Need some help, someone has hijacked a co-employee's email

Throc

One of my coworker's email accounts has been hijacked. Emails are being sent from her account to people in her address book without her doing anything. I've never had to deal with this before so I was wondering if some of you guys could help out. We're a small office and don't have any dedicated IT specialists. I'm more of a hardware guy so I usually troubleshoot the problems around the office but I don't even know where to start with this one.
 
Change the password to something strong and run antivirus and antimalware software (a tutorial with links to our community's favorite scanners is featured as a stickied topic in the root of this forum). If you find and remove malware, change the password on the account again after the machine is clean.

Edit: I've been ninja'd! :p
 
I already ran Malwarebytes since that was my first reaction. Nothing showed up on the full scan that we ran yesterday. This all started Saturday and she has sent out at least three emails since then that we know about. We've changed the passwords now. I didn't realize her password was actually her last name, which could easily be discerned from her email address. It's changed now so I guess all we can do is wait and see if it happens again.
 
Are you sure it's not spoofed emails? If so changing passwords won't do much.

Are you guys running some kind of mail server? Exchange or whatever or using hosted mail? If so, there should be a way you can tell if the emails are originating from your coworker or if they are spoofed emails.
 
Yeah, what kind of email setup is it?
And are the emails supposedly being sent by somebody else showing up in her Sent Items? This wouldn't necessarily happen if it's a POP3/SMTP setup, but would show up in an Exchange environment.
 
Well, it's been a week and we haven't seen or heard of any more spoof emails coming from her address. It's a bellsouth.net account. It's recently been changed over to Yahoo. I guess AT&T has an agreement with Yahoo or something. She uses Outlook and there wasn't anything in her sent items there or directly logging in to Yahoo. It's been a week though so maybe changing the password fixed the problem.
 
I printed one out last week but misplaced it. She's gone for the day so maybe I can get it tomorrow.
 
If her password was her last name, some bot probably just bruteforced it. This is pretty likely if the machine itself was clean. Time for a good explanation on why proper passwords are necessary!
 
Spoofing email is pretty common. That's why the bigger companies use SPF records...
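
An added example, not part of any post in this thread: one way to answer the spoofed-or-hijacked question raised above is to read the headers of one of the unwanted messages as a recipient received it. The sample messages, the example.com and mailer.invalid domains and the function names are constructed for illustration, and the check assumes the Authentication-Results header was written by the recipient's own mail server.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not taken from the thread).
GENUINE = ("Return-Path: <jane@example.com>\n"
           "Authentication-Results: mx.recipient.example; spf=pass "
           "smtp.mailfrom=jane@example.com\n"
           "From: Jane <jane@example.com>\nSubject: hi\n\nbody\n")
SPOOFED = ("Return-Path: <bounce@mailer.invalid>\n"
           "Authentication-Results: mx.recipient.example; spf=fail "
           "smtp.mailfrom=bounce@mailer.invalid\n"
           "From: Jane <jane@example.com>\nSubject: hi\n\nbody\n")

def domain_of(address):
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(address or "")[1].rpartition("@")[2].lower()

def auth_results(msg):
    """Collect the first spf/dkim/dmarc verdict found in Authentication-Results."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            results.setdefault(method.lower(), verdict.lower())
    return results

def classify(raw):
    """Rough triage of one received message for a personal mailbox."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg["From"])
    envelope_domain = domain_of(msg["Return-Path"])  # envelope sender (MAIL FROM)
    spf = auth_results(msg).get("spf")
    # SPF failure, or an envelope sender on a different domain than the
    # visible From, means the provider's servers did not send this message.
    if spf in ("fail", "softfail") or (envelope_domain and envelope_domain != from_domain):
        return "likely-spoofed"          # a password change will not stop these
    # Sent through the provider under the account's own address:
    # treat the account as compromised and change the password.
    if spf == "pass" and envelope_domain == from_domain:
        return "sent-through-provider"
    return "inconclusive"                # headers missing; get the full source

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(name, "->", classify(raw))
```

A printed copy or a forward usually loses these headers, so the recipient needs to export the original message source.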
 
Having webmail accounts hacked due to weak passwords is commonplace as well. Just got to talk my mom through setting a much more secure password myself after her sbcglobal.net account hosted by Yahoo was compromised.

A friend of my mom's had her account cracked about 2 weeks before that.
 