Sunday, January 2, 2011

Gmail Account Security Breach - zorpia spam

Received zorpia.com spam
My son and I had an interesting security breach this morning with regards to zorpia.com.  We detected this when all of his gmail contacts were spammed with email from "invitation at zorpia.com" on his behalf.  All of his contacts were spammed multiple times with the same email that was essentially trying to get the recipient to click on links that pointed towards zorpia.com.  Let me explain how the events transpired:

OpenDNS
Since my son is blocked from zorpia.com via OpenDNS I knew he did not have an account there.  We discussed the issue and quickly realized some account of his was breached.  At this point, all we knew was the zorpia spam was sent to me and my wife.  Shortly thereafter, my son received a forwarded zorpia email from his grandfather asking about it.

zorpia.com email getting sent to his gmail contacts
At this point, we knew for sure it was something to do with his gmail account.  Since his password was "tight" at 9+ characters including punctuation characters, it was hard to believe someone cracked his password.  Especially since it was used nowhere else.  I asked him if he had recently used a friend's computer to access his gmail account and he had not.  He did mention he brought his Mac over to his friend's house and they ran an "open" wifi network (shame on them).  Since my son has a Mac, the open wifi did not raise immediate concerns.  I have his Mac buttoned up with ssh key authorization only.  We then ran a Norton scan on his Mac and it was clean.  His USB sticks were also scanned and were clean.  Home network scans on all home computers were also clean.

Firewall Check
My home network firewall (FreeBSD/IPFilter) is fully logged and very tight.  I ran some reports on the logs and nothing jumped out at me.  I actually put all log entries into mysql making searching through firewall data very easy.

Gmail Account Access Details
Lastly, I asked him to look at the bottom of his gmail page and look at what IP addresses were used to access his account.  I have a static IP address at home so there should really just be my public IP address listed since his Mac rarely leaves our house.  To our shock, the IP addresses were coming from several addresses.  I ran a few "whois" and most IP addresses pointed to the amazon clouds.  However, some were starting to show up from Japan in near real time.
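
The check described above (every access should come from one known static IP) can be run over a saved activity list. The Python below is an added example, not part of the original post; the CSV layout, the function name and the documentation-range addresses are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample: access type, source IP, time. The layout is an assumption,
# and every address is from the RFC 5737 documentation ranges.
SAMPLE_ACTIVITY = """\
Browser,198.51.100.7,2011-01-02 07:58
Browser,203.0.113.45,2011-01-02 08:03
IMAP,203.0.113.45,2011-01-02 08:04
Browser,198.51.100.7,2011-01-02 08:10
Browser,192.0.2.200,2011-01-02 08:12
Browser,not-an-ip,2011-01-02 08:13
"""

def review_activity(text, expected_networks):
    """Return (unexpected, malformed): per-IP summaries of accesses from outside
    the expected networks, and the rows that could not be parsed."""
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    unexpected = defaultdict(lambda: {"count": 0, "first": None, "last": None, "types": set()})
    malformed = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            access_type, ip_text, when_text = (f.strip() for f in line.split(","))
            ip = ipaddress.ip_address(ip_text)
            when = datetime.strptime(when_text, "%Y-%m-%d %H:%M")
        except ValueError:
            # Keep unparseable rows for manual review instead of dropping them silently.
            malformed.append(line)
            continue
        if any(ip in net for net in nets):
            continue  # access from a known location (e.g. the home static IP)
        entry = unexpected[str(ip)]
        entry["count"] += 1
        entry["types"].add(access_type)
        entry["first"] = when if entry["first"] is None else min(entry["first"], when)
        entry["last"] = when if entry["last"] is None else max(entry["last"], when)
    return dict(unexpected), malformed

if __name__ == "__main__":
    # 198.51.100.7 stands in for the home static IP.
    unexpected, malformed = review_activity(SAMPLE_ACTIVITY, ["198.51.100.7/32"])
    for ip, info in sorted(unexpected.items(), key=lambda kv: kv[1]["first"]):
        print(f"{ip}: {info['count']} accesses via {sorted(info['types'])}, "
              f"{info['first']} to {info['last']}")
    for row in malformed:
        print("unparsed row:", row)
```

Any address it reports is a reason to sign out other sessions and change the password, as the next section does.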

Gmail Account Breached for Sure
Obviously, at this point we knew his gmail account was breached.  We changed his password to a nice 13 character password with the standard upper/lower case letters, numbers, and punctuation.  Fortunately, gmail provides a way to sign out all other sessions (thank you google!).  At this point, the breach was closed.

Notification
Lastly, we monitored the IP addresses his gmail account was accessed from and it continued to just remain from my public IP.  We emailed his gmail contacts about the issue warning them not to click on any zorpia emails from him.

Password Policies
This should remind all of us to:

  • Use passwords that contain upper/lower case letters, numbers, and punctuation.
  • I require my family to use fully random characters that do not spell anything.
  • Length of passwords, at least in my opinion, should be 14 characters long for all financial institutions.
  • Passwords can be shorter for sites with less security concerns, online forum perhaps.
  • Never use the same password anywhere.
  • Use some secure method to record your passwords.  There are several online services to help you manage them.  Some services use 3 way authentication which is what I require for my family.
  • Change passwords regularly which is easier to do using one of the online services.

In closing, it would be nice to think that the Internet is a friendly and useful place and it certainly is.  However, security should always be a concern.  Hacking techniques constantly evolve and one needs to stay up to date on their computer/network security infrastructure.

36 comments:

  1. Zorpia has been exceptional working with me to understand, investigate, and resolve this account breach. Thanks Zorpia!

  2. The Zorpia Team supported me superbly investigating this incident. I cannot thank them enough.

    Upon complete investigation, the incident had nothing to do with Zorpia spam nor did Zorpia have anything to do with the gmail account breach. It was purely an incident of the lack of proper parental controls on a child's computer.

    As it turned out, OpenDNS was not blocking zorpia.com in my configuration and the Zorpia account was genuinely created from my public IP. Furthermore, the (Zorpia) user knowingly sent out Zorpia invitations from this gmail account.

    We do know, that the gmail account was breached and this was likely due to the lack of proper password management but I cannot be certain.

    Unfortunately, I did not have enough firewall logging to determine what PC accessed zorpia.com on my home network. An issue that is now corrected.

    This is a good lesson to learn all the facts before posting information. My apologies Zorpia.

    Most respectfully,
    John Clinton

  3. I am surprised at your apologies(!) to Zorpia! Zorpia is a spamming site who hacks your email address book and spams all your contacts. They are a fraudulent site, for all I know.

  4. Pardon the extended delay getting back to you mats. I based my apology on the best information I had at the time. Your comment may very well be true, but I cannot prove it.

    John

  5. It is a spam website. I have received numerous emails from them and never signed up with them, but somehow they got my information. I have reported their emails as spam and still continue to get spam from them. I reported them to their domain provider today, which is GoDaddy.com. If they cannot fix the issue I plan on starting a class action lawsuit against them. Doing a simple Google search for "Zorpia spam" will show that many people are dealing with unsolicited spam from this website. Just wondering if you had any suggestions as to how I can compile a list of other victims so that I can let them know about my actions and get as many people involved in this potential lawsuit so that we can get them shut down for good. Thanks.

    John Bishop

    Replies
    1. John, our office manager's PC was apparently hacked somehow by Zorpia and now all of the folks in our company (from her address list) are receiving emails, "private messages" and "invitations" from her. This definitely is the result of Zorpia hacking in and stealing address lists, and then using them to expand their network of folks who have been hacked (getting THEIR address lists too). - Jim (Our website is www.amastershands.com so you can reach us that way.)

  6. Zorpia lied to you. They "supported" your investigation by feeding you false information about what they do.
    Spammers can concoct some very convincing "but it wasn't us" scenarios, and sites like Zorpia probably do that every day so they can get really good at it.

    The GMail breach was probably an OAuth enabled access (no password required); you need to check all affected Google accounts for enabled apps, and revoke access to the Zorpia one and/or any that you don't know and trust.

  7. How do I "check all affected Google accounts for enabled apps, and revoke access to the Zorpia one?"

  8. For each and every Google account (gmail or not):

    Log in.
    Click on the "Account" link at the top right.
    Click on "Security" in the left column.
    Click on the Edit button after "applications and sites".
    Log out.

    Rinse/wash/repeat.

  9. Zorpia is bad.
    I'm not sure what they get out of it, but they ask people to click on a link for a "secret message" - and that authorizes Zorpia to send spam to the entire address book of the unsuspecting user.

    I have six acquaintances so far who have accidentally invited me - and the invites keep coming.

  10. Wikipedia actually had a great writeup on Zorpia saying they are legit social networking but they break their own anti-spamming policies by hacking into others' accounts... good info here, thanks!

  11. The bastards. They hacked me too. I have just 10 mins ago found yahoo congratulating me for "successfully sharing my Yahoo! information with Zorpia.com" - WTF I have only just found out who they are.

  12. I got a spam email from Zorpia:

    "MyContactsAlias" left you a private message. Click on the button below to view it:

    There's a button that says [View private message]

    When you click the button you are prompted to login with your google account. I wonder if I was only prompted because I have 2 accounts and I was prompted to select one of the 2. I'm thinking maybe it does not even prompt you if you only have one account.

    "A third party service is requesting permission to access your Google Account.

    In order to authorize a third party service to access your account, you must sign in. "

    Google needs to add another layer of confirmation before a site accesses your contacts.

  13. I had a row with my girlfriend about her zorpia profile. After calming down and analysing the situation, we noticed that her facebook details were automatically harvested. Her photo and details were on the zorpia website and she received dozens of emails each week. She never allowed for photos to be taken like this and more disturbingly, the zorpia app on facebook propagates like a virus going through the friends network. If the facebook app platform is set to ON, your information gets used. When switched off, zorpia does not take the information. Zorpia is using this to then activate the zorpia account so that it looks like my girlfriend was frequently on the site. Basically, zorpia makes lots of fictitious accounts by leeching on existing social networks, such as facebook and google+. After that it keeps the site looking alive by periodically activating the profiles to seem to have an active user base. My girlfriend got the same "I added you.." email from one of her happily married friends who had no idea that her details were used on a website to attract men. All this happened in September 2013. Finally, and of the greatest importance, instead of logging into the account using one of the provided links (using existing facebook or google account), you can also just type in your email account (unclick the remember my details) and type your email password! Yes, zorpia also harvested the email username that was attached to facebook and the corresponding password of the email address (not necessarily the facebook password). This is an entire breach of privacy and the site is not a bona fide website, but instead uses social network sites to create a large "user base" to then get revenue from advertisers.

  14. zorpia is a scam website that took over my whole address book. It sends me weird emails

  15. I got an email alert from Zorpia that they had a private message for me from a friend I have not seen in quite awhile. I was immediately suspicious and did not attempt to view the message or do anything but delete the email. Now my yahoo mail shows that friend's name superimposed over my own name and email address on all of my incoming mail. In addition it looks at times as if my outgoing emails are being CC'd to my old friend. Weird...

    Replies
    1. I got the same email today, and am going through my system and changing everything. Scanning all with McAfee. Never been to their site, nor any to associate with them. And I do not use Facebook, so that means they have hacked my information. Because I sure didn't put it out there for them to have, nor harvest. Put them on the block address lists on everything you have, especially your email live scanning anti-virus programs. Such as Norton, McAfee, etc. they all have the live email scan and option of blocked emails, or any contact from those sites, etc. If you don't then good luck.

  16. Thank god for this blog!

  17. My son got this last night. Opened an email from one of his friends who had fallen into the same trap. What then happens is it uses your authorizing its use of an account you have as an app (e.g. it becomes an app that you log into via your google or facebook). That gives it access to your friends or contacts and it starts to email them. And so it goes, spreading its roots through your network. What to do? (1) disable its access to the apps it is authorized to use, (2) change your passwords, (3) set up a filter to delete (or file away) any mail you get from Zorpian. And you will get plenty. And they make it hard for you to disable your Zorpian account because in order to access it, you have to give them access to the same asset they exploited in the first instance to start contacting your contacts. So don't do that!

  18. Are you a troll account?
