Account Hacked

munchings-n-crunchings

Woke up this morning to find the work email had been hacked, passwords change, recovery account changed and security question changed.
Along with that, an online purchase was made, using google checkout, and the business debit card number.

I've run 2 different Malware programs, Kaspersky and Malwaewbytes, and neither have picked up anything.
Security is AVG 2013 paid version.

I've spoken to the company where the online purchase was made, and they have suggested I contact google checkout. The order has been cancelled by google without me doing anything.
Who ever made the purchase, has given a delivery address which has now been given to the police, and the card has been stopped.

How do I now proceed? as I can't find out how we've been hacked?

Many thanks

Claire

Lifeforms

How strong was the password? Could just be a case of guesswork gained entry.

Considered it might be inside work if all the answers could be changed, or either it's just answers too obvious. DOB, dogs name, maiden name etc. Where was the account? linked with a domain name, or something like gmail?

Basically you need to change everything that has a password to. Check outs, bank accounts, email accounts, and maybe even things like wifi passwords to start on an even scratch, as long as you know all machines are secure/virus/malware free.

munchings-n-crunchings

It was a gmail account, not linked to an domain or website.

I work for 2 bosses, neither would know where to start on changing passwords etc.

My personal email account was the recovery email address for the business gmail account.
I have just received an odd email from TalkTalk regarding my password email setup. I'm wondering if this has been hacked as well!
I have not been with TT for 18 months, but the email name originates from them, a former Tiscali one.

Just ran an AVG scan, which hasn't picked up anything,

Carl31

I dont think it was virus related, someone must have obtained your passwords, have you had any potential phishing emails lately?

If it helps, i had warnings over the weekend about soneone trying to access my google account from malaysia

Lifeforms

Disable your current antivirus, and use this online one
http://housecall.trendmicro.com/uk/index.html
Remember to re-enable the installed one after. Follow the instructions (if you already haven't) for running malware checks, so do malwarebytes, you could also try Spybot search and destroy. none of these need to be running after, so could be disabled, or removed. Update them all before scanning.
Once you're sure your computer is clean (and i know you've said 1st post that it was, but try the antivirus, and spybot on top) then:

Change your own personal email accounts password and security questions as well as the companies one. Make them harder to guess, not obvious, and if possible something that very few people would know. If you need to, for the moment, write them down, but do not write them down on the computer itself!

Unlink any cards with google checkout (they can be added as and when needed) to stop any further payments being made, and I'd also suggest that the card is cancelled and a new one with new information is gained by the company. So different numbers on the end/and/or new security code on the back, with end dates on it. Avoid keeping any cards linked for long periods to anything for "ease of use". Makes it too easy to be used when things like this happened. Be worth it also to inform the bank that a fraudulent payment was made, when requesting a new card.

Consider moving your own personal email account away from an ISP and use it with something like gmail. This just makes it easier to move your own account if/when ISP decides to close it down, and I do sometimes wonder about security of having isp and email linked. But this is down to my own paranoia


It's about trails, which is why you need to change your own passwords too. Because your personal address will show up in the company account as a recovery, and maybe be linked to getting access.

You ideally should scan any computer linked with the accounts.

kwikbreaks

I'll agree with Carl31 - getting caught by a phishing email is the most probably cause.

munchings-n-crunchings

Lifeforms wrote: »

Consider moving your own personal email account away from an ISP and use it with something like gmail. This just makes it easier to move your own account if/when ISP decides to close it down, and I do sometimes wonder about security of having isp and email linked. But this is down to my own paranoia

My personal email address is xxxx@tiscali.co.uk, but I never access it through the TalkTalk website. There was a period about 18 months ago where former tiscali customers were locked out of the accounts, so since then, I've collected emails thru gmail. Which makes the TalkTalk email from last night seem more suspicious.

I've not had any phishing emails for quite sometime. Depending on what they are, I either delete straight away, or I forward them to the spoof email dept at the organisation concerned.

I've done the Housecall check, and that it coming back clear. I can't as yet check google checkout any further, as it's now suspended awaiting validation, well it can stay like that for a while!

securityguy

Google offer two factor authentication for gmail. It doesn't have to use SMS, so you don't have to give Google your phone number if for some reason that bothers you. There is no conceivable reason why you wouldn't turn it on.

ChiefGrasscutter

According to this page.....you do indeed need to give google your/a phone number as this is indeed how Gmail two step verification works - it sends the challenge via voice, text or via the mobile app
http://support.google.com/accounts/bin/answer.py?hl=en&answer=180744

securityguy

ChiefGrasscutter wrote: »

According to this page.....you do indeed need to give google your/a phone number as this is indeed how Gmail two step verification works - it sends the challenge via voice, text or via the mobile app
http://support.google.com/accounts/bin/answer.py?hl=en&answer=180744

The mobile app doesn't require them to have your mobile number, though. The page you link to says "sent" because it's marketing stuff, and explaining how it works is probably too much like hard work (the "authenticator" app isn't sent anything during authentication).

Google need to have, as you say, a phone number you can be contacted on during enrolment. I'm not entirely sure why that is. But you can use any phone --- even, if you're really paranoid, a callbox, or some random PAYG phone --- to do that. They don't need your main mobile phone number. I gave them my home landline, because that also offers a way to recover access if something really bad happens. I struggle to see why I would worry about giving them that.

I'm not entirely sure why it would be a problem even if they did, as it happens. Facebook two-factor requires your "live" mobile number, and I have my children enrolled for that because Facebook having their phone numbers (so what?) is massively better than the alternatives (their accounts being accessible to anyone who has their password).

Security's about balancing risk. And for gmail accounts, two-factor authentication is so massively beneficial that it outweighs vague feelings of unease about phone numbers ten times over.

Gunstar

I agree with the few above. Most likely phishing.

An email went around a few days ago asking to agree to new Google TOS, it requested you enter your details. It was a well done effort, sure it would have got a few people.