Gmail – Can a virus access Gmail contacts

gmail hacked spam-prevention

My contacts have recently been receiving spam emails from my Gmail address. I am quite certain it is my Gmail contacts (one address is a craigslist response address that I once used). So it would appear my contact list has been accessed in some way.

But I am also fairly certain that the emails are not originating from my Gmail account. I've written an SMTP client, so I know how easy it is to spoof the "from" address, and my Spam folder has several bounces of emails that were "from" me, but were not sent using a Gmail server.

There have been no recent unusual accesses to my account, according to the lists Google provides.

I recently changed my password to something I believe to be quite secure (in response to the Heartbleed thing). I don't use any mail clients to access my Gmail accounts.

All this adds up to a few possibilities:

  1. My account was compromised before I changed my password, but no one bothered to use it until now.
  2. My account is currently compromised, but the spammer is using a different account to send emails, while still bothering to spoof me (seems unlikely?).
  3. A computer on which I was logged into my Gmail account was compromised, and an automated attacker obtained my contacts list from that, somehow.

So I'm wondering how likely possibility 3 is. If such a thing is possible, that would seem to be the most likely method used, based on the above evidence. But I am open to other explanations as well.

Edited to add: I should mention, also, that none of my settings have been changed, and that nothing shows up in my sent folder (though I know that's not necessarily informative).

Best Answer

@david, I'll rephrase your question:

  • How did someone get access to my contacts?
  • Do they still have access?

@Al E. made some great suggestions about how the attacker may have originally accessed your contacts. Many apps and extensions have broad permissions that could put you at risk if one of those third parties is infiltrated, compromised, or just plain malicious. You should certainly carefully review your data exposure to those third parties. Or it may have been a virus (especially a keylogger) on a computer that you signed into at some point.

To the second question, I doubt the attacker still has access. The recent nature of the sent spam emails could be coincidental, and doesn't necessitate an ongoing compromise. However the attacker originally obtained your contact list, he may have saved an offline copy, allowing him to send spoofed emails even if he lost access to your account after you changed your password.

So a third question presents itself - what should you do now?

  1. Turn on 2-step verification for your Google account to prevent future compromises. Even if the attacker is using a keylogger, each 2-step code can only be used once. This will make your account far more secure.
  2. Run antivirus scans on the computers where you regularly log in, just in case (a little paranoia never hurt anyone).
  3. Using the email headers (and optionally, MXToolbox's very useful SMTP parser), determine if the source IP addresses that the spammer is using are on a spam blacklist. If they are, many of the messages probably aren't making their way to your contacts. Sigh with relief.
  4. File a case with Google (see here for details) so they can investigate the issue.
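The header check in step 3, sketched as an added example (not part of the original answer): it reads the `Received` chain of a spoofed message, takes the IP recorded by a receiving server you trust, and builds the DNSBL query name for it. The sample headers, host names and the `trusted_by` parameter are constructed assumptions; the blacklist zone is whichever list you choose to query.

```python
import email
import ipaddress
import re
import socket

# Constructed sample headers (RFC 5737 documentation addresses, made-up hosts).
# The "from mail.google.com" name is sender-claimed; only the IP was observed.
SAMPLE = (
    "Received: from mx.recipient.example ([198.51.100.7])\n"
    "\tby inbox.recipient.example with ESMTP; Mon, 5 May 2014 10:00:02 +0000\n"
    "Received: from mail.google.com ([203.0.113.45])\n"
    "\tby mx.recipient.example with SMTP; Mon, 5 May 2014 10:00:01 +0000\n"
    "Received: from [192.168.1.20] by mail.google.com with HTTP; Mon, 5 May 2014 10:00:00 +0000\n"
    "From: david@gmail.com\n"
    "Subject: hi\n\nbody\n"
)

INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_HOST = re.compile(r"\bby\s+([^\s;]+)")

def hops(raw):
    """Yield (stamping_host, peer_ip) per Received header, newest first."""
    for value in email.message_from_string(raw).get_all("Received", []):
        by = BY_HOST.search(value)
        for text in BRACKETED_IP.findall(value):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:
                continue  # not a valid IPv4 address, e.g. 999.1.1.1
            if not any(ip in net for net in INTERNAL):
                yield (by.group(1).lower() if by else None, str(ip))

def origin_ip(raw, trusted_by):
    """IP that connected to `trusted_by`; headers below that hop are sender-controlled."""
    return next((ip for by, ip in hops(raw) if by == trusted_by.lower()), None)

def dnsbl_name(ip, zone):
    """DNSBL query name: IPv4 octets reversed, followed by the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def is_listed(ip, zone):
    """Needs network access: a listed address resolves to a 127.x.x.x answer."""
    try:
        return socket.gethostbyname(dnsbl_name(ip, zone)).startswith("127.")
    except socket.gaierror:
        return False
```

`origin_ip(SAMPLE, "mx.recipient.example")` gives the address the recipient's mail server actually saw, which is the one to look up; the `Received` line beneath it was supplied by the sender and proves nothing.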