My son and I had an interesting security breach this morning with regards to zorpia.com. We detected this when all of his gmail contacts were spammed with email from "invitation at zorpia.com" on his behalf. All of his contacts were spammed multiple times with the same email that was essentially trying to get the recipient to click on links that pointed towards zorpia.com. Let me explain how the events transpired:
Since my son is blocked from zorpia.com via OpenDNS I knew he did not have an account there. We discussed the issue and quickly realized some account of his was breached. At this point, all we knew was the zorpia spam was sent to me and my wife. Shortly thereafter, my son received a forwarded zorpia email from his grandfather asking about it.
zorpia.com email getting sent to his gmail contacts
At this point, we knew for sure it was something to do with his gmail account. Since his password was "tight" at 9+ characters including punctuation characters, it was hard to believe someone cracked his password. Especially since it was used nowhere else. I asked him if he had recently used a friend's computer to access his gmail account and he had not. He did mention he brought his Mac over to his friend's house and they ran an "open" wifi network (shame on them). Since my son has a Mac, the open wifi did not raise immediate concerns. I have his Mac buttoned up with ssh key authorization only. We then ran a Norton scan on his Mac and it was clean. His USB sticks were also scanned and were clean. Home network scans on all home computers were also clean.
My home network firewall (FreeBSD/IPFilter) is fully logged and very tight. I ran some reports on the logs and nothing jumped out at me. I actually put all log entries into mysql making searching through firewall data very easy.
Gmail Account Access Details
Lastly, I asked him to look at the bottom of his gmail page and look at what IP addresses were used to access his account. I have a static IP address at home so there should really just be my public IP address listed since his Mac rarely leaves our house. To our shock, the IP addresses were coming from several addresses. I ran a few "whois" and most IP addresses pointed to the amazon clouds. However, some were starting to show up from Japan in near real time.
Gmail Account Breached for Sure
Obviously, at this point we knew his gmail account was breached. We changed his password to a nice 13 character password with the standard upper/lower case letters, numbers, and punctuation. Fortunately, gmail provides a way to sign out all other sessions (thank you google!). At this point, the breach was closed.
Lastly, we monitored the IP addresses his gmail account was accessed from and it continued to just remain from my public IP. We emailed his gmail contacts about the issue warning them not to click on any zorpia emails from him.
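The check described above (compare every address in Gmail's "Last account activity" table against the one home address that should be there) and the follow-up monitoring are easy to script once the table is pasted into a file. The example below is added here and is not part of the original post; the activity lines are constructed in the shape of that table and use RFC 5737 documentation addresses, and the home address 203.0.113.10 is an assumed stand-in for the author's static IP.

```python
import ipaddress
from datetime import datetime

# Constructed sample in the shape of Gmail's "Last account activity" table:
# access type, source IP, timestamp (tab-separated). The addresses are taken
# from the RFC 5737 documentation ranges and are not real sessions.
SAMPLE_ACTIVITY = """\
Browser\t203.0.113.10\t2011-05-14 07:55
Mobile\t203.0.113.10\t2011-05-14 08:12
Browser\t198.51.100.23\t2011-05-14 08:40
Browser\t198.51.100.77\t2011-05-14 09:02
IMAP\t192.0.2.200\t2011-05-14 09:15
Browser\t203.0.113.10\t2011-05-14 09:30
"""

# The household's static public address (assumed value). A /32 because the
# author expects exactly one address to ever appear in the table.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.10/32")]


def parse_activity(text):
    """Turn the pasted activity table into a list of session records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        access_type, ip, when = line.split("\t")
        records.append({
            "type": access_type,
            "ip": ipaddress.ip_address(ip),
            "when": datetime.strptime(when, "%Y-%m-%d %H:%M"),
        })
    return records


def is_trusted(ip, trusted=TRUSTED_NETWORKS):
    """True if the address falls inside any of the expected networks."""
    return any(ip in net for net in trusted)


def foreign_sessions(records, trusted=TRUSTED_NETWORKS):
    """Sessions whose source address is outside every trusted network."""
    return [r for r in records if not is_trusted(r["ip"], trusted)]


def summarize(records, trusted=TRUSTED_NETWORKS):
    """Per foreign IP: session count and first/last time seen."""
    seen = {}
    for r in foreign_sessions(records, trusted):
        key = str(r["ip"])
        entry = seen.setdefault(key, {"count": 0, "first": r["when"], "last": r["when"]})
        entry["count"] += 1
        entry["first"] = min(entry["first"], r["when"])
        entry["last"] = max(entry["last"], r["when"])
    return seen


if __name__ == "__main__":
    recs = parse_activity(SAMPLE_ACTIVITY)
    for ip, info in summarize(recs).items():
        print(f"{ip}: {info['count']} session(s), {info['first']} .. {info['last']}")
```

Running it against the sample flags the three non-home addresses; running it again after the password change and the "sign out all other sessions" step should produce an empty summary, which is exactly the condition the author watched for afterwards. Anyone whose ISP hands out dynamic addresses would put their ISP's prefix in TRUSTED_NETWORKS instead of a /32.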
This should remind all of us to:
- Use passwords that contain upper/lower case letters, numbers, and punctuation.
- I require my family to use fully random characters that do not spell anything.
- Length of passwords, at least in my opinion, should be 14 characters long for all financial institutions.
- Passwords can be shorter for sites with less security concerns, online forum perhaps.
- Never use the same password anywhere.
- Use some secure method to record your passwords. There are several online services to help you manage them. Some services use 3 way authentication which is what I require for my family.
- Change passwords regularly which is easier to do using one of the online services.
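A small script that follows the rules in the list above (mixed character classes, fully random so it spells nothing, 14 characters for important accounts and shorter where the author allows it) is shown below. It is an added example, not something from the original post; the class names and the default length of 14 are taken from the list, and the `secrets` module is used because the standard `random` generator is not suitable for passwords.

```python
import secrets
import string
from random import SystemRandom

# The four classes the author asks for; every generated password draws at
# least one character from each.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "punct": string.punctuation,
}
ALPHABET = "".join(CLASSES.values())


def meets_policy(password, min_length=14):
    """True if the password is long enough and contains every class."""
    if len(password) < min_length:
        return False
    return all(any(c in chars for c in password) for chars in CLASSES.values())


def generate_password(length=14):
    """Random password of the given length containing all four classes."""
    if length < len(CLASSES):
        raise ValueError("length must allow one character per class")
    # One guaranteed character per class, then fill the rest from the whole
    # alphabet, all chosen with a CSPRNG (secrets / SystemRandom).
    chars = [secrets.choice(chars) for chars in CLASSES.values()]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    SystemRandom().shuffle(chars)  # so the class-guaranteed characters are not always first
    return "".join(chars)


if __name__ == "__main__":
    print("financial (14):", generate_password(14))
    print("forum (9):     ", generate_password(9))
```

`meets_policy` doubles as a check for passwords chosen by hand: a dictionary word with a digit appended fails it, and the shorter forum-style password from the list passes only when called with a lower `min_length`.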
In closing, it would be nice to think that the Internet is a friendly and useful place and it certainly is. However, security should always be a concern. Hacking techniques constantly evolve and one needs to stay up to date on their computer/network security infrastructure.