
Hacked email- but where is it running?


10 replies 296 views
olbas_oil Forumite
226 posts
Part of the Furniture 100 Posts
✭✭
A family member got the British Gas phishing email and clicked on the link. Since then his hotmail account has been sending out these emails on 3 occasions separated by a few days about 200 at a time to random addresses. I can see them in his outbox, and he has received some irate replies.
I have been able to reset his email password, but a virus check did not find anything on his computer.
If it was a process running on a machine somewhere on the internet, then changing the password has presumably sorted out the problem. If however it was a virus that may still be hiding on his machine, then it will be able to get back once he logs in with the new password.
Which is more likely? Is there any way of determining this?

Replies

  • Blackbeard_of_Perranporth Forumite
    7.1K posts
    Seventh Anniversary 1,000 Posts Photogenic
    ✭✭✭✭
    Most ISPs provide free anti-virus. Sky and BT offer McAfee. Suggest you install this on your family friend's PC. If your ISP does not provide this, the free Windows Defender on Windows 10 is adequate.

    Also educate them that if it looks too good to be true, it is.
    Cardiac Arrest - Electrical - Patient unconscious! Heart Attack - Plumbing - Patient conscious!
    Defibrillators Cannot Cure a Heart Attack!
  • MinuteNoodles Forumite
    841 posts
    500 Posts Name Dropper
    ✭✭✭
    Do a scan using Malwarebytes.
  • Rosa_Damascena Forumite
    1.4K posts
    1,000 Posts Name Dropper Photogenic
    ✭✭✭
    MinuteNoodles said:
    Do a scan using Malwarebytes.
    Will that be enough, though?
    No man is worth crawling on this earth.
  • askeym Forumite
    117 posts
    100 Posts Name Dropper
    Rosa_Damascena said:
    Do a scan using Malwarebytes.
    Will that be enough, though?

    I'd use 2 other Malwarebytes (MBAM) apps too which can pick up things an AV and MBAM don't: adwcleaner and its rootkit scanner mbar-antirootkit. If there's any nasty lurking these will pick it up.


    I know Domestos kills 99% of germs, but I'm worried about the 1% that got away.
  • olbas_oil Forumite
    226 posts
    Part of the Furniture 100 Posts
    ✭✭
    edited 5 July at 9:27AM
    Thanks for the responses. I appreciate the need to do thorough scanning, and I hope to arrange for remote assistance so I can do that myself.
    But at a more technical, analytic level, I am trying to understand what may have happened. I can see lots of reports about this British Gas phishing email, but none of these actually explain what virus is being installed. I can see two possible models for what happened (nothing for a week now):
    1) Some hacker has his credentials, and is running a process to login to his hotmail and send these emails. If that's the case then we should now be ok having changed the password.
    2) A virus was installed on his machine, and doesn't need to know his credentials because he is already logged in. If that was the case then I'd have expected the antivirus scans to have reported it.
    I have examined the emails themselves, and even set up a sandbox to click the link, but have not been able to identify what is happening. Is there anywhere I can find more information about this British Gas scam?
    The text looks like this: 
    "Hello ********@hotmail.co.uk,
    We sent you a gas bill for £3.71, and we still haven't received payment. If you've paid it in the last five days, ..."
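    One concrete way to tell the two models apart is to look at where the spam was submitted from: the Received chain (and, on some webmail services, an X-Originating-IP header) of the messages sitting in the Sent/Outbox folder records the client address that handed the mail to the provider. If that address is the household's own connection, something on the PC is sending (model 2); if it is an address the household never uses, someone else is logging in with the stolen credentials (model 1). The script below is an added example, not code from this thread; the two messages, host names and IP addresses in it are constructed (documentation ranges), and the provider's exact header layout is an assumption, since some services strip the client address entirely.

```python
import email
import ipaddress
import re
from email import policy

# Private/loopback/link-local ranges never identify the submitting client's public address.
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
_IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def _first_external_ip(header_value):
    """Return the first IPv4 address in a header value that is not in an internal range, else None."""
    for candidate in _IPV4_RE.findall(header_value):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:
            continue
        if not any(addr in net for net in _INTERNAL_NETS):
            return addr
    return None


def originating_ip(msg):
    """Best-effort address the message was submitted from.

    X-Originating-IP (added by some webmail services) is the most direct clue. Failing that,
    walk the Received chain from the bottom: each relay prepends its own header, so the last
    Received line describes the first hop, i.e. the client that submitted the message.
    """
    xoip = msg.get("X-Originating-IP")
    if xoip:
        addr = _first_external_ip(xoip)
        if addr:
            return addr
    for received in reversed(msg.get_all("Received", [])):
        addr = _first_external_ip(received)
        if addr:
            return addr
    return None


def classify_origin(raw_message, home_networks):
    """Classify one sent message as submitted from the household's connection or from elsewhere."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    origin = originating_ip(msg)
    nets = [ipaddress.ip_network(n) for n in home_networks]
    if origin is None:
        verdict = "undetermined"  # provider hid the client address; fall back to the account's sign-in activity page
    elif any(origin in net for net in nets):
        verdict = "local"   # consistent with model 2: sent from the household's own connection
    else:
        verdict = "remote"  # consistent with model 1: sent from an address the household does not use
    client = msg.get("X-Mailer") or msg.get("User-Agent")
    return {"origin_ip": str(origin) if origin else None,
            "verdict": verdict,
            "client": str(client) if client else None}


# Constructed sample messages (documentation IP ranges, invented host names), not real captured mail.
SAMPLE_WEBMAIL_REMOTE = """\
Received: from out-relay.mailprovider.example ([10.4.0.12]) by mx.recipient.example with ESMTP; Tue, 2 Jul 2019 09:12:00 +0000
Received: from [203.0.113.45] by webmail.mailprovider.example with HTTP; Tue, 2 Jul 2019 09:11:58 +0000
X-Originating-IP: [203.0.113.45]
From: family.member@mailprovider.example
To: someone@recipient.example
Subject: Your gas bill

Hello, we sent you a gas bill for 3.71 and we still haven't received payment.
"""

SAMPLE_DESKTOP_LOCAL = """\
Received: from out-relay.mailprovider.example ([10.4.0.12]) by mx.recipient.example with ESMTP; Wed, 3 Jul 2019 18:40:01 +0000
Received: from laptop.home.example ([198.51.100.7]) by smtp.mailprovider.example with ESMTPSA; Wed, 3 Jul 2019 18:40:00 +0000
From: family.member@mailprovider.example
To: someone@recipient.example
Subject: Your gas bill
X-Mailer: Microsoft Outlook 16.0

Hello, we sent you a gas bill for 3.71 and we still haven't received payment.
"""

# The household's public address (constructed), as shown on the router's status page.
HOME_NETWORKS = ["198.51.100.7/32"]

if __name__ == "__main__":
    for label, raw in (("webmail sample", SAMPLE_WEBMAIL_REMOTE), ("desktop sample", SAMPLE_DESKTOP_LOCAL)):
        print(label, classify_origin(raw, HOME_NETWORKS))
```

    Run it against the raw source ("view message source") of a few of the sent messages with the household's real public address in HOME_NETWORKS. A run of "remote" verdicts from one unfamiliar address, stopping after the password change, is the evidence for model 1; a "local" verdict on mail submitted while the PC was on is the evidence for model 2 and a reason to keep scanning. Where the provider strips the client address the verdict is "undetermined", and the account's own recent sign-in activity page is the place to look instead.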

  • askeym Forumite
    117 posts
    100 Posts Name Dropper
    olbas_oil said:
    Thanks for the responses. I appreciate the need to do thorough scanning, and I hope to arrange for remote assistance so I can do that myself.
    But at a more technical, analytic level, I am trying to understand what may have happened. I can see lots of reports about this British Gas phishing email, but none of these actually explain what virus is being installed. I can see two possible models for what happened (nothing for a week now):
    1) Some hacker has his credentials, and is running a process to login to his hotmail and send these emails. If that's the case then we should now be ok having changed the password.
    2) A virus was installed on his machine, and doesn't need to know his credentials because he is already logged in. If that was the case then I'd have expected the antivirus scans to have reported it.
    I have examined the emails themselves, and even set up a sandbox to click the link, but have not been able to identify what is happening. Is there anywhere I can find more information about this British Gas scam?
    The text looks like this: 
    "Hello ********@hotmail.co.uk,
    We sent you a gas bill for £3.71, and we still haven't received payment. If you've paid it in the last five days, ..."


    An AV wouldn't necessarily pick up a trojan as its main job is to pick up viruses, i.e.:
    Trojans are also known to create a backdoor on your computer that gives malicious users access to your system, possibly allowing confidential or personal information to be compromised. Unlike viruses and worms, Trojans do not reproduce by infecting other files nor do they self-replicate.

    I know Domestos kills 99% of germs, but I'm worried about the 1% that got away.
  • jonnygee2 Forumite
    2.1K posts
    1,000 Posts Second Anniversary Name Dropper Combo Breaker
    ✭✭✭✭
    edited 6 July at 11:11AM
    askeym said:
    An AV wouldn't necessarily pick up a trojan as its main job is to pick up viruses, i.e.:

    Most mainstream AV programs certainly include trojans and malware in their scanning / detection.

    But @olbas_oil which program did you use to scan?

    Also, after this kind of event you should really set up two factor authentication (2FA) on the account and make sure you change all security details associated with the account - eg backup email address, security questions etc. Where possible set up 2FA using an authenticator app, like Google Authenticator, rather than with an SMS.

  • AndyPix Forumite
    4.8K posts
    1,000 Posts Fifth Anniversary Name Dropper Photogenic
    ✭✭✭✭
    olbas_oil said:
    Thanks for the responses. I appreciate the need to do thorough scanning, and I hope to arrange for remote assistance so I can do that myself.
    But at a more technical, analytic level, I am trying to understand what may have happened. I can see lots of reports about this British Gas phishing email, but none of these actually explain what virus is being installed. I can see two possible models for what happened (nothing for a week now):
    1) Some hacker has his credentials, and is running a process to login to his hotmail and send these emails. If that's the case then we should now be ok having changed the password.
    2) A virus was installed on his machine, and doesn't need to know his credentials because he is already logged in. If that was the case then I'd have expected the antivirus scans to have reported it.
    I have examined the emails themselves, and even set up a sandbox to click the link, but have not been able to identify what is happening. Is there anywhere I can find more information about this British Gas scam?
    The text looks like this: 
    "Hello ********@hotmail.co.uk,
    We sent you a gas bill for £3.71, and we still haven't received payment. If you've paid it in the last five days, ..."


    It is 1.
    It is a simple phishing mail that harvests credentials.
    Changing the password will have made this go away.
    Running with scissors since 1978 :)
  • DoaM Forumite
    11.2K posts
    10,000 Posts Fifth Anniversary Name Dropper Photogenic
    ✭✭✭✭✭
    As above. The proof will be in the fact that it has stopped happening.
    Diary of a madman
    Walk the line again today
    Entries of confusion
    Dear diary, I'm here to stay
  • Paul_Varjak Forumite
    4.7K posts
    Part of the Furniture 1,000 Posts Photogenic Combo Breaker
    ✭✭✭✭
    olbas_oil said:
    A family member got the British Gas phishing email and clicked on the link. Since then his hotmail account has been sending out these emails on 3 occasions separated by a few days about 200 at a time to random addresses. I can see them in his outbox, and he has received some irate replies.
    I have been able to reset his email password, but a virus check did not find anything on his computer.
    If it was a process running on a machine somewhere on the internet, then changing the password has presumably sorted out the problem. If however it was a virus that may still be hiding on his machine, then it will be able to get back once he logs in with the new password.
    Which is more likely? Is there any way of determining this?

    This was a phishing email. Your family member clicked on a link which led to a fake British Gas website; your family member, no doubt, entered their details to log into their British Gas account and may have even paid the bill of £3.71 using a debit/credit card. In which case, the scammers have your family member's debit or credit card details as well. That means fake purchases could be made in the next few days using your family member's name and they may have even opened accounts in your family member's name.

    Even if your family member did not pay the £3.71 they still logged into the fake British Gas website using the same credentials they use for their British Gas and email accounts. That has given the scammer access to your family member's British Gas and email accounts so they can continue with the scam by using your family member's email account to send out similar scam emails to other prospective victims. They will also know your family member's name and address as it appears on their British Gas account. More worryingly, the scammers may have accessed your family member's other accounts via your family member's email address - that is especially so if that email account holds an extensive history of past emails from other accounts, so they easily know what accounts to hack.

    Given that your family member has apparently re-used passwords across multiple websites, the scammer could access those other accounts without even having to initiate a password reset; so just changing the password on the hacked email address would be insufficient as the scammer could still have credentials for a multitude of your family member's on-line accounts.

    Your family member should change the password on the email account and set up two factor authentication on that email account. Additionally, they should use unique strong passwords on all other sites they access using that email account even if they did not re-use the email password on those sites - that is because the hacker may have issued password resets for your family member's other online accounts.

    Getting an email address hacked can be a real nightmare as your whole personal, business, social and financial life could be contained within a single email account!
    Any opinions are my own unless otherwise stated.