Friday, September 26, 2008


Dammit, someone managed to hack into a couple of my accounts. On the plus side, I was watching them as they did it, so I was able to stem the problem very quickly (within a few minutes), but dang... they're fast. They managed to create ~$400 in fraudulent PayPal charges in the span of 5 minutes. (I was on the phone with PayPal as they did were still fumbling about, in fact.)

I'm still at a loss as to how they accomplished this. I do know that I received an e-mail which caused GMail to spaz out -- text was flowing outside of the places it was supposed to be (so they probably found yet another XSS vulnerability in GMail) and attempting to view this e-mail caused the page to spend a long time loading (i.e., it was phoning home, probably with my GMail login cookie).

However, this doesn't explain how they were able to get into my PayPal account. The only thing I can think of is a keystroke logger, but it's not like I typed any passwords in those 5 minutes. That, or they managed to get into my saved passwords in Firefox (though I don't think I saved my PayPal password in there for this very reason). I guess I'll find out on Monday when I bring my laptop in forensic analysis.

In the meantime, I had my work account locked down (which I highly doubt was accessed, but this is still the prudent measure to take) and managed to change all of my other passwords within 30 minutes, all without incident; this means they probably didn't get at anything else.

The attack itself was quite sophisticated. Not only was it generating PayPal charges as fast as possible, it would intercept and delete the PayPal confirmation e-mails which showed up. I got glimpses of the subject lines and actually managed to click on one (and confirm, to my horror, that it was draining money from my real bank account), but they were being deleted not long thereafter.

Google, incidentally, is of no help here (even though I'm paying $50/year for their "premier" edition of GMail). I called their emergency number only to be told that their offices are closed until Monday morning.


No comments: