No one is safe: My GMail account was compromised

So, it finally happened. My Gmail account was compromised, despite all my best efforts, which included the following:

  • I don't click on links in emails
  • I keep my OS and other software up to date
  • I don't enter my passwords on any computer that is not my own
  • All of my passwords use both letters and numbers
  • I use Firefox with Adblock Plus... MOST of the time.

That last item may have been my downfall. I've been using IE, Safari, and Chrome for various reasons recently: usually to see how one of the websites that I am developing displays in those browsers, but I also use them occasionally to view Google search results (to see the rankings of the websites that we're in charge of SEO for, since on Firefox, I have Web History enabled). I also very recently loaded up Chrome just to play Robot Unicorn Attack, because Chrome is a little faster than Firefox. :(

I know that Chrome has Adblock available for it, and I thought I had it installed, but I still saw ads when I went to play the game.

Another concerning thing is that recently, in Firefox, I remember seeing a Groupon ad even though I have Adblock Plus enabled. I gave the ad a funny look at the time, but didn't bother to look further into it since Groupon isn't shady. Maybe I should have :(.

My other downfall is that even though I KNOW it's a horrible thing to do, I use the same password pretty much everywhere I go. I just never took the time to figure out a system that would make it easy to make and remember unique passwords for each website. It was one of those things that I would do "eventually" and just never got around to doing.

So I might have been infected via an ad. I might have been infected by using the same password in too many places. I may have even been infected via my Droid X somehow, since I log into my Google Account on it.

I was first alerted that something was amiss when I received an email from myself, with my work signature. Immediately I knew something was wrong. I started getting some "mail failure notifications" as my hacker attempted to send emails to people in my address book whose emails either no longer exist, were typed in incorrectly, or just were smart enough to block my spam.

I quickly changed my Gmail password on my MacBook, which I figured had to be cleaner than my PC, but the spam emails kept being sent. I finally remembered that Gmail has a tool where you can kick off everyone who's logged into your account. I quickly did that and the emails stopped, and I changed my password a second time, from a different computer that I was 99% sure was clean.

Now it was time for the cleaning. I downloaded and installed MalwareBytes, and set it to do a full scan of both my hard drive and the USB drive that is connected to it. While the scan did its thing, I started changing passwords to a bunch of my online accounts. I got about four or five accounts done when I realized that I REALLY REALLY needed to come up with a system of unique passwords for each website (I was changing all of the accounts to the exact same password).

I finally came up with a system and started changing all the passwords again. I got to my WoW password, which wouldn't let me change it to my new, unique one because WoW only allows certain special characters in passwords. Bad, bad Blizzard! So my WoW password is a special snowflake from all of my other passwords.

MalwareBytes finally finished its full scan an hour later and found 0 infections. No!! I wanted it so badly to find something so that I could work on getting it clean. I sent frantic messages to Rob, who is away on a Knights of Columbus retreat this weekend. He had me download and run TDSSKiller and ComboFix.

TDSSKiller claimed it found one infection, but when I researched the name of the program, it turned out to be Daemon Tools, which is harmless. Rob told me to kill off the process anyway, but there wasn't any option to do so.

I couldn't get ComboFix to run at first. It was complaining that it only supports Win32. Rob managed to remote in and get it to run, though. Not sure what he did to get it to run. I am not sure what ComboFix found just yet -- I am waiting to check back with Rob, hopefully tomorrow, so he can analyze the log and tell me what it says.

I learned a few lessons from this ordeal, though.

The first: use unique passwords! I may have had my Gmail account compromised because another site that I used the same password on was compromised. If I don't find any malware, this might be what happened (but I doubt it; I strongly suspect malware).
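The two password problems above (one password reused everywhere, and a site that rejects most special characters, as happened with the WoW account) can both be handled by generating a fresh random password per site and checking it against that site's allowed character set. The following is an added example and not the author's own "system"; the site rules, the sample vault, and the restricted symbol set are constructed for illustration (the real Blizzard rules are not known from the post), and it shows both the reuse check and the per-site generator:

```python
import secrets
import string
from math import log2

# Constructed per-site rules (assumption, not any real site's policy).
# "restricted-symbols-site" stands in for a site that only accepts a few
# special characters; its symbol list here is invented for the example.
SITE_RULES = {
    "default": {"length": 20, "symbols": "!@#$%^&*()-_=+[]{};:,.<>?"},
    "restricted-symbols-site": {"length": 16, "symbols": "!#$%&"},
}


def _rule_for(site, rules):
    return rules.get(site, rules["default"])


def _alphabet(rule):
    return string.ascii_letters + string.digits + rule["symbols"]


def generate_password(site, rules=SITE_RULES):
    """Random password from the site's allowed alphabet, using the OS CSPRNG.

    Rejects (and redraws) any candidate missing a lowercase letter, an
    uppercase letter, a digit, or one of the site's allowed symbols, so the
    result also satisfies the usual "at least one of each class" rules.
    """
    rule = _rule_for(site, rules)
    alphabet = _alphabet(rule)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(rule["length"]))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in rule["symbols"] for c in pw)):
            return pw


def password_is_allowed(pw, site, rules=SITE_RULES):
    """True if every character is in the site's alphabet and the length matches."""
    rule = _rule_for(site, rules)
    allowed = set(_alphabet(rule))
    return len(pw) == rule["length"] and all(c in allowed for c in pw)


def entropy_bits(site, rules=SITE_RULES):
    """Bits of entropy for a uniformly random password under the site's rule."""
    rule = _rule_for(site, rules)
    return rule["length"] * log2(len(_alphabet(rule)))


def find_reused_passwords(vault):
    """Return groups of sites (sorted) that share the same password."""
    by_password = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


def rotate_reused(vault, rules=SITE_RULES):
    """Give every site in a reuse group a new, site-specific random password."""
    new_vault = dict(vault)
    for group in find_reused_passwords(vault):
        for site in group:
            new_vault[site] = generate_password(site, rules)
    return new_vault


if __name__ == "__main__":
    # Constructed sample vault: the same password on three accounts.
    vault = {
        "gmail": "hunter2",
        "restricted-symbols-site": "hunter2",
        "work-mail": "hunter2",
        "blog": "a-different-one",
    }
    print("reused on:", find_reused_passwords(vault))
    rotated = rotate_reused(vault)
    for site, pw in rotated.items():
        print(f"{site:24} allowed={password_is_allowed(pw, site)} "
              f"entropy={entropy_bits(site):.0f} bits")
    print("reused after rotation:", find_reused_passwords(rotated))
```

Because the passwords are random rather than derived from a memorable pattern, they have to live in a password manager; the point of the per-site rule table is that a site with a narrow symbol set gets a password that is still random and still unique, instead of becoming a "special snowflake" that has to be remembered separately.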

The second: keep your Gmail contacts cleaned up! A few of the spam emails were sent out to people not in my contacts, but in Gmail's special list of contacts that it keeps of everyone that you have ever emailed or been emailed by, ever. So I've probably got a couple of folks wondering "Who is this Pam Hardy and why is she sending me spam?"

I went through all 100 of Gmail's "Other Contacts" and added about half of them to my actual address book, and deleted the other half.

The third lesson: ads are evil! Once my computer is somewhat usable, I need to go into IE and Safari and change their default homepages to Google, so that they never have a chance to display an ad to me. I also need to never play Robot Unicorn Attack on anything but Firefox. Also, I need to make sure that Adblock is actually installed and working correctly on Chrome.

This isn't a lesson, but more something I'm thankful for: my WoW account was not compromised. Even though I don't really care for WoW at the moment, if my account info got compromised it would have been a major pain in the neck to get all of my characters' gear restored. So I am grateful that for now, my WoW account is safe.

I never thought this would happen to me, but it did. Right now I feel violated. My life is on my computer, and my computer was violated. I feel icky just thinking about it.