David Airey is a popular logo designer, and is even better known for his blogging at DavidAirey.com. He uses the blog as a platform to attract potential clients, and has done so successfully enough to quit his day job and become a full-time logo designer. He is also known for the active community of fellow bloggers and designers that frequent his site.
A fine vacation to the beaches and coasts of India turned into a nightmare for David. His Gmail account and his domain registrar account were hacked and accessed. Long story short, David lost his prized domain davidairey.com (I am not linking to it because it is in the hands of the cyber-squatter), into which he had invested considerable time and effort.
The victim visits a page while logged into Gmail. Upon execution, the page performs a multipart/form-data POST to one of the Gmail interfaces and injects a filter into the victim's filter list. In the example above, the attacker writes a filter that simply looks for emails with attachments and forwards them to an address of their choice. This filter then automatically transfers every email matching the rule.
Thus, the hack silently makes its way into Gmail's much-hyped filter and label system, and quietly forwards or deletes any mail that matches the set criteria. This can be used to pull out specific details, like passwords, credit card details and other valuable information. The technique is known as CSRF (cross-site request forgery): the browser attaches the victim's Gmail session cookie to the forged POST, so the server cannot tell it apart from a request the user made on purpose.
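The defence against this class of attack lives on the server: a state-changing request such as "create filter" must carry proof that it came from the site's own page, not merely a session cookie, which the browser sends automatically. The following added example (my illustration, not Gmail's code or anything from David's post) shows the two standard checks: a per-session CSRF token that a cross-site page cannot read, and an Origin/Referer check that rejects requests originating elsewhere. The host name, secret and form fields are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed placeholders: a real deployment loads the secret from its
# configuration and compares against its own hostname.
SERVER_SECRET = b"constructed-server-secret-do-not-reuse"
TRUSTED_SCHEME = "https"
TRUSTED_HOST = "mail.example.com"  # hypothetical mail host


def issue_csrf_token(session_id: str) -> str:
    """Derive a per-session token and embed it in forms the site renders.

    A page on another origin cannot read this value (same-origin policy),
    so a forged multipart POST cannot include it.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _same_origin(url: str) -> bool:
    """Compare scheme and host exactly; a prefix check would accept
    'https://mail.example.com.evil.example'."""
    parts = urlsplit(url)
    return (parts.scheme, parts.netloc) == (TRUSTED_SCHEME, TRUSTED_HOST)


def is_request_allowed(headers: dict, form: dict, session_id: str) -> tuple:
    """Decide whether a state-changing request (e.g. 'create filter') is accepted.

    headers: HTTP request headers; form: parsed form fields;
    session_id: taken from the (automatically sent) session cookie.
    Returns (allowed, reason).
    """
    origin = headers.get("Origin") or headers.get("Referer", "")
    if not _same_origin(origin):
        return False, "cross-site origin"
    token = form.get("csrf_token", "")
    expected = issue_csrf_token(session_id)
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(token, expected):
        return False, "missing or invalid csrf token"
    return True, "ok"


def demo():
    """Run a forged request and a genuine one through the checks."""
    sid = "sess-" + secrets.token_hex(4)
    # Constructed forged request: the cookie rides along, but the attacker's
    # page neither knows the token nor can set a first-party Origin header.
    forged = is_request_allowed(
        {"Origin": "https://evil.example"},
        {"filter_forward_to": "someone@example"},
        sid,
    )
    # Constructed legitimate request submitted from the site's own form.
    genuine = is_request_allowed(
        {"Origin": "https://mail.example.com"},
        {"csrf_token": issue_csrf_token(sid)},
        sid,
    )
    return forged, genuine


if __name__ == "__main__":
    print(demo())
```

The token check is the one that matters; the origin check is defence in depth for browsers that send an Origin header, and it falls back to Referer, which some clients strip. Either check alone would already have blocked the filter-injection POST described above, because the forged request carries only the cookie.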
Thus, David has now lost a domain worth far more than money (his business hinges on it), and has to take the matter to court for any hope of recovering it, at a minimum cost of $1500. Even that grants him no guarantees, and you can see my comment along those lines here. His blog has also been moved to davidairey.co.uk, though the feed address remains the same.
David was approached by the hacker with an offer to return the domain for $650, later reduced to $250. Apparently the hacker is feeling the heat, and knows the domain is useless to anyone other than its real owner.
History repeats itself
This is not the first time that Gmail has been hacked. History repeats itself, they say, and how true! Being hacked once is acceptable, but twice and beyond is outright unacceptable. I recommend that you move all account login details and other valuable information to another mail service, or better yet, offline. I am contemplating a move to Live Mail, since I have the same username on both Live and Gmail. I love the Gmail interface and usability, but sometimes safety cuts through it all.
Should I switch to Gmail? And more importantly, would you switch to Gmail now that you’ve heard this frightening piece of information?