Anyone got any ideas how this happened?
did you give anyone a password to another account, where it was the same as your GA account?
could have been a brute force attack... someone sitting there for hours trying to hack it, or a small program.
do you use a wireless connection while administering this account?
It could have been brute force or a program - the password wasn't particularly strong - that seems the most likely method so far.
No I don't use a wireless connection for this account.
Is it possible the info could have been picked up somewhere else? Can't think where though... Google's servers couldn't have been hacked could they :-)
I ask because this seems like quite a common problem and I thought someone might have worked out how it was done.
Brute force would be my most likely guess given how savvy you seem and given the fact that you've checked it. Just keep an eye out for any more suspicious activity so that you can catch it if it happens again.
I keep saying - there should be some flags that we can set so that we're notified in case of unusual activity in an account. I might want to be notified if my budget suddenly increases over some amount I specify. I might want to be notified if someone accesses the account at some unusual time of day. I might want to be notified if new campaigns are created. I might even want to be notified if someone logs in from IP numbers other than what I specify. Heck, I don't even mind if you notify me by text message to my cell phone - I already have notifications set up in case any of our servers or connections go down.
And these flags that I set - they should be verified by PIN number, like they verify AdSense accounts or Google Local Business listings, so the miscreants can't just break in and change them.
In my book, it'd be worth it.
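The notification flags proposed in the post above, sketched as an added example that is not part of the original thread and does not use any Google API. `AlertPolicy`, `check_event`, the event field names and the sample events are all hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import os
from datetime import datetime
from ipaddress import ip_address, ip_network

class AlertPolicy:
    """Owner-set alert flags (hypothetical); changing one needs the mailed PIN."""
    def __init__(self, pin, max_daily_budget, allowed_nets, login_hours):
        self._salt = os.urandom(16)
        self._pin_hash = self._hash(pin)
        self.max_daily_budget = max_daily_budget
        self.allowed_nets = [ip_network(n) for n in allowed_nets]
        self.login_hours = login_hours  # hours of day, account-local time

    def _hash(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def set_max_daily_budget(self, new_limit, pin):
        # An intruder holding only the account password cannot raise the limit.
        if not hmac.compare_digest(self._hash(pin), self._pin_hash):
            return False
        self.max_daily_budget = new_limit
        return True

def check_event(event, policy):
    """Return the alerts one account-activity event should raise."""
    alerts = []
    if event["type"] == "login":
        if not any(ip_address(event["ip"]) in n for n in policy.allowed_nets):
            alerts.append("login from unlisted IP " + event["ip"])
        if datetime.fromisoformat(event["time"]).hour not in policy.login_hours:
            alerts.append("login outside usual hours")
    elif event["type"] == "budget_change":
        if event["daily_budget"] > policy.max_daily_budget:
            alerts.append("daily budget raised to %.2f" % event["daily_budget"])
    elif event["type"] == "campaign_created":
        alerts.append("new campaign created: " + event["name"])
    return alerts

# Constructed sample events; field names are assumptions, not a Google format.
SAMPLE_EVENTS = [
    {"type": "login", "time": "2024-03-02T09:15:00", "ip": "192.0.2.10"},
    {"type": "login", "time": "2024-03-07T03:40:00", "ip": "198.51.100.77"},
    {"type": "budget_change", "time": "2024-03-07T03:42:00", "daily_budget": 5000.0},
    {"type": "campaign_created", "time": "2024-03-07T03:45:00", "name": "new-1"},
]
policy = AlertPolicy("4821", 50.0, ["192.0.2.0/24"], range(8, 19))
print([check_event(ev, policy) for ev in SAMPLE_EVENTS])
```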
I don't know if somehow they got a receipt when he opened it or what... but I think they are getting some form of confirmation that the email is valid and exists so they can attack that account...
prior to that I'm sure they are clicking the ads that are taking them to the site, and I would think it only takes a little investigation to find out the email address...
half the time the webmaster's email address is the same as his/her gmail address...
he is in the process of trying to track the origination and location of the email, but not working out too well..
you see a google ad right. maybe not a multi million dollar business, more of a guy/gal like us with a couple hundred dollars budget each month (a thousand if you are in that realm).
you click that ad, find an online store or a site that has services or goods to purchase online.
you think, this looks like a small, but decent spot to "jack" some funds...
click the ad. takes you to yourdomain.com/landingpage/
looks decent enough.
you may or may not have a contact me link... i.e.
<a href="mailto:firstname.lastname@example.org">Contact Me</a>
let's say you do, or your email address is visible.
Bam... we have an email address to work from.
knowing you have to have a gmail account to use google services, they can try to email to various accounts of that name...
email@example.com, firstname.lastname@example.org, email@example.com
whatever doesn't get bounced is recognized as a good email address right?
now it's time to run my brute force attack against that adwords account...
again, good brute force software can crack a weak password anywhere from 2 minutes to 14 days... and if you aren't logging in for months, you wouldn't even notice.
just my 2 cents.
Google indicated that the hacker used my email and password. Similar setup to the OP here. Quite secure. Only I have the password. However, the password was fairly simple, since changed.
Be careful out there.
I spoke to mastercard about this, and because of the size, it would be turned over to fraud department, and the charge itself can't be disputed. And then...police, who knows.
I'm still waiting for google to fulfil its promise so we don't have to get law enforcement involved.
People NEED to pay attention to this stuff. It is happening, we have no explanations, and cleaning up the mess is...ugh. Still can't advertise since the account is locked until the refund is issued.
Either that, or Google needs to start issuing key fobs like VPN systems frequently use.
using an 11 character password with Upper Case, Lower Case, Number and Character it would take a good brute force attack over 8000 years...
easy to remember but is going to take a while to crack.
in my opinion you shouldn't have to rely on software to keep changing your passwords... you have the ability to keep them out yourself. just have to get into the habit of implementing this tactic.
I do not think someone just got your login details out of the blue or used a brute force attack on your google account. One way or another the info must be published over the internet.
Clickjacking perhaps? IFrame injections? CSRF in general, do you block active content and cookies when you browse over the internet? For instance just a single jscript can infiltrate your browser and transmit all kinds of info over the web or become a real-time keylogger. Doesn't take much for the problem to occur. Reversing the effects can be a nightmare.
Also antivirus software scans mainly your drive for infected files and the pc memory for known signatures. Jscripts are a real headache because they can bypass these programs. If there is no restriction on the browser end or via a firewall, active content may run uncontrolled.
Anyways, regardless of browser I prefer to block everything unless I visit a site that I really trust, to reduce the risk of exploits via browsers. You may also have the other issue with the application plugins, as browsers are patched automatically nowadays but the plugins that open specific resources, e.g. PDFs or zip files, aren't. It is another area where someone could take advantage of security holes.
I am also not sure if you can find traces of this within the browser because depending on the settings, the history, cookies, etc., may be erased once the browser closes. Memory allocated by the application is also released and subsequently cleared.
Some firewalls have built-in mechanisms to eliminate some of these exploits but I don't believe default settings are set to block active content. Neither do the browsers by default.
I found it strange for browser development that so much effort is placed for secure certificates and secure pages with all these security locks and green labels at the top and bottom of the window and yet they completely ignore the issues that may arise from active content or cookie hijacks. They just have them running by default.