Many people don't realize just how
valuable their email account is.
Now, thanks to researchers at the
University of Illinois at Chicago, a
nifty tool called Cloudsweeper
calculates how much your account
would be worth, if cyber-criminals
ever managed to get control.

Whenever someone's email gets
hacked, whether through a phishing
attack, malware, guessing passwords,
or plain brute-force, a common
complaint goes something like this:
"Why did I get hacked? There is
nothing interesting in my account."
The thing is, the criminals aren't
looking for exciting gossip buried
within your correspondence or looking
at the pictures you've emailed people.
They are looking for valuable data,
such as passwords to other accounts.

Your email account is quite frequently
used for password resets. If someone
gets control of your account, that
person can search through the saved
messages and figure out what other
sites use the email address for
account recovery. Access to your
online banking account, login
credentials for Facebook and Twitter,
and details for iTunes and Amazon
accounts are all accessible via your
email account. I know many people
who treat their email accounts as
secret storage, frequently emailing
private keys and password reminders
to themselves.

My Gmail Is Worth $15

Enter Cloudsweeper, a project from
researchers at the University of
Illinois at Chicago. The tool scans all
the messages in your account to figure
out what other services use the
address to send password reset
emails, or to log in to the service. The
tool also tracks services that sent the
actual password when the user
clicked on the "forgot password" link.
The tool assigns a dollar figure to the
data pieces found to determine how
much the account is worth in the
underground market.

I ran one of my Gmail accounts
through Cloudsweeper, and it
determined my account would be
worth approximately $15.30 to bad
guys. I was surprised, because I use
this account purely for accessing
Google services and don't use it to
sign up for third-party services (I
keep a separate account for that) or
for regular correspondence (a
different account for that). I'd
forgotten that I did use this account for
one of my Twitter accounts, as well as
my Kindle account on Amazon.
According to the tool, my Amazon.com
account was worth approximately $15
to the criminals and Twitter was worth
$0.30.

There were some false positives, as a
result of the fact that I long ago used
this account for my PayPal account.
I've since then changed the email
address associated with PayPal, but
since I still had some of their emails
archived, Cloudsweeper flagged the
service as a potential risk. I asked a
friend to scan his account, and
Facebook popped up (worth $5) on his
list of risks, except he doesn't have an
account on that social network. The
alert seems to have been fooled by
various Facebook friend requests he
received in the past that he never
deleted.
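
The kind of mailbox self-audit described above, as an added example (not Cloudsweeper's code and not from the article): it counts only mails that indicate an account, such as password resets, so plain notifications like the friend requests mentioned above are not flagged. The subject and password patterns, the function names and the sample messages are assumptions constructed for illustration; the prices are the three figures quoted in the article.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# The three per-service prices quoted in the article; unknown services count as 0.
PRICES = {"amazon.com": 15.00, "twitter.com": 0.30, "facebook.com": 5.00}

# Assumed heuristics for this example (not Cloudsweeper's actual rules).
ACCOUNT_SUBJECT = re.compile(r"password|reset|verify|confirm your|welcome", re.I)
PLAINTEXT_PW = re.compile(r"(?:your|temporary|new)\s+password\s*(?:is|:)\s*\S+", re.I)

# Constructed sample mailbox.
SAMPLE = [
    "From: Amazon <account@amazon.com>\nSubject: Password reset request\n\n"
    "Use the link below to choose a new password.\n",
    "From: Twitter <info@twitter.com>\nSubject: Confirm your Twitter account\n\n"
    "Please confirm your email address.\n",
    "From: Facebook <notify@facebook.com>\nSubject: Alice wants to be friends\n\n"
    "Alice sent you a friend request.\n",
    "From: Forum <admin@forum.example.org>\nSubject: Forgotten password\n\n"
    "Your password is hunter2\n",
]

def service_of(msg):
    """Sender's domain, reduced to its last two labels (naive: wrong for co.uk etc.)."""
    domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    return ".".join(domain.split(".")[-2:])

def audit(raw_messages, prices=PRICES):
    """Map service -> evidence count, plaintext-password flag and price."""
    report = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        svc = service_of(msg)
        if not svc or not ACCOUNT_SUBJECT.search(msg.get("Subject", "")):
            continue  # a notification alone does not show that an account exists
        entry = report.setdefault(
            svc, {"evidence": 0, "plaintext_password": False, "value": prices.get(svc, 0.0)})
        entry["evidence"] += 1
        body = msg.get_payload()
        if isinstance(body, str) and PLAINTEXT_PW.search(body):
            entry["plaintext_password"] = True  # reset mail carried the password itself
    return report

def total_value(report):
    return round(sum(e["value"] for e in report.values()), 2)

if __name__ == "__main__":
    print(audit(SAMPLE), total_value(audit(SAMPLE)))
```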

How Much Are You At Risk?

Cloudsweeper uses prices for account
types and data collected from various
sellers across multiple underground
forums to calculate how much the
information in the user's email
account is worth, said Chris Kanich,
assistant professor at UIC's computer
science department and principal
organizer of the project. It uses OAuth,
so you just have to be logged in to the
account when you run the "audit" from
the project's page. No passwords are
stored, and you can just revoke
permissions at the end so the tool no
longer has any visibility into your
account.

If nothing else, this tool is great for
spring cleaning, to wipe out some of
the old emails that you don't need to
keep anymore. Close accounts you
aren't using, or at least make sure
your information has been removed.
And once you realize just how
valuable your account is,
Sources: PC Mag
Monday, 1 July 2013
How Much Is Your Gmail Account Worth?