Hacked email - but where is it running?

A family member got the British Gas phishing email and clicked on the link. Since then his Hotmail account has been sending out these emails on 3 occasions, separated by a few days, about 200 at a time, to random addresses. I can see them in his outbox, and he has received some irate replies.
I have been able to reset his email password, but a virus check did not find anything on his computer.
If it was a process running on a machine somewhere on the internet, then changing the password has presumably sorted out the problem. If, however, it was a virus that may still be hiding on his machine, then it will be able to get back in once he logs in with the new password.
Which is more likely? Is there any way of determining this?

Comments

  • Most ISPs provide free antivirus. Sky and BT offer McAfee. Suggest you install this on your family friend's PC. If your ISP does not provide this, the free Windows Defender on Windows 10 is adequate.

    Also educate them that if it looks too good to be true, it is.
  • MinuteNoodles
    Do a scan using Malwarebytes.
  • Rosa_Damascena
    Do a scan using Malwarebytes.
    Will that be enough, though?
    No man is worth crawling on this earth.

    So much to read, so little time.
  • askeym
    Do a scan using Malwarebytes.
    Will that be enough, though?

    I'd use 2 other Malwarebytes (MBAM) apps too, which can pick up things an AV and MBAM don't: AdwCleaner and its rootkit scanner, mbar-antirootkit. If there's any nasty lurking, these will pick it up.


    I know Domestos kills 99% of germs, but I'm worried about the 1% that got away.
  • olbas_oil
    edited 5 July 2020 at 9:27AM
    Thanks for the responses. I appreciate the need to do thorough scanning, and I hope to arrange for remote assistance so I can do that myself.
    But at a more technical, analytic level, I am trying to understand what may have happened. I can see lots of reports about this British Gas phishing email, but none of these actually explain what virus is being installed. I can see two possible models for what happened (nothing for a week now).
    1) Some hacker has his credentials, and is running a process to log in to his Hotmail and send these emails. If that's the case, then we should now be OK having changed the password.
    2) A virus was installed on his machine, and doesn't need to know his credentials because he is already logged in. If that was the case, then I'd have expected the antivirus scans to have reported it.
    I have examined the emails themselves, and even set up a sandbox to click the link, but have not been able to identify what is happening. Is there anywhere I can find more information about this British Gas scam?
    The text looks like this:
    "Hello ********@hotmail.co.uk,
    We sent you a gas bill for £3.71, and we still haven't received payment. If you've paid it in the last five days, ..."
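One way to answer the "where is it running?" question from the stored sent copies themselves, as an added example that is not part of this thread: a Python script that reads the originating address from each message's X-Originating-IP header (or, failing that, the earliest Received hop) and marks it local or remote against the networks the account owner actually uses. It assumes the mailbox export still carries those headers, which webmail providers do not always retain, and the sample messages and the 203.0.113.0/24 "home" network are constructed for the example.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample copies of sent mail (not real messages): the first was
# submitted from the owner's own connection, the second from an unrelated
# address, and the third carries no header that names the submitting client.
SAMPLE_MESSAGES = [
    "Message-ID: <a1@example.invalid>\n"
    "X-Originating-IP: [203.0.113.10]\n"
    "Subject: Your gas bill\n\nbody\n",
    "Message-ID: <a2@example.invalid>\n"
    "Received: from mx.example.invalid by store.example.invalid; Mon, 6 Jul 2020\n"
    "Received: from webclient ([198.51.100.77]) by mx.example.invalid with HTTP\n"
    "Subject: Your gas bill\n\nbody\n",
    "Message-ID: <a3@example.invalid>\n"
    "Subject: Your gas bill\n\nbody\n",
]
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def originating_ip(raw):
    """Return the IPv4 address that submitted the message, or None if unknown."""
    msg = message_from_string(raw)
    m = IPV4_IN_BRACKETS.search(msg.get("X-Originating-IP", ""))
    if m:
        return m.group(1)
    # Received headers are prepended at each hop, so the last one in header
    # order is the hop closest to the client that handed the mail in.
    for hop in reversed(msg.get_all("Received") or []):
        m = IPV4_IN_BRACKETS.search(hop)
        if m:
            return m.group(1)
    return None

def classify(ip, home_networks):
    """'local' if ip lies in a network the owner uses, 'remote' if not, 'unknown' if None."""
    if ip is None:
        return "unknown"
    addr = ipaddress.ip_address(ip)
    return "local" if any(addr in ipaddress.ip_network(n) for n in home_networks) else "remote"

def triage(messages, home_networks):
    """Map each stored message's Message-ID to (originating IP, verdict)."""
    result = {}
    for raw in messages:
        ip = originating_ip(raw)
        result[message_from_string(raw)["Message-ID"]] = (ip, classify(ip, home_networks))
    return result
```

Sends from an address the owner never uses point to model 1 (stolen credentials used from elsewhere), while repeated sends from the home address on a machine that scans clean argue for model 2.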

  • askeym
    olbas_oil said:
    Thanks for the responses. I appreciate the need to do thorough scanning, and I hope to arrange for remote assistance so I can do that myself.
    But at a more technical, analytic level, I am trying to understand what may have happened. I can see lots of reports about this British Gas phishing email, but none of these actually explain what virus is being installed. I can see two possible models for what happened (nothing for a week now).
    1) Some hacker has his credentials, and is running a process to log in to his Hotmail and send these emails. If that's the case, then we should now be OK having changed the password.
    2) A virus was installed on his machine, and doesn't need to know his credentials because he is already logged in. If that was the case, then I'd have expected the antivirus scans to have reported it.
    I have examined the emails themselves, and even set up a sandbox to click the link, but have not been able to identify what is happening. Is there anywhere I can find more information about this British Gas scam?
    The text looks like this:
    "Hello ********@hotmail.co.uk,
    We sent you a gas bill for £3.71, and we still haven't received payment. If you've paid it in the last five days, ..."


    An AV wouldn't necessarily pick up a trojan, as its main job is to pick up viruses, i.e.:
    Trojans are also known to create a backdoor on your computer that gives malicious users access to your system, possibly allowing confidential or personal information to be compromised. Unlike viruses and worms, Trojans do not reproduce by infecting other files nor do they self-replicate.

    I know Domestos kills 99% of germs, but I'm worried about the 1% that got away.
  • jonnygee2
    edited 6 July 2020 at 11:11AM
    An AV wouldn't necessarily pick up a trojan, as its main job is to pick up viruses, i.e.:

    Most mainstream AV programs certainly include trojans and malware in their scanning / detection.

    But @olbas_oil, which program did you use to scan?

    Also, after this kind of event you should really set up two-factor authentication (2FA) on the account and make sure you change all security details associated with the account, e.g. backup email address, security questions, etc. Where possible, set up 2FA using an authenticator app, like Google Authenticator, rather than with an SMS.

  • AndyPix
    olbas_oil said:
    Thanks for the responses. I appreciate the need to do thorough scanning, and I hope to arrange for remote assistance so I can do that myself.
    But at a more technical, analytic level, I am trying to understand what may have happened. I can see lots of reports about this British Gas phishing email, but none of these actually explain what virus is being installed. I can see two possible models for what happened (nothing for a week now).
    1) Some hacker has his credentials, and is running a process to log in to his Hotmail and send these emails. If that's the case, then we should now be OK having changed the password.
    2) A virus was installed on his machine, and doesn't need to know his credentials because he is already logged in. If that was the case, then I'd have expected the antivirus scans to have reported it.
    I have examined the emails themselves, and even set up a sandbox to click the link, but have not been able to identify what is happening. Is there anywhere I can find more information about this British Gas scam?
    The text looks like this:
    "Hello ********@hotmail.co.uk,
    We sent you a gas bill for £3.71, and we still haven't received payment. If you've paid it in the last five days, ..."


    It is 1.
    It is a simple phishing mail that harvests credentials.
    Changing the password will have made this go away.
  • DoaM
    As above. The proof will be in the fact that it has stopped happening.
  • Paul_Varjak
    olbas_oil said:
    A family member got the British Gas phishing email and clicked on the link. Since then his Hotmail account has been sending out these emails on 3 occasions, separated by a few days, about 200 at a time, to random addresses. I can see them in his outbox, and he has received some irate replies.
    I have been able to reset his email password, but a virus check did not find anything on his computer.
    If it was a process running on a machine somewhere on the internet, then changing the password has presumably sorted out the problem. If, however, it was a virus that may still be hiding on his machine, then it will be able to get back in once he logs in with the new password.
    Which is more likely? Is there any way of determining this?

    This was a phishing email. Your family member clicked on a link which led to a fake British Gas website; your family member, no doubt, entered their details to log into their British Gas account and may have even paid the bill of £3.71 using a debit/credit card. In which case, the scammers have your family member's debit or credit card details as well. That means fake purchases could be made in the next few days using your family member's name, and they may have even opened accounts in your family member's name.

    Even if your family member did not pay the £3.71, they still logged into the fake British Gas website using the same credentials they use for their British Gas and email accounts. That has given the scammer access to your family member's British Gas and email accounts, so they can continue with the scam by using your family member's email account to send out similar scam emails to other prospective victims. They will also know your family member's name and address as it appears on their British Gas account. More worryingly, the scammers may have accessed your family member's other accounts via your family member's email address - that is especially so if that email account holds an extensive history of past emails from other accounts, so they easily know what accounts to hack.

    Given that your family member has apparently re-used passwords across multiple websites, the scammer could access those other accounts without even having to initiate a password reset; so just changing the password on the hacked email address would be insufficient, as the scammer could still have credentials for a multitude of your family member's online accounts.

    Your family member should change the password on the email account and set up two factor authentication on that email account. Additionally, they should use unique strong passwords on all other sites they access using that email account even if they did not re-use the email password on those sites - that is because the hacker may have issued password resets for your family member's other online accounts.

    Getting an email address hacked can be a real nightmare as your whole personal, business, social and financial life could be contained within a single email account!