Here’s 4 things you can check and 1 thing you can’t
An acquaintance was asking about this for a friend. She noticed that emails from one particular source would show up already read in her Inbox. As far as I’m aware, there’s nothing that can happen in delivery to cause that to happen. The concept of ‘read’ or ‘not read’ isn’t an SMTP concept, it’s a mailbox concept.
Checking for signs of shady activity in Gmail
First off, if you’re using Gmail, you’re in luck — it has more tools than most hosted email platforms for detecting and preventing malicious activity.
Potential Culprit #1: Mailbox Automation
The first thing to check is the possibility that there’s nothing shady going on at all. Perhaps there’s a mailbox rule you set up and forgot about? In Gmail, filters are used to set up the equivalent of what Microsoft calls inbox or exchange ‘rules’. You’ll find filters under the Filters and Blocked Addresses tab.
Review the rules there, looking for anything that is marking emails as read, or whatever other action might be making the hair on the back of your neck stand up.
No? Nothing there? Onto the next thing.
Potential Culprit #2: Delegate Access
While we’re in Gmail’s settings, let’s also check delegate access. This only works from another Gmail account, but allows for the option to mark email as ‘read’ if someone else reads it, or to leave it set to ‘unread’. In the latter case, there’d be no indication in your inbox that someone else is reading your email. Delegate access is labeled Grant access to your account and can be found under Accounts and Import.
Up to 10 other accounts can be granted delegate access, each giving the option to mark conversations as read when opened by others, or unread (show no sign that they’ve been accessed).
Potential Culprit #3: Direct Access
Direct access could be someone logging on via a web browser, through IMAP or POP3. This is very difficult to do without alerting someone. I logged into my daughter’s Gmail account to grab some screenshots for this post. She noticed and immediately messaged me about it, which made me a very proud papa 🙂
Google hasn’t messed around here — there are several ways it attempts to alert the user and log events. For example, since I’m a delegate for her account, I received an email about this login as well!
Yet another way to look at who is accessing your Gmail account and how it is being accessed is called Last Account Activity, and in the web-based Gmail app, the link is available at the bottom of the page.
Click ‘details’ on the lower right hand corner, and you will be presented with a log of all Gmail account access activity. In the screenshot below, the browser user agent tells us Google Chrome on a computer running Windows 10 was used to access Gmail. It also lists the source IP address, and the time the access occurred. If you don’t know what your public IP address, you can use a website like IP Chicken to find that out, and compare to this information. Keep in mind, using a VPN service will change the IP address you appear to come from.
Finally, the Recent Security Events page can be reviewed as well for suspicious events.
Potential Culprit #4: API keys
An API key or OAuth token can be as powerful as having your full username, password and second authentication factor (i.e. MFA, 2FA). Google keys tend to be locked down to specific things — you don’t often see access to all Google services from a single key.
In addition, services like IFTTT or Zapier can be used to automate workflows across — like setting an email from a particular sender as ‘read’. Or, in another example: “as soon as the clock hits 5pm, mark all emails as read and move them to the ‘archive’ folder”.
Looking at the screenshot above, Monument Valley is an older game that this user probably hasn’t played in years — that key could probably be revoked. The worst case scenario is typically just that an application will request access again, so it doesn’t hurt to revoke something if we’re not sure why it’s there. Each item removed from a list like this potentially reduces our exposure — the number of points an attacker can use to gain access to our gmail account.
So what can’t you check?
Related to these API keys, one of the problems is that I don’t know of an easy way to verify that 3rd party service is doing what it says it’s doing.
I’d recommend setting a regular reminder once a month or so to check your application permissions, login events and other links listed in this post. If none of these provided that ‘eureka’ feeling that revealed what was causing that uneasy feeling, the next step is to change your email password. Enable multi-factor authentication if you haven’t already. Follow these and other suggestions Google lays out here:
Is there anything I missed? Let us know in the comments!
*** This is a Security Bloggers Network syndicated blog from Savage Security Blog - Medium authored by Adrian Sanabria. Read the original post at: https://blog.savagesec.com/worried-someone-is-accessing-your-gmail-account-1c14e2039e6b?source=rss----8fb937e95e56---4