| 4:30 pm on Nov 17, 2008 (gmt 0)|
did you give anyone else the PW? either recently or a while ago.
did you give anyone a password to another account, where it was the same as your GA account?
could have been a brute force attack... someone sitting there for hours trying to hack it, or a small program.
do you use a wireless connecion while administering this account?
| 4:40 pm on Nov 17, 2008 (gmt 0)|
No I never give any passwords to anyone. If I had to for any reason I would always create a temp one for the purpose. Also I'm very security-aware so don't fall for phishing emails or anything like that.
It could have been brute force or a program - the password wasn't particularly strong - that seems the most likely method so far.
No I don't use a wireless connection for this account.
Is it possible the info could have been picked up somewhere else? Can't think where though... Google's servers couldn't have been hacked could they :-)
I ask because this seems like quite a common problem and I thought someone might have worked out how it was done.
| 4:43 pm on Nov 17, 2008 (gmt 0)|
I'd make sure your passwords have letters and numbers from now on and don't have just a dictionary word in them.
Brute force would be my most likely guess given how savvy you seem and given the fact that you've checked it. Just keep an eye out for any more suspicious activity so that you can catch it if if happens again.
| 6:26 pm on Nov 19, 2008 (gmt 0)|
email fishiing attack are responsable for a lot of these account hacks.
| 11:50 pm on Nov 19, 2008 (gmt 0)|
I'd be surprised if people who are savvy enough to run Adwords accounts would fall for phishing emails, but you could be right I suppose. Not in my case though.
| 3:21 pm on Nov 20, 2008 (gmt 0)|
I don't know how these come about, but they really need to be addressed - I can just imagine how much time they are spending chasing down fraud like this (and we only see a fraction of these reports here, I'm sure)
I keep saying - there should be some flags that we can set so that we're notified in case of unusual activity in an account. I might want to be notified if my budget suddenly increases over some amount I specify. I might want to be notified if someone accesses the account at some unusual time of day. I might want to be notified if new campaigns are created. I might even want to be notified if someone logs in from IP numbers other than what I specify. Heck, I don't even mind if you notify me by text message to my cell phone - I already have notifications set up in case any of our servers or connections go down.
And these flags that I set - they should be verified by PIN number, like they verify AdSense accounts or Google Local Business listings, so the miscreants can't just break in and change them.
In my book, it'd be worth it.
| 3:29 pm on Nov 20, 2008 (gmt 0)|
The one thing that confuses me here is that besides the password the hackers also have to know that one actually has an AdWords account and also the login email addy. I might be a bit slow on the uptake, but how do they come up with this info in the first place?
| 3:36 pm on Nov 20, 2008 (gmt 0)|
this is where i think my friends account got hacked... he was getting phishing emails in his google account...
i dont know if somehow they got a receipt when he opened it or what... but i think they are getting some form of confirmation that the email is valid and exists so they can attack that account...
prior to that im sure they are clicking the ad that are taking them to the site, and i would think it only takes a little investigation to find out the email address...
half the time the webmasters email address is the same as his/her gmail address...
he is in the process of trying to track the origination and location of the email, but not working out to well..
| 3:58 pm on Nov 20, 2008 (gmt 0)|
The phishing for adwords accounts is pretty-sophisticated. If you weren't paying attention you could easily click one and sign in.
| 4:05 pm on Nov 20, 2008 (gmt 0)|
You would have to click on a link in an email though which is something I personally would never do. Besides my Adwords account was pretty dormant - I hadn't logged in for months.
| 4:39 pm on Nov 20, 2008 (gmt 0)|
Do you use the same email/password for any other sites?
| 4:52 pm on Nov 20, 2008 (gmt 0)|
Yes, a few. A couple of shops - that kind of thing.
| 5:47 pm on Nov 20, 2008 (gmt 0)|
Any new toolbars or updates lately? the open source pendulum swings both ways, some good...and some very very bad. I might be overthinking here, but what if someone updated a genuine open source toolbar with some malicious key-logging code.
I don't know if its possible, just throwing it out there.
| 8:32 pm on Nov 20, 2008 (gmt 0)|
Well think of how you would try something like this...
you see a google ad right. maybe not a multi million dollar business, more of a guy/gal like us with a couple hundred dollars budget each month (a thousand if you are in that realm).
you click that ad, find a online store or a site that has services or goods to purchase online.
you think, this looks like a small, but decent spot to "jack" some funds...
click the ad. takes you to yourdomain.com/landingpage/
looks decent enough.
you may or may not have a contact me link... i.e.
