The attacker basically set filters in Gmail to forward emails from the domain registrar to another email account. To ensure that the account owner would not notice the mails they were set to be deleted afterwards.

Most domain registrars offer web forms that can be used to retrieve account information. Godaddy for instance provides web forms to retrieve the username and reset the password of an account. They do send out emails to the primary email account. Those emails are however forwarded and deleted so that they can only be accessed by the attacker.

The two emails will contain the account’s username and a new password which can be used to log into the account and initiate a domain transfer to another registrar.

The exploit makes use of a specially prepared website to steal the Google Mail cookie from the user to set the filter in an hidden iframe. This is why the account owners were never logged out of their account by the attacker. He never had physical access to the account. But the filter was enough to hijack the domains.

Gmail users should regularly check their Filters to make sure that none exist that have not been added by them. A better solution would be to retrieve the emails from a desktop email client like Thunderbird or Microsoft Outlook instead.No word yet from the Google Mail team about the vulnerability.

Related posts

• Tracking Gmail Account Usage (2)
• Google Mail Account Security Tips (4)
• Gmail Increases Email Security With Phishing Protection (7)
• Use Gmail To Host And Share Photos (6)
• Truemark Email Identification (5)