Someone has your password, Google stopped this sign-in attempt.

Nothing to do with ransomware, but stimulating in terms of security: this is the subject of the email many users received in these days on their Gmail email account and on addresses configured as recovery/security address or as forward. The email with subject “Someone has your password, Google stopped this sign-in attempt.” comes from Google IPs and warns its users about a “stopped this sign-in attempt” due to the fact that “Someone just used your password to try to sign in to your Google Account, using an application such as an email client or mobile device.”

The unauthorized access was prevented because “Google stopped this sign-in attempt, but you should review your recently used devices“, that means that the password was correct but Google prevented and stopped the sign-in attempt all the same, inviting you to check whether you typed the password in or it was someone else.

Checking the details of accounts involved in this weird behavior, we detected many IP addresses – namely IPv6 – belonging to Google ASN, for example:

• 2607:f8b0:400d:c0d:0:0:0:206
• 2607:f8b0:4002:c05:0:0:216
• 2607:f8b0:4001:c0b:0:0:223

All of the warnings report “United States” as the source of the unauthorised access and, we can even check the details of Google last account activity (lower-right corner of the Gmail main page) to browse every single sign-in:

Weird POP3 connections come from Google IPV6 addresses, some of which are reported below:

• 2a00:1450:4010:c07:0:0:0:213
• 2a00:1450:4010:c07:0:0:0:203
• 2a00:1450:4010:c07:0:0:0:20a
• 2a00:1450:4010:c07:0:0:0:207
• 2a00:1450:4010:c07:0:0:0:206
• 2a00:1450:4010:c07:0:0:0:20e
• 2a00:1450:4010:c07:0:0:0:225

As you can see, also IP “227.92.36.136” is involved in the stopped sign-in attempt:

The detected sign-in from IP address 227.92.36.136 looks weird too because this address belongs to IANA Special Use IP addresses, that is addresses – starting with a number between 224 and 239 – “used for IP multicast. IP multicast is a technology for efficiently sending the same content to multiple destinations. It is commonly used for distributing financial information and video streams, among other things.” as we can read from the 227.92.36.136 IP whois details:

NetRange: 224.0.0.0 – 239.255.255.255
CIDR: 224.0.0.0/4
NetName: MCAST-NET
NetHandle: NET-224-0-0-0-1
Parent: ()
NetType: IANA Special Use
OriginAS:
Organization: Internet Assigned Numbers Authority (IANA)
RegDate: 1991-05-22
Updated: 2013-08-30
Comment: Addresses starting with a number between 224 and 239 are used for IP multicast. IP multicast is a technology for efficiently sending the same content to multiple destinations. It is commonly used for distributing financial information and video streams, among other things.
Comment:
Comment: A full list of IPv4 multicast assignments can be found at:
Comment:
Comment: http://www.iana.org/assignments/multicast-addresses
Comment:
Comment: A document describing the policies for assigning multicast addresses can be found at:
Comment: http://datatracker.ietf.org/doc/rfc5771
Ref: https://whois.arin.net/rest/net/NET-224-0-0-0-1
OrgName: Internet Assigned Numbers Authority
OrgId: IANA
Address: 12025 Waterfront Drive
Address: Suite 300
City: Los Angeles
StateProv: CA
PostalCode: 90292
Country: US
RegDate:
Updated: 2012-08-31
Ref: https://whois.arin.net/rest/org/IANA
OrgTechHandle: IANA-IP-ARIN
OrgTechName: ICANN
OrgTechPhone: +1-310-301-5820
OrgTechEmail: [email protected]
OrgTechRef: https://whois.arin.net/rest/poc/IANA-IP-ARIN

OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName: ICANN
OrgAbusePhone: +1-310-301-5820
OrgAbuseEmail: [email protected]
OrgAbuseRef: https://whois.arin.net/rest/poc/IANA-IP-ARIN

Other reports list accesses during October 10, 11 and 12 made by IP “255.104.1.140”, an “Internet Assigned Numbers Authority (IANA)” IP too described in the whois as: “Addresses starting with 240 or a higher number have not been allocated and should not be used, apart from 255.255.255.255, which is used for “limited broadcast” on a local network. This block was reserved by the IETF, the organization that develops Internet protocols, in the Standard document and in RFC 1112.”

Users can browse the Recently Used Devices page to display the details about the unknown device which attempted the sign in, including IPv6 address and geolocation built by Google security. As you can see in the picture below, the source of the sign-in attmept is “United States” and the IP is one of Google ASN ones.

The first impression is that this is a kind of “bug” which takes Google into detecting itself as a harmful sign-in attempt. There seems, so far, no potential harmful unauthorised access involved, accounts are still reported as safe and accesses were stopped by Google. Also Google connected addresses have reported such attack alerts.

We are still investigating on the presence of IP “227.92.36.136”. Readers are welcome to comment posting their experience on this topic so as to help us and other researchers join evidences and draw a picture of what happened.

Questo articolo è disponibile anche in: Italian