<a href="mailto:email@example.com">Contact Me</a>
lets say you do, or your email address is visible.
Bam... we have an email address to work from.
knowing you have to have a gmail account to use google services, they can try to email to various accounts of that name...
firstname.lastname@example.org, email@example.com, firstname.lastname@example.org
whatever doesnt get bounced is recognized as a good email address right?
now its time to run my brut force attack against that adwords account...
again, good brut force software can crack a weak password anywhere from 2 minutes to 14 days... and if you arent logging in for months, you wouldnt event notice.
just my 2 cents.
| 8:39 pm on Nov 20, 2008 (gmt 0)|
|knowing you have to have a gmail account to use google services, they can try to email to various account of that name... |
I have access to Adwords accounts that are not gmail emails, so that is not true.
| 8:46 pm on Nov 20, 2008 (gmt 0)|
my mistake. you are correct.
i was thinking analytics?
in any case, either finding your regular email address or gmail email address wouldnt be terribly hard.
| 11:42 pm on Nov 20, 2008 (gmt 0)|
I was hacked beginning of October, to the tune of 7,000 or so, and also promised a refund. It's now almost the end of November and I'ms still on the hook for the money, not having received the money.
Google indicated that the hacker used my email and password. Similar setup to the OP here. Quite secure. Only I have the password. However, the password was fairly simple, since changed.
Be careful out there.
I spoke to mastercard about this, and because of the size, it would be turned over to fraud department, and the charge itself can't be disputed. And then...police, who knows.
I'm still waiting for google to fulfil its promise so we don't have to get law enforcement involved.
People NEED to pay attention to this stuff. It is happening, we have no explanations, and cleaning up the mess is...ugh. Still can't advertise since the account is locked until the refund is issued.
| 1:10 am on Nov 21, 2008 (gmt 0)|
It is very difficult; almost makes you feel that a 'password changing' service would be worthwhile. Something to update your password every 5 mins, with a encrypted application to retrieve the current password for you at any given time.
Either that, or Google needs to start issuing key fobs like VPN systems frequently use.
| 3:08 pm on Nov 21, 2008 (gmt 0)|
I know its such a hum drum to remember all of our passwords, but when it comes to your money...
using an 11 character password with Upper Case, Lower Case, Number and Character it would take a good brute force attack over 8000 years...
easy to remember but is going to take a while to crack.
in my opinion you shouldnt have to rely on software to keep changing your passwords... you have the ability to keep them out yourself. just have to get into the habit of implementing this tactic.
| 3:33 pm on Nov 21, 2008 (gmt 0)|
There are explanations for many of these things but most people do not see them as threats in the first place or they may not be aware and that's a problem.
I do not think someone just got your login details out of the blue or used brute force attack on your google account. One or another way they the info must be published over the internet.
Clickjacking perhaps? IFrame injections? CSRF in general, do you block active content and cookies when you browse over the internet? For instance just a single jscript can infiltrate your browser and transmit all kinds of info over the web or become a real-time keylogger. Doesn't take much for the problem to occur. Reversing the effects can be a nightmare.
Also antivirus software scans mainly your drive for infected files and the pc memory for known signatures. Jscripts is a real headache because they can bypass these programs. If there is no restriction on the browser end or via a firewall, active content may run uncontrolled.
| 4:17 pm on Nov 21, 2008 (gmt 0)|
Is it possible to tell if you have unwanted jscripts running - presumably there must be a way of detecting them? Wouldn't a firewall stop them?
| 5:30 pm on Nov 21, 2008 (gmt 0)|
Each browser has its own security settings for this purpose. But I don't know how you can foretell whether a jscript is safe or not without checking the code something that is not practical. There are plugins for some like Firefox where you can selectively allow active content to run from sites you trust.
Anyways, regardless of browser I prefer to block everything unless I visit a site that I really trust, to reduce the risk of exploits via browsers. You may also have the other issue with the application plugins as browser are patched automatically nowdays the plugins that open specific resources eg: pdfs or zip files aren't. It is another area someone could take advantage of security holes.
I am also not sure if you can find traces of this within the browser because depending on the settings, the history, cookies, etc, maybe erased once the browser closes. Memory allocated by the application is also released and subsequently cleared.
Some firewalls have build-in mechanisms to eliminate some of these exploits but I don't believe default settings are set to block active content. Neither the browsers do that by default.
I found it strange for browser development that so much effort is placed for secure certificates and secure pages with all these security locks and green labels at the top and bottom of the window and yet they completely ignore the issues that may arise from active content or cookie hijacks. They just have them running by default.