pabumake / windowToolboxMalware-Removal

wTM-Removal searches for and removes malicious files related to the bad GitHub repo
MIT License
54 stars, 13 forks

Additional detection #14

Closed Loggsie closed 9 months ago

Loggsie commented 2 years ago

This issue first came to my attention from a Google notification of a suspicious app on my Windows PC.

Having just run the removal tool, 1 of 12 issues remains/is present.

No reputable AV vendor flagged anything of concern when I checked.

After changing passwords and setting two-factor backup again per Google's recommendations, the problem remained present. Additional detections were notified by Google.

I had identified the probable device, though my Chrome browser syncs with the family PC too and neither was detecting anything malicious, so I couldn't be 100% sure about the culprit device.

The only Google services running from these two devices to which I'm already signed in are GDrive (no auto-startup), Chrome, Brave and PlayStore via the WSA Project.

I delved a little further, paying attention to my local app data folders for Google and Brave. I zipped them up and uploaded them to VirusTotal. Chrome came back clean; Brave (my default browser), however, flagged Win32.Troj.Undef.(kcloud).

There may be no connection; however, it's worth pointing out to others to follow the above.

The lesson to be learnt here is: if you don't already have an AdSense account, and even if you don't intend to have one in the future, create one and protect it with two-factor. Two-factor isn't demanded for the first two weeks, so even if you have two-factor enabled it isn't enforced for the first two weeks.

The threat actor was able to hijack my browser session, create an AdSense account by inviting ly4997410[at]gmail[dot]com, then with existing access set themselves as an admin and commenced an AdSense campaign with the intention of funding it from my saved payment methods.

Thankfully, in my case Google prevented use of the newly created AdSense account, so there is no financial loss. I do know from my Google activity report that my Drive files and pictures were accessed.
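The triage step described in the comment above (zipping the Chrome and Brave local app data folders and uploading them to VirusTotal) can be done without handing the whole profile to a third party. A browser profile contains cookies, saved logins and session tokens, and samples uploaded to VirusTotal are shared with other subscribers, so uploading the zip itself is a way to leak exactly the session material a hijacker is after. The script below is an added example, not code from the wTM-Removal project or from either commenter: it hashes every file under the two browsers' default profile roots, records which ones hold credential or session data, and looks up only the SHA-256 of the code-carrying files on VirusTotal, so no file content leaves the machine and a hit can be traced to a single file rather than to the whole archive. The profile paths, the extension list, the `VT_API_KEY` environment variable and the rate-limit pause are assumptions for this example; close the browsers first so the SQLite databases are not locked.

```powershell
# Added example, not part of the wTM-Removal project.
# Hash-based triage of Chrome/Brave profile directories on Windows 10/11.
# Only SHA-256 hashes are sent to VirusTotal; no profile content is uploaded.
# Assumed: default install locations, and an operator-supplied key in $env:VT_API_KEY.

$ErrorActionPreference = 'Stop'

# Default profile roots for the two browsers named in the issue (assumption).
$profileRoots = @(
    (Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'),
    (Join-Path $env:LOCALAPPDATA 'BraveSoftware\Brave-Browser\User Data')
)

# Files holding credentials or session material. They are hashed for the
# inventory but must never be uploaded as content.
$sensitiveNames = @('Cookies', 'Login Data', 'Web Data', 'Local State', 'History')

# Extensions that can carry executable code (assumed list for this example).
$codeExtensions = @('.exe', '.dll', '.js', '.ps1', '.vbs', '.bat', '.cmd', '.scr', '.hta')

function Get-BrowserProfileHashes {
    param([string[]] $Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Locked files (browser still running) are skipped rather than failing the run.
                $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
                if ($null -eq $h) { return }
                [pscustomobject]@{
                    Path       = $_.FullName
                    Length     = $_.Length
                    LastWrite  = $_.LastWriteTimeUtc
                    SHA256     = $h.Hash
                    Sensitive  = ($sensitiveNames -contains $_.Name)
                    Executable = ($_.Extension -in $codeExtensions)
                }
            }
    }
}

function Test-HashOnVirusTotal {
    param([Parameter(Mandatory)][string] $Sha256)
    # Hash lookup only: GET /api/v3/files/{hash}. Nothing but the hash is transmitted.
    $headers = @{ 'x-apikey' = $env:VT_API_KEY }
    try {
        $r = Invoke-RestMethod -Uri "https://www.virustotal.com/api/v3/files/$Sha256" -Headers $headers
        $stats = $r.data.attributes.last_analysis_stats
        return [pscustomobject]@{ SHA256 = $Sha256; Known = $true;
                                  Malicious = $stats.malicious; Suspicious = $stats.suspicious }
    } catch {
        # 404 means VirusTotal has never seen this hash: "unknown", which is not the same as clean.
        if ([int]$_.Exception.Response.StatusCode -eq 404) {
            return [pscustomobject]@{ SHA256 = $Sha256; Known = $false; Malicious = $null; Suspicious = $null }
        }
        throw   # auth, quota or network errors should surface, not be read as "unknown"
    }
}

# 1. Full inventory, kept locally for later comparison against a clean machine.
$inventory = @(Get-BrowserProfileHashes -Roots $profileRoots)
$csv = Join-Path $env:TEMP 'browser-profile-hashes.csv'
$inventory | Export-Csv -LiteralPath $csv -NoTypeInformation
"{0} files hashed, {1} flagged as credential/session stores, inventory at {2}" -f `
    $inventory.Count, @($inventory | Where-Object Sensitive).Count, $csv

# 2. Look up only code-carrying files, never the credential stores.
$candidates = @($inventory | Where-Object { $_.Executable -and -not $_.Sensitive })
if ($env:VT_API_KEY) {
    foreach ($f in $candidates) {
        $v = Test-HashOnVirusTotal -Sha256 $f.SHA256
        "{0}  known={1}  malicious={2}  {3}" -f $f.SHA256, $v.Known, $v.Malicious, $f.Path
        Start-Sleep -Seconds 15   # assumed pause to stay inside the public API quota
    }
} else {
    "VT_API_KEY not set; {0} candidate hashes written to the CSV for manual lookup." -f $candidates.Count
}
```

A file that comes back `known=False` has simply never been submitted; treat it as unreviewed and keep it for a manual check, not as clean. The local CSV is also the artifact to diff against the same browsers on a known-good PC, which is the quickest way to narrow a detection on a whole profile archive down to the file that triggered it.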

pabumake commented 2 years ago

Hey, thanks for your input. Since I'm not (yet) very deep into cyber/info sec, I would like to include this whole reply of yours in the README of this project. If you have anything that may help with the detection & cleanup, I would really appreciate your input.

Sorry for the late response. I just checked randomly here on GitHub and saw this comment, so I'm answering right now ^^"

Loggsie commented 2 years ago

Sorry for the delay in getting back to you. I can't think of anything else of benefit other than the same 2FA weakness is present with YouTube, so you may want to include this too.

Sadly while I'm computer literate, I too have limited malware understanding and cannot be of much help in this field.

pabumake commented 9 months ago

Close. Keep it for documentation.