Monday, January 17, 2011

Remove ShoppyBag from your Gmail account

(See below for removal instructions)

There seems to be a plague of these nasty ShoppyBag emails at the moment. As far as I can tell, this phishing/malware scam only affects Gmail account users.

You receive an email, purporting to be from a friend, asking you to click on a button in order to look at a photo they have sent you. All you have to do is click and the scammers have gained access to your Gmail account, stolen your contact list and sent invitations to all the Gmail accounts on that list, telling them that you have sent them a picture. The site claims that you have to fill out their application form and agree to their terms in order for them to send emails on your behalf, but everyone I have spoken to who unfortunately clicked on the link has told me that simply clicking the link did all the damage. Many backed out without completing the account sign-up form and without agreeing to anything. It was too late though. They had already gained access by using a special API code (supplied by Google) that gives third parties and websites access to your Gmail account.
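The invitation described above arrives under a friend's name. As an added example (not part of the original post), the Python below compares the display name in the From header with the addresses you actually hold for that contact, assuming the invitation is sent from an address other than the friend's own; the address book, sample messages and domains are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: display name -> addresses you really know for that person.
CONTACTS = {
    "dana levi": {"dana.levi@gmail.example"},
    "yossi cohen": {"yossi@work.example"},
}

# Constructed sample messages; all domains are placeholders.
SAMPLES = {
    "genuine": "From: Dana Levi <dana.levi@gmail.example>\nSubject: lunch?\n\nhi",
    "invite": "From: Dana Levi <dana.levi@invites.photo-site.example>\n"
              "Reply-To: noreply@photo-site.example\n"
              "Subject: Dana Levi picked a photo for you\n\nClick to view",
    "stranger": "From: Newsletter <news@shop.example>\nSubject: sale\n\nhi",
}


def normalise(name):
    """Lower-case and collapse whitespace so 'Dana  Levi' matches 'dana levi'."""
    return " ".join(name.lower().split())


def check_sender(raw_message, contacts=CONTACTS):
    """Return the reasons a message looks like it impersonates a known contact."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    known = contacts.get(normalise(name))
    reasons = []
    if known is None:
        return reasons  # display name is not a contact, nothing to compare against
    if addr not in known:
        reasons.append(f"name '{name}' is a contact but {addr} is not their address")
        reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
        if reply_to and reply_to not in known:
            reasons.append(f"replies go to {reply_to}, not to the contact")
    return reasons


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, check_sender(raw))
```

A display-name match is only a hint: a contact who writes from a new address would also be flagged, so treat a hit as a reason to check with the person before clicking.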

What makes this worse is that Google, who own Gmail, know that these despicable scammers are targeting Gmail accounts and seem to be doing nothing to stop them. Looking on the Gmail forum sites, users have been complaining for months now, with little or no reaction from Google.

If Google remain silent and do not stop ShoppyBag from hijacking Gmail accounts then it would seem that ShoppyBag have Google's tacit approval to steal Gmail users’ contact lists and send their phishing scams to everyone on that list.

One person who wrote in to the Google forums said that his Gmail account contained all his business customers. After ShoppyBag bombarded all of them with emails, he has lost their trust and it has ruined his “parnosa”.

If you didn’t know, the motto of Google is “Do no Evil”!!!

See one of the Google forums here

How to remove ShoppyBag’s access to your Gmail account

The first thing to say is that these scammers have unfortunately already stolen your contact list. Some people on Question/Answers sites have suggested going into the ShoppyBag site and completing their form to close your account. People have informed me that people on the contact list still continue to receive the emails. Moreover, going into the site could be a security risk so I would not recommend this.

My advice is to do the following:

1. Send an email only to Gmail account holders on your Contact list...
a. Telling them to report all sent and future ShoppyBag emails to Google as "Phishing emails".
    To do this, click on the blue down arrow, to the right of the Reply button and click the "Report Phishing" option.

b. Tell them NOT to click on the link.
c. Apologise to them for giving ShoppyBag their email address.
d. Include the link to this page, or better still, paste the contents of this page to those affected.

2. Log into Gmail and click on “Settings” in the top right hand corner of the page.

Click on the third tab across, labeled “Accounts and Import”.
Scroll down to the bottom to where it says “Change Account Settings”.
Click on the link saying “Google Account Settings”.

(Log in if it asks you)

Under Security settings, the third line down, click on the link labeled “Authorising Applications and Sites”.

Click on “revoke access” next to ShoppyBag's Google contacts to remove their access to your account.

3. Go back to the “Google Account Settings” page and click on the first link: “Changing your password”.
Change your password to something with a combination of letters and numbers.

4. Log back into Gmail with your new password and go to your Contacts list.
Search through all your Contacts, deleting all ShoppyBag emails.

That’s all you can do I’m afraid until Google decide to act.

*** UPDATE ***

I found this legal site which is collecting information in order to sue ShoppyBag with a class action lawsuit.


Reb Mordechai said...

New post on those nasty scammers called "Shoppybag".

"Remove ShoppyBag scam from your Gmail account".

Anonymous said...

Nice tutorial! Only wrong. The whole sorry business is a regular OAuth addressbook import. They invented it for social networks, so you wouldn't give your password and feel safe about Facebook already. Google, who does no evil, is all machine intelligence. Phishing happens if you give your password to something posing as Google - so, no phishing. Don't confuse poor machine by clicking the wrong button.

Reb Mordechai said...

Dear Anonymous,

Thank you for your comment.

However, I think your definition of phishing is too narrow and out of date.

It’s true that originally, phishing emails were a specific type of fraud which attempted to fraudulently claim that it originated from your bank and trick you into giving the criminals access to your account in order to steal money. Today, criminals and spammers have become more sophisticated.

“Phishing” can now be defined as an email which fraudulently claims to have come from a legitimate trusted organisation or person and commences to trick you into giving the actual sender of the email, personal and sensitive information in order to use it for criminal or even commercial purposes, without the person’s knowledge or agreement.

I am not a lawyer but as a computer professional, I'm quite happy with this working definition.

Phishing mainly involves identity theft and e-mail fraud for whatever purpose.

Now let's look at Shoppybag’s email

1. The person by simply clicking on the link causes their personal contact list to be stolen by this site without their knowledge or agreement. The person has not agreed to join the site or completed any membership form for this to happen.

2. An email account name is set up in their name without their knowledge or agreement which implies falsely that that person has become a member of this site.

3. The site then sends an email falsely claiming that it was sent by the person on their contact list, falsely claiming that the person has personally picked a photo for you.

So the question is:

Did the person whose name appears on the email account which you have received, (who is a person on your contact list who you trust), knowingly create an email account of that name and intentionally send you that email which states that he/she has “picked a photo for you...”?

The answer is NO! Therefore, I along with many others on the Internet forums who discuss this, would say that this is indeed a form of phishing.

Anonymous said...


Reb Mordechai said...

Thank you anonymous. I assume you meant that comment as a correction in place of "placid". I've corrected it.

Anonymous said...

I have received numerous notices that people with OTHER THAN G-MAIL addresses have received multiple Shoppybag invitations to view a photo. This is 100% fraudulent and seems to be a phishing scam website.

It ABSOLUTELY is NOT A SOCIAL NETWORK -but a malware application.

Terry said...

This does not ONLY affect Gmail users. Daily I get complaints from others with MSN and other e-mail addresses who complain of all the "Shoppybag invitations I keep sending them". These are fraudulent and I would love to know how to block any more being sent in my name and E-mail account #. I changed my password, but it continues to send these.

Reb Mordechai said...

Presumably, whichever email service you are using (and you don’t say which one), there has to be some option that gives these despicable people access to your contact list.
You’ll have to find it for your particular Email service.