Sunday, January 2, 2011

Gmail Account Security Breach - zorpia spam

Received zorpia.com spam
My son and I had an interesting security breach this morning regarding zorpia.com. We detected it when all of his gmail contacts were spammed with email from "invitation at zorpia.com" on his behalf. All of his contacts were spammed multiple times with the same email, which was essentially trying to get the recipient to click on links that pointed to zorpia.com. Let me explain how the events transpired:

OpenDNS
Since my son is blocked from zorpia.com via OpenDNS I knew he did not have an account there.  We discussed the issue and quickly realized some account of his was breached.  At this point, all we knew was the zorpia spam was sent to me and my wife.  Shortly thereafter, my son received a forwarded zorpia email from his grandfather asking about it.

zorpia.com email getting sent to his gmail contacts
At this point, we knew for sure it had something to do with his gmail account. Since his password was "tight" at 9+ characters including punctuation, it was hard to believe someone had cracked it, especially since it was used nowhere else. I asked him if he had recently used a friend's computer to access his gmail account, and he had not. He did mention he had brought his Mac over to a friend's house where they ran an "open" wifi network (shame on them). Since my son has a Mac, the open wifi did not raise immediate concerns; I have his Mac buttoned up with ssh key authorization only. We then ran a Norton scan on his Mac and it was clean. His USB sticks were also scanned and were clean. Scans of all the computers on the home network were also clean.

Firewall Check
My home network firewall (FreeBSD/IPFilter) is fully logged and very tight. I ran some reports on the logs and nothing jumped out at me. I actually load every log entry into MySQL, which makes searching through the firewall data very easy.
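As an added illustration of that setup (not code from the original post), the following loads constructed ipmon-style IPFilter log lines into an SQL table and answers the question the investigation later needed: which internal host was passed through to a given destination. SQLite stands in for MySQL, the log lines and all addresses are made up, and the 203.0.113.10 destination is a placeholder for whatever address the site of interest resolved to.

```python
import re
import sqlite3

# Constructed sample lines in the style of IPFilter's ipmon output.
# Hosts, rules and addresses are made up; the public ranges are documentation ranges.
SAMPLE_LOG = """\
02/01/2011 08:15:23.104551 fxp0 @0:12 p 192.168.1.20,51234 -> 203.0.113.10,80 PR tcp len 20 60 -S OUT
02/01/2011 08:15:24.221000 fxp0 @0:12 p 192.168.1.20,51235 -> 203.0.113.10,443 PR tcp len 20 60 -S OUT
02/01/2011 08:16:02.000100 fxp0 @0:12 p 192.168.1.31,40000 -> 198.51.100.7,80 PR tcp len 20 60 -S OUT
02/01/2011 08:17:45.990000 fxp0 @0:3 b 198.51.100.99,3333 -> 192.168.1.1,22 PR tcp len 20 60 -S IN
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<iface>\S+) @(?P<rule>\S+) (?P<action>[pb]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) PR (?P<proto>\w+)"
)

def load_log(text):
    """Parse ipmon-style lines into an in-memory SQLite table (stand-in for MySQL)."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE fw (ts TEXT, iface TEXT, rule TEXT, action TEXT,
                  src TEXT, sport INTEGER, dst TEXT, dport INTEGER, proto TEXT)""")
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip state/NAT messages and anything else that does not match
        d = m.groupdict()
        rows.append((d["date"] + " " + d["time"], d["iface"], d["rule"], d["action"],
                     d["src"], int(d["sport"]), d["dst"], int(d["dport"]), d["proto"]))
    db.executemany("INSERT INTO fw VALUES (?,?,?,?,?,?,?,?,?)", rows)
    return db

def hosts_that_reached(db, dst_ip):
    """Internal hosts whose packets were passed ('p') to dst_ip, with a count each."""
    cur = db.execute(
        "SELECT src, COUNT(*) FROM fw WHERE action='p' AND dst=? GROUP BY src ORDER BY src",
        (dst_ip,))
    return cur.fetchall()

def blocked_inbound(db):
    """Connections the firewall blocked ('b'), oldest first."""
    cur = db.execute("SELECT src, dst, dport FROM fw WHERE action='b' ORDER BY ts")
    return cur.fetchall()
```

The destination you search for is the address the site resolved to at the time, so this only works if DNS query logs (or the OpenDNS statistics) are kept alongside the firewall table.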

Gmail Account Access Details
Lastly, I asked him to look at the bottom of his gmail page to see which IP addresses had been used to access his account. I have a static IP address at home, so there should really have been just my public IP address listed, since his Mac rarely leaves our house. To our shock, the accesses were coming from several addresses. I ran a few "whois" lookups and most of the IP addresses pointed to Amazon's cloud. However, some were starting to show up from Japan in near real time.
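To make that check repeatable, here is an added example (not from the original post) that takes a constructed copy of the gmail activity table, lists every source IP that is not the household's static address, and flags foreign accesses that overlap in time with a home access, which a single user at home cannot produce. The home IP, the activity records and the 15-minute window are assumptions; the whois step is left out because it needs the network.

```python
import ipaddress
from datetime import datetime, timedelta

# The household's static public address (constructed, documentation range).
HOME_IPS = {ipaddress.ip_address("203.0.113.5")}

# Constructed records in the spirit of Gmail's "Last account activity" table:
# (access type, IP address, local timestamp). None of these addresses are real.
ACTIVITY = [
    ("Browser", "192.0.2.77",    "2011-01-01 23:40"),
    ("Browser", "203.0.113.5",   "2011-01-02 07:58"),
    ("Mobile",  "198.51.100.23", "2011-01-02 08:01"),
    ("Browser", "198.51.100.23", "2011-01-02 08:09"),
    ("Browser", "192.0.2.77",    "2011-01-02 08:10"),
    ("Browser", "203.0.113.5",   "2011-01-02 08:12"),
]

def parse(records):
    """Turn the raw table into (kind, ip_address, datetime) tuples."""
    return [(kind, ipaddress.ip_address(ip), datetime.strptime(ts, "%Y-%m-%d %H:%M"))
            for kind, ip, ts in records]

def unknown_sources(records, home=HOME_IPS):
    """Distinct IPs outside the home set, with how many times each appeared."""
    counts = {}
    for _, ip, _ in parse(records):
        if ip not in home:
            counts[str(ip)] = counts.get(str(ip), 0) + 1
    return counts

def overlapping_sessions(records, home=HOME_IPS, window=timedelta(minutes=15)):
    """Foreign accesses within `window` of a home access: the account is in use
    from two places at once, the strongest sign that someone else holds it."""
    events = sorted(parse(records), key=lambda e: e[2])
    home_times = [t for _, ip, t in events if ip in home]
    hits = []
    for kind, ip, t in events:
        if ip in home:
            continue
        if any(abs(t - ht) <= window for ht in home_times):
            hits.append((kind, str(ip), t.strftime("%H:%M")))
    return hits
```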

Gmail Account Breached for Sure
Obviously, at this point we knew his gmail account was breached. We changed his password to a nice 13-character password with the standard upper/lower case letters, numbers, and punctuation. Fortunately, gmail provides a way to sign out all other sessions (thank you Google!). At this point, the breach was closed.

Notification
Lastly, we monitored the IP addresses his gmail account was accessed from, and they continued to come only from my public IP. We emailed his gmail contacts about the issue, warning them not to click on any zorpia emails from him.

Password Policies
This should remind all of us to:

  • Use passwords that contain upper/lower case letters, numbers, and punctuation.
  • I require my family to use fully random characters that do not spell anything.
  • Length of passwords, at least in my opinion, should be 14 characters long for all financial institutions.
  • Passwords can be shorter for sites with less security concern, an online forum perhaps.
  • Never use the same password anywhere else.
  • Use some secure method to record your passwords. There are several online services to help you manage them. Some services use 3-way authentication, which is what I require for my family.
  • Change passwords regularly which is easier to do using one of the online services.

In closing, it would be nice to think that the Internet is a friendly and useful place, and it certainly is. However, security should always be a concern. Hacking techniques constantly evolve, and one needs to keep one's computer/network security infrastructure up to date.

15 comments:

  1. Zorpia has been exceptional working with me to understand, investigate, and resolve this account breach. Thanks Zorpia!

  2. The Zorpia Team supported me superbly investigating this incident. I cannot thank them enough.

    Upon complete investigation, the incident had nothing to do with Zorpia spam nor did Zorpia have anything to do with the gmail account breach. It was purely an incident of the lack of proper parental controls on a child's computer.

    As it turned out, OpenDNS was not blocking zorpia.com in my configuration and the Zorpia account was genuinely created from my public IP. Furthermore, the (Zorpia) user knowingly sent out Zorpia invitations from this gmail account.

    We do know that the gmail account was breached and this was likely due to the lack of proper password management, but I cannot be certain.

    Unfortunately, I did not have enough firewall logging to determine what PC accessed zorpia.com on my home network. An issue that is now corrected.

    This is a good lesson to learn all the facts before posting information. My apologies Zorpia.

    Most respectfully,
    John Clinton

  3. I am surprised at your apologies (!) to Zorpia! Zorpia is a spamming site that hacks your email address book and spams all your contacts. They are a fraudulent site, for all I know.

  4. Pardon the extended delay getting back to you mats. I based my apology on the best information I had at the time. Your comment may very well be true, but I cannot prove it.

    John

  5. It is a spam website. I have received numerous emails from them and never signed up with them, but somehow they got my information. I have reported their emails as spam and still continue to get spam from them. I reported them to their domain provider today, which is GoDaddy.com. If they cannot fix the issue I plan on starting a class action lawsuit against them. Doing a simple Google search for "Zorpia spam" will show that many people are dealing with unsolicited spam from this website. Just wondering if you had any suggestions as to how I can compile a list of other victims so that I can let them know about my actions and get as many people involved in this potential lawsuit so that we can get them shut down for good. Thanks.

    John Bishop

  6. Zorpia lied to you. They "supported" your investigation by feeding you false information about what they do.
    Spammers can concoct some very convincing "but it wasn't us" scenarios, and sites like Zorpia probably do that every day so they can get really good at it.

    The GMail breach was probably an OAuth enabled access (no password required); you need to check all affected Google accounts for enabled apps, and revoke access to the Zorpia one and/or any that you don't know and trust.

  7. How do I "check all affected Google accounts for enabled apps, and revoke access to the Zorpia one?"

  8. For each and every Google account (gmail or not):

    Log in.
    Click on the "Account" link at the top right.
    Click on "Security" in the left column.
    Click on the Edit button after "applications and sites".
    Log out.

    Rinse/wash/repeat.

  9. Zorpia is bad.
    I'm not sure what they get out of it, but they ask people to click on a link for a "secret message" - and that authorizes Zorpia to send spam to the entire address book of the unsuspecting user.

    I have six acquaintances so far who have accidentally invited me - and the invites keep coming.

  10. Wikipedia actually had a great writeup on Zorpia saying they are legit social networking, but they break their own anti-spamming policies by hacking into others' accounts. Good info here, thanks!

  11. The bastards. They hacked me too. I have just 10 mins ago found Yahoo congratulating me for "successfully sharing my Yahoo! information with Zorpia.com" - WTF, I have only just found out who they are.

  12. I got a spam email from Zorpia:

    "MyContactsAlias" left you a private message. Click on the button below to view it:

    There's a button that says [View private message]

    When you click the button you are prompted to login with your google account. I wonder if I was only prompted because I have 2 accounts and I was prompted to select one of the 2. I'm thinking maybe it does not even prompt you if you only have one account.

    "A third party service is requesting permission to access your Google Account.

    In order to authorize a third party service to access your account, you must sign in. "

    Google needs to add another layer of confirmation before a site accesses your contacts.

  13. Screw you crying bitches. Our company, Zorpia, cares only about hijacking your contacts so that we can make a profit dragging them to our sites. This is how it works. What more do you need to know?

  14. I had a row with my girlfriend about her zorpia profile. After calming down and analysing the situation, we noticed that her facebook details were automatically harvested. Her photo and details were on the zorpia website and she received dozens of emails each week. She never allowed for photos to be taken like this and, more disturbingly, the zorpia app on facebook propagates like a virus going through the friends network. If the facebook app platform is set to ON, your information gets used. When switched off, zorpia does not take the information. Zorpia is using this to then activate the zorpia account so that it looks like my girlfriend was frequently on the site. Basically, zorpia makes lots of fictitious accounts by leeching on existing social networks, such as facebook and Google+. After that it keeps the site looking alive by periodically activating the profiles to seem to have an active user base. My girlfriend got the same "I added you.." email from one of her happily married friends who had no idea that her details were used on a website to attract men. All this happened in September 2013. Finally, and of the greatest importance, instead of logging into the account using one of the provided links (using an existing facebook or google account), you can also just type in your email account (unclick the remember my details) and type your email password! Yes, zorpia also harvested the email username that was attached to facebook and the corresponding password of the email address (not necessarily the facebook password). This is an entire breach of privacy and the site is not a bona fide website, but instead uses social network sites to create a large "user base" to then get revenue from advertisers.

  15. Zorpia is a scam website that took over my whole address book. It sends me weird emails.
