I am going to go ahead and admit it to the internet that I was looking for something quickly last night and did not practice safe searching…. I had multiple tabs open, including my gMail and I was the victim of a cross site scripting attack.
Last night I was looking for a file converter for a document my wife had received from one of her students so that she could open and grade his paper. I had a bunch of tabs open and a google hangout ongoing and did not think to start a new chrome window for my searching, which I typically do. I run chrome extensions like uBlock Origin, and Privacy Badger, and some others. This attack went totally unnoticed to all of the tools I have to monitor my privacy.
When someone notified me I had sent them spam I asked for the view source of the message. It can be found here if anyone is interested. I redacted the email addressees and names,but left the servers and client data present since it is the client data and servers of a spammer, I don’t think they will mind.
In the mean time until I got the above email source data I thought my server where I host linward.net might have been compromised and began scanning it frantically. There were no authentication attempts against it and nothing out of the ordinary in the logs. I changed all passwords on the system and then checked all of the activity on my gmail account. No logins from strange IP addresses and nothing in my sent folder related to the spam activity.
After receiving the header information I was somewhat relieved to see the message was sent from Seoul, Korea using a client claiming to be Outlook 2013. Relieved because I do not live in Korea, nor do I even have a copy of MS Outlook installed on any of my machines especially not 2013.
I wanted to put this out there to see if anyone else had encountered anything like this in their day to day work. It was strange and totally creeped me out, I had not seen an attack like this before in person and I wish I could have isolated the site doing it so I could have notified the host.
It is completely against standard practice for any of us that are even remotely involved in security to admit our mistakes and/or seek assistance form the community. If everyone keeps quiet about every problem that we face, how we will ever make headway against attackers? It is obvious that the attackers are sharing information on tools and attacks. Otherwise we would not see so many copycat scripts and professionally produced malware toolkits out there for download and use to create mayhem. This is me “putting it out there” to everyone else. I was played by a cross-site-scripting attack and I want to inform others so that we can work together on the side of good to combat it and make headway against the attackers. Any suggestions for chrome or other browser extensions to block this kind of attack are welcomed. I can be reached from the contact form on this blog that nobody reads or @lin_ward on twitter.