Detecting suspicious account activity

Wednesday, March 24, 2010 9:15 AM

(Cross-posted from the Gmail Blog)



A few weeks ago, I got an email presumably from a friend stuck in London asking for some money to help him out. It turned out that the email was sent by a scammer who had hijacked my friend's account. By reading his email, the scammer had figured out my friend's whereabouts and was emailing all of his contacts. Here at Google, we work hard to protect Gmail accounts against this kind of abuse. Today we're introducing a new feature to notify you when we detect suspicious login activity on your account.

You may remember that a while back we launched remote sign out and information about recent account activity to help you understand and manage your account usage. This information is still at the bottom of your inbox. Now, if it looks like something unusual is going on with your account, we’ll also alert you by posting a warning message saying, "Warning: We believe your account was last accessed from…" along with the geographic region that we can best associate with the access.


To determine when to display this message, our automated system matches the relevant IP address, logged per the Gmail privacy policy, to a broad geographical location. While we don't have the capability to determine the specific location from which an account is accessed, a login appearing to come from one country and occurring a few hours after a login from another country may trigger an alert.
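The heuristic just described, as an added illustration rather than Google's own code: each login's IP is mapped to a broad region through a constructed prefix table standing in for a GeoIP database, and a login is flagged when its region differs from the previous login's region and it happened within a few hours of it. The prefix table, the sample logins and the six-hour window are assumptions; the real system's threshold and data are not stated in the post.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed prefix-to-region table (documentation ranges) standing in
# for a GeoIP database; like the post's lookup it yields only a broad region.
REGION_TABLE = {
    ip_network("192.0.2.0/24"): "United States (CA)",
    ip_network("198.51.100.0/24"): "United Kingdom",
    ip_network("203.0.113.0/24"): "Australia",
}


def geolocate(ip: str) -> str:
    """Map an IP to a broad region; prefixes outside the table are 'Unknown'."""
    addr = ip_address(ip)
    for net, region in REGION_TABLE.items():
        if addr in net:
            return region
    return "Unknown"


@dataclass(frozen=True)
class Login:
    when: datetime  # time the login was logged
    ip: str         # client address as recorded in the activity log


def suspicious_logins(logins, window=timedelta(hours=6)):
    """Return one warning string per login that comes from a different
    region than the preceding login and falls within `window` of it.

    Logins whose region cannot be resolved are skipped rather than flagged:
    a missing lookup is not evidence of travel in either direction.
    """
    warnings = []
    ordered = sorted(logins, key=lambda entry: entry.when)
    for prev, cur in zip(ordered, ordered[1:]):
        prev_region, cur_region = geolocate(prev.ip), geolocate(cur.ip)
        if "Unknown" in (prev_region, cur_region) or prev_region == cur_region:
            continue
        gap = cur.when - prev.when
        if gap <= window:
            hours = gap.total_seconds() / 3600
            warnings.append(
                f"Warning: We believe your account was last accessed from "
                f"{cur_region} ({cur.ip}) at {cur.when:%Y-%m-%d %H:%M}, "
                f"{hours:.1f} h after a login from {prev_region}"
            )
    return warnings


# Constructed sample: a home login, a login from another country a few hours
# later (the case the post describes), then a home login the following day.
SAMPLE_LOGINS = [
    Login(datetime(2010, 3, 24, 8, 5), "192.0.2.17"),
    Login(datetime(2010, 3, 24, 10, 40), "198.51.100.9"),
    Login(datetime(2010, 3, 25, 9, 0), "192.0.2.17"),
]

if __name__ == "__main__":
    for line in suspicious_logins(SAMPLE_LOGINS):
        print(line)
```

Only the second login is flagged: the third differs in region from the one before it but is more than a day later, so it falls outside the window.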

By clicking on the "Details" link next to the message, you'll see the last account activity window that you're used to, along with the most recent access points.


If you think your account has been compromised, you can change your password from the same window. Or, if you know it was legitimate access (e.g. you were traveling, your husband/wife who accesses the account was also traveling, etc.), you can click "Dismiss" to remove the message.

Keep in mind that these notifications are meant to alert you of suspicious activity but are not a replacement for account security best practices. If you'd like more information on account security, read these tips on keeping your information secure or visit the Google Online Security Blog.

Finally, we know that security is also a top priority for businesses and schools, and we look forward to offering this feature to Google Apps customers once we have gathered and incorporated their feedback.

54 comments:

Chicouloum said...

What do you plan to do if someone is sometimes connected through a VPN which is situated abroad?

coolbop said...

Just out of interest, is this message only shown to someone that logs in again with the original IP address range? And are they the only person that can dismiss this message?

If not, it would be trivial for a hacker to dismiss the alert without the account owner ever seeing it.

Hayden said...

This is a great addition! I would still like to see an option to verify via SMS when making any changes to passwords and recovery options. If a hostile person gains access to your account by knowing your password, they could quickly change it and all your recovery options before you even see the alert, potentially losing access to your account for good. (This happened to my fiancée.)

tonfa said...

It would be even better if the "connection detail" window had support for IPv6.

Currently it doesn't even show the hex address, it just shows "unavailable".

(The help would need to be fixed; there is some information that is only relevant to IPv4.)

Clinton said...

This is a step in the right direction, but I was really hoping that one could configure Gmail to require Captcha or some other challenge/response if attempting to log in from some unusual location or IP address (based on previous activity).

How you implement this is up to you... maybe I could opt into such a service that would "reject" my valid authentication credentials (as if it wasn't correct) and ask me to enter it again... this time with a Captcha.

Jesse said...

My email account jesseinfo@gmail.com was taken over this morning and they started sending out emails like the one mentioned. I filled in the Gmail form but the Gmail team did not believe I was the owner of the account. All I want is for the account to be permanently closed. Please help me!

junky said...

I'm trusting that Google has made this system so it's intelligent enough to notify the actual account holder of access discrepancies, rather than the attacker, who'd love to change your password immediately. This would be done, of course, by the same method of IP recognition, such that when you access via a familiar IP you receive the message, allowing you to change your password.

VadisH said...

Suppose my account has been compromised and the warning message gets displayed. Can't the hacker just click "ignore" on the red warning message above, so that the notification about the stolen identity is dismissed, or am I missing something...?

Ratzlaff said...

This is great. Another nice feature would be to assist the user in geolocating the origin of incoming emails. This would help greatly against phishing campaigns if the user could see that really nice deal from PayPal originated in Nigeria.

DJ_Max said...

Great, in theory this sounds very good, but will users have the option to whitelist an incident trigger, e.g. when using proxies or corporate/personal VPNs???

What about proxy relay networks such as Tor that hop servers/locations???

Kimo C said...

It would be great if you could use derived location on the mobile devices based on their wifi/gps/cell towers to refine the location of the usage rather than the broad geo info based on IP address.

odin said...

Will there be a way to permanently add an authorized location? For example, a person lives in San Jose California, but his office proxy is in NY City. If he checks his email from the office with its IP geolocated to NYC, then drives home and 30 minutes later checks his email from home with his IP geolocation of San Jose, will he constantly be getting warnings or can he add both locations as valid or "safe"?

Andrew said...

I recently got hacked by the London guy. These security tips don't really help because he changed my password so I couldn't log in and is currently sending emails with another account.

Does anyone know how to disable sending emails from alternate addresses?

My understanding is that you can type in an alternate email address and all Gmail does is email the other address to "confirm" that it's yours. The only way to stop this is by ending it on the other email address.

Problem is, the hacker has access to his personal account, with which he can still send emails from pretending to be me.

fergal said...

This is a feature I'll hopefully never use, and paradoxically, one it's great to have.

GeoIP databases have been around for years, the IPs are logged anyway, and yet of all the online services I use (banking, ecommerce) Gmail is the only one that will warn me if this sort of thing happens.

Nice one, Gmail team.

vishal said...

Hello, I received an email from my wife this morning with the same warning you are showing here, Pavni Diwanji, Engineering Director (Detecting suspicious account activity). The person has been sending email to everybody in her contact list and my wife is not in town. What should I do? Everyone is calling me. Can you please help me?

Nicholas said...

I often get messages to compromise my information through gmail.
I'm thankful that those in charge of gmail accounts have been doing a great job filtering these spam garbage emails.

PM said...

This is a great feature, but does it stop someone from using your ISP address as a proxy address and then logging on?

In a circle of friends this can happen when someone has received an email from you and then uses a somewhat similar IP address to log into your account.

Mary Ray Lieu said...

I definitely appreciate the idea behind this. But since this morning I have been trying to figure out why my most recent access is some place in New York in "2009". I agree that if there has been something like that in the past few weeks it makes sense to report it to the user. But a timing like that made me wonder if the system time is off on any computer I use. And only at the other end of a long malware search do I read this article and presume the code looks through more than two years of IP address logs??

Ryan said...

Interesting that this post was made this weekend, as my wife's account has been hijacked by hackers. They have changed her password and security question multiple times, and she is currently locked out, while the hackers have free rein. We have tried to contact Google security, but received a message that the security mailbox (security@google.com) is over quota. Is there some other route we can use to contact the Google security team?

Anonymous said...

I have gotten a few emails from the Gmail team that state my account will be shutdown unless I provide my full name, Password, Phone # and Country. It is strangely worded and I am suspicious. Is this for real--is there anyone I can contact at gmail to verify authenticity?

None said...

Suddenly (two days ago) when I log into Gmail and click details to bring up the activity information window, I see this:

Unknown    United States (AZ) (75.101.188.210)    12/6/09

This IP traces back to "Amazon Elastic Compute Cloud" and I've never seen this activity listed, although I've checked the activity box since 12/6/09.

This only happens on my home computer, using either Google Chrome or IE7. When I log in at work, this doesn't show up.

WinXP Media Center Edition
IE7 and Google Chrome
Norton Internet Security Suite
RealPlayer HTML5Video Downloader Extension

Have scanned with Advanced SystemCare and done full scan with Norton, nothing bad shows up.

Please help, I'm freaking out.

Many thanks,

ian said...

I (and my family) just received the following email from my Gmail account (which has been hacked in this manner)... How can I get my account locked quickly? (The hacker changed the password.)

ffthack@gmail.com --- email follows---

I'm sorry for this odd request because it might get to you too urgent but it's just the situation of things right now, we are presently stuck in Scotland, we came down here on vacation. we were robbed, worse of it is that bags, cash and credit cards was stolen at GUN POINT, it's such a crazy experience for us and we need help with flying back home, the authorities are not being 100% supportive but the good thing is we still have our passports but don't have enough money to get on a plane back home, please we need you to loan us some money till we are back home to refund it back.

Thanks,
Ian.

BodyTalkerLisa said...

This same thing happened to a friend of mine, but what happened to me while she was having this problem was that I got a weird highlighted warning message flashing above my email's area where I view all my messages. It wanted my user word and password, to see if it was correct. Since I have never seen anything like that before I ignored it, thinking it was not referring to me and that maybe someone hijacked my account as well. Lisa Seward

Female said...

I appreciate the improved information on account activity, but would much like to understand how it can be that I repeatedly find the message 'this session may be open in another location' (sorry, have forgotten the exact text) given that I ALWAYS and INVARIABLY log out, and have my browser set to store no passwords and to delete all information upon exit. Is someone hacking my email from my own PC? If so, how? I have it firewalled, silent (effectively invisible on the internet), clean and free of viruses, have never found trojans on it, am the only one using it, and have a password for it. I even lock down the firewall at night. Note it happens more often to one account that I access at work, and so which may be subject to password theft via keyloggers. But it happens too to my very private account that I never open except here at home. Many thanks in advance for input on this, how it can happen and what to do. E

Bloops said...

My email address was also compromised by a scammer (probably the same) who sent out email to all my contacts asking for money for being stuck in London. The problem is the scammer also changed my password and secondary email address so I cannot access my account.

I have already filled out the account compromised form but nothing happened. I also have email forwarding and sending set-up from my other account so I have definite proof that I own the account. Please help!

Dmitry said...

Please make a possibility to block access from china to someone's gmail account at all!!!
My account was hacked yesterday. I don't know HOW!

awheckman said...

I see that one can turn off alerts after waiting a week, which gives a valid user a week-long chance to log in and notice before a bad guy can avoid alerts. That's good. Let's say, however, that I am a frequent traveler between 2 different countries. Would I expect to get an alert each time I fly because I check email in country A and then a few hours later in country B? Or does the automated system learn from the recorded activity what is normal for me? What about having a more flexible alert configuration, where I can say "turn off alerts for countries A and B only" rather than turning off all alerts? That could be an option next to each activity record.

unknown said...

Hi. I just received a similar email from my friend. Her Gmail account was hacked and now she can't sign in to change her password. The scammer/hacker also hacked her Yahoo account, but she was able to retrieve that account, and found a new backup email on her account she believes is the hacker's: dannypoljak@gmail.com. Where can I report this misuser?

François said...

It would be great (especially for those of us accessing GMail through IMAP) to have these security warnings available through a private RSS feed.

Jean-Francois said...

Is this alert already working? I tried to access my mailbox directly and through a proxy to change my IP source's country and I didn't receive any alert.

Saqib Ali said...

Is the suspicious behaviour tagged for 'all' types of access (IMAP, ActiveSync, MAPI, GTalk etc.) or just for the Gmail web UI?

Carlo said...

I need help, everyone. My email and PayPal account just got compromised last 14th of April. I made a transaction with the fraud who compromised my email, PayPal account and bank account. I don't know how he did it, but he did! He made unauthorized transactions and transferred all my funds to his own PayPal account before closing my account. PayPal made an investigation about the case and concluded that there was no third-party access to my account and closed the investigation. It was really upsetting! It left me nothing but hoping to prove that it was totally the fraud who closed my account, since he got access to my email, my PayPal, and knows my bank account through our first transaction. Since PayPal wasn't able to see any third-party access, if I could just prove that the IP address that accessed my email also accessed my PayPal account, it could prove that it wasn't me who made the transactions and closed my account. Can anyone suggest how I could do this?

Mikhail said...

This alert is working and has provided me with valuable information about the recent account compromise. Unfortunately the damage was already done (not much, but unpleasant). At the same time this incident has shown me how sensitive indeed the information stored in my Gmail account is. I have thought a bit about how I would like to improve security (including taking my info back to my PC, discarded as not secure). Here are some suggestions:

1. Provide a gadget or an iPhone app to generate a temporary secure number in addition to the password (just like Blizzard provides for its BattleNet users; very, very convenient and unbreakable; take a look, it's nice). I WOULD GLADLY PAY FOR SUCH A FEATURE.

2. My account was compromised from a South Korean IP. Why not provide an option to restrict access geographically? It's not a 100% solution, but still an improvement.

3. I would like to press a button near this South Korean IP address: "yes, this is a bad intrusion, not a false positive". The lists of these IP addresses can later be shared with law enforcement.

Thank you.

Aye said...

My account has just been compromised. As the hacker logged in to chat, I saw it because I was using another account. So I logged in before the password was changed. I got lucky and I could get in and change the password. The strange thing is his/her IP is not even in the list of recent activity! I wonder how he/she managed to do that. Is there a setting that allows users to do that? So please help me.

Osman Gürsoy said...

Just put a notification on the front page saying the last login date and time. So we will know whether someone else uses my account or not!
What do you think?

Stephen said...

Hello.... Yesterday my account was compromised as well. The same e-mail has been sent to all of my friends and family, some of whom have corresponded and had conversations with the impersonators. They have also deleted my Facebook account. I have lost vital work-related material that was on the account. I am very upset that Gmail has no interest in helping me. I don't know what to do. I may lose my job because of this. I have filed a complaint with the indicated ic3.gov form for white collar crime but have heard nothing. I have also called Google and was told they couldn't help me. I have filled out the account impersonation form for Gmail and that was fruitless. The hacker has also changed the alternate email address and has locked me out completely, preventing me from changing my password. Does anyone have the solution? All that essentially needs to be done is to verify the user and then simply deactivate the damn account. What is the big deal? Thanks for nothing, Gmail. I will be letting everyone I know and current friends and family who use Gmail know that they should go to another server and start a new email address and cancel their Gmails, because this could happen to anyone and Gmail will do nothing to help.

staticfinal said...

Are OAuth logins whitelisted? It would defeat the purpose of OAuth login support if suddenly all the users of our service got a warning that their "account has been compromised" when our servers try to access their accounts.

tzm said...

Can we get more detail of account activity rather than the IP address?
What I mean is, if someone checks from a public access center like a cyber cafe of an ISP, right now we can only know the public IP address of the ISP, and cannot know more than that.

VadisH said...

tzm, great idea! In case of suspicious activity I'd also like to have an undo option for whatever happened during the hacked connection.

Roxy Unscripted said...

I'm not sure if what I received via a Google warning alert is the same thing mentioned here, as the Google warning alert I received couldn't have been related to my email account due to the fact I received it the instant I logged onto my brand new computer for the first time.

I'm curious if anyone else has had a similar experience? The warning gave in-depth details, including the mobile phone number blocking me and redirecting all my Internet traffic and access. It gave me a detailed account of the location, i.e. the hotel in the San Francisco area, and even stated the person was located in the cafe within that hotel. The alert also listed a lot of personal info about me as well as the hacker. Has anyone else experienced this type of Google alert? It was such a blessing when I received this alert, as I had been blocked from accessing the Internet for at least 8 months. I knew it was my then estranged husband, and upon Google sending me the warning alert it provided me all the proof I needed against my now ex-husband. I took a snapshot of the warning alert and have made several copies buried within numerous CDs. I bring this up because my husband is a wolf in sheep's clothing within his profession as an I.T. & information security consultant/pro and very good at what he does. He has the power to turn a person's life upside down if he feels they are a threat. I had never heard about the Google e-mail alerts until now.

all comments appreciated.
thejusticetrain
a.k.a
roxyunscripted

tzm said...

As far as I know, last account activity can't help much. If someone uses our mail from cyber cafes, those cafe IPs are behind the firewall IP address of the internet service provider. Last account activity cannot pass the firewall IP of the ISP, so we can't get the exact location.

RBDurgin said...

Where do we send reports of unauthorized access to?

NIck said...

I have to say... I am a bit mad that I have been locked out of my account due to "suspicious activity", and since my phone does not allow texts I had to fill out a form that requires 24 hours of investigation. I need to use my e-mail now, but I'm stuck with this problem.

I just used my e-mail yesterday night, and when I checked it today it didn't even let me sign in; it just locked me out, saying that due to suspicious activity on the account I need to prove some info I don't even remember because it was so long ago.

I used my brother's account to post this.

aashna said...

This IP address is hacking gmail accounts and sending spam out to all the contacts in the account

Browser Italy (115.52.226.160) Nov 8 (1 day ago)

You should BLOCK them from ever accessing google. Or find a way to prevent this.

Jay said...

aashna,

Thank you for your report. We have sent it to the appropriate teams for investigation.

Google Security Team

domakesaythink said...

Hi,

My brother had this incident where a malicious person hacked his gmail account and deleted e-mails.

We actually know who this person is (he did this from his home connection; the IP address matches emails he has sent us) and we pressed charges, but the Police told us that we should try and contact Google to make sure the access logs for the Gmail account are not deleted... Police investigations in Portugal take forever, and I have screenshots of the "Activity on this account" screen showing the entries that correspond to the illegal activity, but those aren't valid in court.

Who should I contact about making sure that those access logs don't get deleted, so that when the Police make the official request for them they are still there?

Cheers,
Francisco

Jay said...

Francisco, Law Enforcement should request preservation. They can contact their regional Legal Attache office for guidance.

Jay, Google Communications

DragonIcons said...

My Google account activity continues to say that my IP address is from United States, NY (where I was last year) even though I am now in South Korea? The account activity and my use of Gmail match up fine (i.e. it logs perfectly when I've used Gmail 2 minutes ago, 1 hour ago etc.), but for some reason the IP location for all this activity keeps saying New York? Is there something wrong with my computer?

R@jU said...

On the recent activity window the hacked IP address is marked red. Does Google automatically tell these users that their mail has been hacked, or is it our duty to check whether anybody has hacked our page or not....................

Please help on how to view all the recent activity addresses for a month or a year............

Is only the hacker marked red, or is anything not marked?

sivaganga bejawada said...

Is there a way that we can put an access filter at country level / state level on accessing the account?

article43 said...

Can you please let me know how to leave this feature on, so that it shows the last IP address every time I log in.

Thank You.

Glen Gage said...

I've had two such warnings but haven't ever found evidence of any use of my account by the hacker. Did they actually get access to the account or did you ask them security questions and so not let them in?

guran said...

How can I TURN OFF!!! this highly annoying and dangerous "feature". I travel frequently and DO NOT WANT or need my whereabouts to be emailed, in an insecure message. This is so disturbing that I have to avoid using my Google-enabled devices in some countries I travel to.
This is a feature that should have a full "disable" mode, but I have not found any way to turn it off!

007SQL said...

I am in a loop due to changing my password last night via LastPass (which normally saves the new generated one properly, but didn't for some reason). So I tried again a couple of times. I do remember a recent password, but not the most recent. Very frustrating to be in a loop, locked out for "suspicious activity" on my own account due to some malfunction, and even my second factor is not working.