake online pharmacy web site.
Hovering over the link in the email shown in Figure 1 reveals the domain uk.izeged.zuchurazaps(dot)com, but clicking the image/link redirected me to the domain parathesosenu(dot)com: the domain in the message only serves a redirect to the landing site. This is a common pattern in spam with embedded links, because the domain in the message can be blacklisted and replaced without touching the site that takes the orders. Here's a list of other domains that come from Green Line Pharmacy spam:
Spammers commonly use misspelled words to bypass spam filters, as shown in Figure 3 below. A filter that matches on exact keywords or on common spam phrases is looking for the correctly spelled word, so a deliberately misspelled or obfuscated one (swapped letters, digits in place of letters, spaces between letters) does not match and the message gets through.
Figure 3. Poorly formatted text in spam email message.
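To make the point above concrete, here is an added example (not code from the original post) that runs a naive exact-word filter and a normalizing filter over a handful of constructed sample lines in the style of Figure 3. The sample text, the keyword list and the leetspeak substitution table are all assumptions for the demonstration; the normalizer folds accents, undoes digit-for-letter substitutions, tolerates one typo per word and collapses letters that have been split apart with spaces or dots.

```python
import re
import unicodedata

# Constructed sample lines in the style of the obfuscated text in Figure 3;
# they are not the actual message from the post.
SAMPLES = {
    "plain":    "Green Line Pharmacy: buy Viagra, Cialis and Levitra at 80% off",
    "leet":     "Gr33n L1ne Ph@rmacy: V1agra, C1al1s and Lev1tra at 80% off",
    "spaced":   "Green Line Pharm acy: V i a g r a and C.i.a.l.i.s at 80% off",
    "swapped":  "Green Line Pharmacy: Vaigra, Cilais and Levirta at 80% off",
    "accented": "Green Line Pharmacy: Vïagra, Cíalis and Lëvitra at 80% off",
    "clean":    "Minutes from Tuesday's meeting are attached, see you Friday",
}

KEYWORDS = ("viagra", "cialis", "levitra", "pharmacy")

# Character substitutions spammers use to dodge exact word lists (assumed set).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i", "|": "l"})


def naive_hits(text):
    """Exact matching on correctly spelled words: the behaviour the post
    describes, and the one the obfuscation is designed to beat."""
    words = set(re.findall(r"[a-z]+", text.lower()))
    return sorted(k for k in KEYWORDS if k in words)


def normalize(text):
    """Fold accents (Vïagra -> Viagra), lowercase, and undo leetspeak."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return text.lower().translate(LEET)


def within_one_edit(a, b):
    """True if a and b differ by at most one insertion, deletion,
    substitution, or swap of two adjacent letters."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        diff = [i for i in range(len(a)) if a[i] != b[i]]
        if len(diff) == 1:
            return True
        if len(diff) == 2 and diff[1] == diff[0] + 1:
            i, j = diff
            return a[i] == b[j] and a[j] == b[i]
        return False
    if len(a) > len(b):
        a, b = b, a
    # b is one character longer: does deleting one character give a?
    return any(b[:i] + b[i + 1:] == a for i in range(len(b)))


def robust_hits(text):
    """Keyword matching after normalization, tolerant of one typo per word
    and of letters split apart by spaces or punctuation."""
    tokens = re.findall(r"[a-z]+", normalize(text))
    # Joining all letters catches "V i a g r a" and "Pharm acy". Substring
    # matching on the joined text is deliberately aggressive and should be
    # one signal among several in a real filter, not a verdict on its own.
    squashed = "".join(tokens)
    found = set()
    for keyword in KEYWORDS:
        if keyword in squashed or any(within_one_edit(t, keyword) for t in tokens):
            found.add(keyword)
    return sorted(found)


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:9} naive={naive_hits(line)} robust={robust_hits(line)}")
```

Running it shows the gap the post describes: the naive matcher finds nothing in the leetspeak or spaced-out lines and only the correctly spelled "Pharmacy" in the others, while the normalizing matcher recovers all four keywords and still reports nothing for the clean line. Real filters weight many such signals together (sender reputation, URL reputation, structure) rather than relying on any one word list.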
How did the Gmail spam message get through Google's spam filtering system?
Possible Gmail-based pharmaceutical spam scenarios include:
- Spammers create fake Gmail accounts to trick Gmail's spam filtering and to give the impression of a legitimate source.
- Spammers break into legitimate Gmail, Hotmail and Yahoo accounts (often compromised through phishing or malware), steal the users' contact lists, and send spam from those accounts to the contacts, logging in from hacked computers. The compromised accounts and computers become spam-spewing zombies.
- Spammers use real, compromised Gmail accounts but, instead of logging in from hacked computers, send the spam through Gmail's mobile interface over a mobile phone internet connection.
How easy is it for spammers to hack your Gmail account?
For a determined spammer, hacking into several Gmail accounts can be a relatively easy mission. A Google search for "hack Gmail account" returns plenty of websites offering step-by-step guides, so even an amateur can attempt it. Even though Google takes security very seriously, the Gmail service still has weaknesses.
Phishing is one popular method used to hack into Gmail accounts. The hacker sends the victim a link to a fake Gmail login page; the victim enters their login information and unknowingly sends the credentials to the hacker. Password-stealing Trojans are a related method: malware on the victim's computer captures the credentials as they are typed, with no fake page needed.
Hackers may also use network snooping tools to take over a Gmail session with a "man-in-the-middle" approach. Logging in happens over HTTPS, but once you are logged in Gmail identifies your session with a cookie, and until Google made HTTPS the default for Gmail in January 2010 that cookie was sent over unencrypted HTTP on every request after login unless the user had turned on "Always use https". A hacker who can monitor traffic on your network can inject into any plain web page you load an image served from mail.google.com; your browser attaches the cookie to that request, revealing your session ID. The hacker then replays the cookie and uses your account without ever needing the password. Computer users on public networks or Wi-Fi hotspots are the most exposed to this attack. Serving the whole session over HTTPS and marking the cookie Secure stops the browser from sending it in the clear.
Hackers who have taken over a Gmail account can also set up filters that match messages on keywords and forward them to another address, usually without the owner noticing. Once an account is compromised, a few clicks in the settings are enough to divert virtually any incoming message to a pre-set address, and a filter on a word like 'banking' or 'account' will quietly capture statements and password resets for your online banking, which may end in financial information being stolen. By the time the owner discovers fraudulent activity, it may be too late.
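The session-cookie attack described above comes down to a single browser decision: does the cookie get attached to a plain-HTTP request or not? The added example below (not code from the original post) uses Python's standard cookie jar, whose policy mirrors a browser's, to show that decision on constructed input. The cookie name "GX", its value, and the URL of the injected image are assumptions; the point is the contrast between a cookie set without the Secure flag and one set with it.

```python
import email.message
import http.cookiejar
import urllib.request

# Constructed Set-Cookie headers; "GX" stands in for whatever name the
# session cookie really had, and the value is made up.
SESSION_COOKIE = "GX=deadbeef1234; Path=/"
SECURE_SESSION_COOKIE = SESSION_COOKIE + "; Secure"

LOGIN_URL = "https://mail.google.com/mail/"   # login itself happens over HTTPS
# An image the attacker injects into any plain-HTTP page the victim loads
# (assumed path; any mail.google.com URL over http:// would do).
INJECTED_IMAGE = "http://mail.google.com/mail/images/logo.gif"


class FakeResponse:
    """The cookie jar only needs .info() returning the response headers."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value   # appends, does not overwrite

    def info(self):
        return self._headers


def cookie_header_sent(set_cookie_header, target_url, login_url=LOGIN_URL):
    """Store the cookie as if it arrived in the login response, then return
    the Cookie header the browser would attach to a request for target_url
    (None if it would send nothing)."""
    jar = http.cookiejar.CookieJar()   # DefaultCookiePolicy, browser-like rules
    jar.extract_cookies(FakeResponse([set_cookie_header]),
                        urllib.request.Request(login_url))
    request = urllib.request.Request(target_url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def sniffer_sees_session(set_cookie_header):
    """True if the session cookie travels in the clear when the victim's
    browser fetches the attacker's injected image over HTTP."""
    return cookie_header_sent(set_cookie_header, INJECTED_IMAGE) is not None


if __name__ == "__main__":
    print("no Secure flag, HTTP image :", cookie_header_sent(SESSION_COOKIE, INJECTED_IMAGE))
    print("Secure flag,    HTTP image :", cookie_header_sent(SECURE_SESSION_COOKIE, INJECTED_IMAGE))
    print("Secure flag,    HTTPS mail :", cookie_header_sent(SECURE_SESSION_COOKIE, LOGIN_URL))
```

Without the Secure flag the browser hands "GX=deadbeef1234" to the injected http:// image request, which is exactly what a sniffer on the hotspot is waiting for; with the flag the same cookie is still sent to the real https:// site but never over plain HTTP. The flag only helps if every page of the application is reachable over HTTPS, otherwise the site breaks for its own users.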
Signs that your Gmail account was hacked
Usually the first trace of a hacked Gmail account is an unknown email in the Sent Mail or Trash folder that the account owner did not send. Other signs your Gmail account was hacked:
- You received an email claiming to come from Gmail that asked you to verify your account by downloading an attachment and providing personal information such as your password; after "verifying" through this fake notification, you can no longer access your Gmail account.
- A considerable number of emails went out from your account to people in your Contacts list, with links to fake pharmaceutical or malware-ridden sites, and those contacts are now writing to you to complain, or to report that they can no longer access their own Gmail accounts after falling for the spam that came from you.
What to do after your Gmail account has been hacked?
Step 1: Check the Trash or Sent Mail folder for suspicious emails
If you suspect that your Gmail account has been hacked, first check the Sent Mail folder for peculiar emails that you do not recall sending. Also look at the Trash folder, because hackers may delete their messages from Sent Mail. Keep an eye on both folders, since a hacker may be in the habit of sending your valuable information to another email address.
Step 2: Regularly check your Gmail account activity
Next, look at the bottom of your inbox. The "Last account activity" line tells you whether your account is currently open from any other location, and its "Details" link lists recent sessions with their IP addresses and access types. This built-in feature also lets you sign out all other sessions with one click.
Step 3: Change your Gmail password
Even if nobody else appears to be logged into your account right now, change your Gmail password immediately, and pick one you do not use anywhere else. To change your Gmail password, go to Settings > Accounts and Import > Google Account Settings > Change Password.
Step 4: Check and fix the following Gmail settings that may have been tampered with by the hacker
- Check, and if necessary change, the password recovery options. A hacker who has pointed recovery at their own address or phone can simply reset the password you just set:
Open your Gmail Account > go to Settings > Accounts and Import > Google Account Settings > Change Password Recovery Options.
- Check that nothing has been added to your signature or vacation responder (both are easy places to plant spam links that go out with every message):
To check the Signature option: Go to Settings > General > Signature.
To check the Vacation Responder option: Go to Settings > General > Vacation Responder.
- Double-check that no extra "Send mail as" address has been added and that your own address is still correct:
Go to Settings > Accounts and Import > Send Mail As.
- Check for filters that forward, delete or archive email:
Go to Settings > Filters.
- Check that forwarding is disabled (or goes only to an address you control) and that POP download and IMAP access are disabled unless you actually use them:
Go to Settings > Forwarding and POP/IMAP > select the appropriate email type.
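Gmail's filter settings can be exported to an XML file, and auditing that file is quicker and less error-prone than clicking through every filter by hand. The added example below (not code from the original post) parses a constructed export of the layout I understand that feature to produce (an Atom feed with apps:property elements; treat the element and property names as assumptions) and flags the two things the post warns about: filters that forward mail to an address you do not control, and filters that trash, archive or mark-as-read mail matching sensitive keywords. The addresses and the keyword list are made up for the demonstration.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Constructed export with three filters; the second is the kind the post
# describes (keyword match + forward + trash). Addresses are made up.
SAMPLE_EXPORT = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.org'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='banking OR account OR password'/>
    <apps:property name='forwardTo' value='dropbox@attacker.example'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='subject' value='receipt'/>
    <apps:property name='forwardTo' value='owner@example.com'/>
  </entry>
</feed>
"""

# Words a thief would key on (assumed list); extend to suit the mailbox.
SENSITIVE = ("bank", "account", "password", "verify", "reset", "statement")
CRITERIA = ("from", "to", "subject", "hasTheWord")
HIDING_ACTIONS = ("shouldTrash", "shouldArchive", "shouldMarkAsRead")


def load_filters(xml_text):
    """Return one {property name: value} dict per <entry> in the export."""
    root = ET.fromstring(xml_text)
    return [
        {p.get("name"): p.get("value") for p in entry.iter(APPS + "property")}
        for entry in root.iter(ATOM + "entry")
    ]


def audit_filters(xml_text, trusted_addresses):
    """Flag filters that forward to an address you do not control, or that
    hide (trash/archive/mark read) mail matching sensitive keywords.
    Returns (filter_number, reason, criteria) tuples, in filter order."""
    trusted = {a.lower() for a in trusted_addresses}
    findings = []
    for number, props in enumerate(load_filters(xml_text), start=1):
        criteria = " | ".join(f"{k}={props[k]}" for k in CRITERIA if k in props)
        forward_to = props.get("forwardTo")
        if forward_to and forward_to.lower() not in trusted:
            findings.append((number, f"forwards to untrusted address {forward_to}", criteria))
        hiding = [a for a in HIDING_ACTIONS if props.get(a) == "true"]
        if hiding and any(word in criteria.lower() for word in SENSITIVE):
            findings.append((number, "hides mail matching sensitive keywords via "
                             + ", ".join(hiding), criteria))
    return findings


if __name__ == "__main__":
    for number, reason, criteria in audit_filters(SAMPLE_EXPORT, ["owner@example.com"]):
        print(f"filter {number}: {reason}  [{criteria}]")
```

On the sample, only the second filter is reported (twice: once for the forward, once for trashing the matches), the newsletter filter and the forward to the owner's own address pass. Run the same audit after every suspected compromise; an attacker's filter is small, easy to overlook in the settings page, and survives a password change.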
Step 5: Be proactive and check banking accounts you've linked to your Gmail account for any unusual activity
This is also a good time to be proactive: check the bank and card accounts whose statements or password resets go to this mailbox, and consider contacting your financial institution to tell them what happened.
Be wary of any suspicious emails that request personal information
Giving your credit card number or personal information to a website such as the online pharmacy in Figure 2 above puts you at immediate risk of fraudulent activity on your account or, even worse, identity theft. Be on the lookout for emails that resemble the one shown in Figure 1. If you need these drugs that badly, it is better to pay more now to a legitimate source than to pay far more later because you gave a hacker your credit card information.