
Email forwarding script

Posted: Fri Feb 24, 2017 9:44 pm
by Saratoga
Heya guys-n-gals

A friend here in Vanuatu suspects his computer has been compromised.
His wife caught a so-called friend mucking around on his laptop when he was out of the office.
As confirmation of his suspicions, confidential information sent only to me was verbally referred to by a 3rd party.

My question, what and where would I look to investigate if any such forwarding script, or the like, has been installed on his computer?
His email account is with Gmail, so it's not likely any script was uploaded through a cpanel backend.

EDIT* To clarify, I do know about Gmail settings to forward emails. Are there other means to do so I should be looking for??

TIA
Cheers

Posted: Sun Feb 26, 2017 6:59 am
by INKoRP
Hey Dude,

Once a forwarding address has been set up it can be turned into a 'Filter' (without forwarding being turned on in the other screen) and used to send copies of all incoming/outgoing emails to one of those addresses. Check for those Filters maybe? See if there's anything suss there, assuming you haven't already?

Assuming the culprit isn't tech savvy the only other thing I can think of would require username and password knowledge and that would be to use POP/IMAP settings to view the emails using an external app like Outlook etc.

Another way to check for evidence of illicit activity is on the bottom of most pages on the right hand side under the listed Emails, real small is:

Last account activity: 3 minutes ago
Details

Click on "Details" and see if there are any suspicious IPs or times that can be attributed solely to a 3rd party. Maybe something might point out a method/culprit?

I'd also recommend you click "Sign out all other web sessions" and then change password, just in case.

And even if it's temporary, go to the My Account by clicking the profile picture and change the Google accounts settings to include 2 step verification. You'll need a verified mobile with cellular network access (initially) to input a 6 digit code either each login OR it can be set to remember a device for 30 days.

Anything other than that I can't help with without having access to the computer to check for processes and stuff that looks suss, even then they can be well disguised.

I think Blink or Kami would be best poised to help further.