Are you Sure your Email isn’t being Hacked?


In the interests of full disclosure, I didn't come up with this idea. I read about it in a computer magazine a year or two back but, of course, when I wanted to refer to it for this article I couldn't find it. Someone on Digg eventually tracked it down, so here is the original article if you want to see it.

As email providers give away more and more storage space, more and more personal information ends up in those accounts. People increasingly use their email account for more than just email: it has become their online document store, holding password lists, bank account numbers, account usernames, scans of correspondence and much more. Even if you don't use your mailbox this way, you may still be inadvertently revealing personal details in ordinary conversational emails to family and close friends. A 6GB Gmail account or an unlimited-storage Yahoo account is potentially an information bonanza for an identity thief who figures out your email password and goes snooping.

But if someone HAS obtained your email password, it may not be apparent to you: a snooper can read a message and then mark it as unread again, leaving no visible trace. So the best thing to do is set up an "electronic tripwire", a bait file that phones home when it is opened, so that if someone breaks into your account you'll know about it.


Here’s how to do it :

    1. Sign up for a website hit counter at www.onestatfree.com. You can leave a fake name and whatever URL you want (I used Google.com for mine).

    2. You will then receive a welcome email from OneStat with a text attachment called OneStatScript.txt. Before deleting the email, write down your OneStat account number, as you will need it to log in later. Then download the attachment to your computer and delete the email (you don't want any email snooper finding it later).

    3. Rename the text document to something that will make a snooper salivate, such as passwordlist, and change the extension from .txt to .htm so that the file opens in a browser rather than a text editor (the OneStat script is a web page that loads the hit counter from OneStat's server when it is rendered). So you end up with something like passwordlist.htm.

    4. Email this newly renamed file as an attachment to the email account you want to monitor. Make sure the email subject also lures the snooper in (maybe something like "List of Passwords"; you get the idea).

    5. The trap is now set. If someone opens the email and then opens the attachment in a browser, the page loads the counter from OneStat's server and OneStat records a hit. Log into your OneStat account, say once a day, and you will see how many hits your "attachment" has had. Any hits you generate yourself while testing will show up too, so make a note of your own IP address.


The OneStat account page then gives you details on each "visitor", including the date and time they accessed the web document and, more importantly, their location and IP address.
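As an added example that is not part of the original article or of OneStat's service, here is the same tripwire built without a third party, along the lines some of the commenters suggest: a bait HTML file that loads a 1x1 image and a script from a server you control, and a small Python beacon server that logs every request for them. The host name tripwire.example.net, the beacon path, the own-address allow list and the sample addresses are all constructed for illustration. It also covers two points a hosted counter may not: it ignores X-Forwarded-For unless you know the request came through your own reverse proxy (otherwise that header is attacker-controlled), and it flags hits from your own addresses so that your own test opens are not mistaken for an intruder.

```python
"""Self-hosted e-mail tripwire: a bait HTML attachment plus a beacon logger.
Added example, not the original article's OneStat procedure. Host, path,
addresses and sample values below are constructed for illustration."""
import json
import secrets
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

BEACON_HOST = "tripwire.example.net"              # hypothetical host you control
BEACON_PATH = "/b/" + secrets.token_urlsafe(16)   # unguessable, fixed per deployment
MY_OWN_ADDRS = {"203.0.113.7"}                    # your own egress IPs (constructed)

# 1x1 transparent GIF, so the beacon "image" renders cleanly in the browser.
PIXEL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01"
             b"\x00\x00\x02\x02D\x01\x00;")


def make_bait_html(beacon_url: str, label: str = "password list") -> str:
    """The bait page does one thing: pull a remote image and script.
    Anyone who reads it in a text editor instead will see the URL,
    which is the known weakness of the trick."""
    return (
        "<!doctype html><html><head><meta charset='utf-8'>"
        f"<title>{label}</title></head><body><h3>{label}</h3>"
        "<p>Loading saved entries...</p>"
        f"<img src='{beacon_url}?t=img' width='1' height='1' alt=''>"
        f"<script src='{beacon_url}?t=js'></script></body></html>"
    )


def client_ip(remote_addr: str, headers, trusted_proxy: bool = False) -> str:
    """X-Forwarded-For is attacker-supplied unless the request really
    arrived through your own reverse proxy; otherwise log the socket peer."""
    xff = headers.get("X-Forwarded-For", "")
    if trusted_proxy and xff:
        return xff.split(",")[0].strip()
    return remote_addr


def record_hit(remote_addr, path, headers, now=None, trusted_proxy=False):
    """One beacon request -> one log record; None for any other URL."""
    url = urlparse(path)
    if url.path != BEACON_PATH:
        return None
    ip = client_ip(remote_addr, headers, trusted_proxy)
    return {
        "time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now)),
        "ip": ip,
        "kind": parse_qs(url.query).get("t", ["?"])[0],   # img or js
        "user_agent": headers.get("User-Agent", ""),
        "mine": ip in MY_OWN_ADDRS,   # your own test opens are not intrusions
    }


def suspicious_hits(records):
    """The hits worth acting on: real beacon requests not from your own IPs."""
    return [r for r in records if r and not r["mine"]]


class BeaconHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        rec = record_hit(self.client_address[0], self.path, self.headers)
        if rec is None:
            self.send_error(404)
            return
        with open("tripwire.log", "a") as f:
            f.write(json.dumps(rec) + "\n")
        self.send_response(200)
        self.send_header("Cache-Control", "no-store")   # count every open, not just the first
        if rec["kind"] == "js":
            self.send_header("Content-Type", "application/javascript")
            self.end_headers()
            self.wfile.write(b"/* tripwire */")
        else:
            self.send_header("Content-Type", "image/gif")
            self.end_headers()
            self.wfile.write(PIXEL_GIF)

    def log_message(self, *args):   # the JSON log file is the record; keep stdout quiet
        pass


if __name__ == "__main__":
    with open("passwordlist.htm", "w") as f:
        f.write(make_bait_html(f"https://{BEACON_HOST}{BEACON_PATH}"))
    print("bait written to passwordlist.htm; serving beacon at", BEACON_PATH)
    HTTPServer(("0.0.0.0", 8080), BeaconHandler).serve_forever()
```

Run it once on a host you control (behind TLS in practice), mail the generated passwordlist.htm to the mailbox you want to monitor, and read tripwire.log. The Cache-Control: no-store header stops a browser from satisfying a second open from its cache, so repeat visits are counted rather than just the first; the js and img query parameters tell you whether the viewer executed script or only fetched the image.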


So how does having this information help you? First, it tells you the account has been compromised, so you can change your password to something stronger (and, on Gmail, sign out any other active sessions via the "Details" link at the bottom of the page, since changing the password alone does not end a session the snooper already has open). Second, if you see the snooper's location and you only know one or two people there, it narrows down your list of potential suspects. Bear the limits in mind, though: the trap only fires if the snooper renders the attachment in a browser with remote content enabled rather than reading it in a text editor, and an intruder working through a proxy or anonymiser will show you its address rather than their own.

By the way, I recommended OneStat because the author of the original idea mentioned them. If you know of other hit-counter services that send the tracking script to your email address, please mention them in the comments. I have no financial interest in recommending OneStat, so I am perfectly happy to consider alternatives.


66 Comments


Syahid A.

Very nice use of onestat Mark. I will definitely try this on my email account.

erik is a twit

Too bad the DEFAULT for ALL clients and webmail alike is to NOT SHOW IMAGES.

email security = encryption

Don’t want someone reading your email? Use a secure environment, and follow security best practices.

All web servers default to logging referer information. Do it yourself if you must, keeping in mind it's a waste of time given how images are NOT loaded by default in email.

Email from one sender to another is not a one-step process. It can be intercepted at any one of the stops, and more likely so if one of the stops is via an AT&T router since they've whored themselves out, along with Google, to the NSA.


TechSilo

Wow! Very nice tips! I never realized people can hack our email so easily, and honestly I don't care about it. Since I'm using Gmail, I think it's 100% safe. We trust Google, don't we? I'll definitely try this out. Hope One Stat doesn't get hacked later on.. ;-)

Jordan

I’m sorry, but most things are not 100% safe, GMail included.
For example, if you’re not using a secure connection to GMail, and you’re on the same network that I am, then I would be able to sniff your traffic, copy your cookies and log right into your account, no password needed. I would not know your password, but I would have full access to your account. Please don’t assume you’re 100% safe.

kunal

But after getting the IP, how can one know the password???
Please help

Tara Kelly (PassPack)

@TechSilo

Yeah, unfortunately, like the article mentioned, people are using Gmail to store their passwords. This is a good trick to figure out if someone manages to get in … but it's probably just better NOT to store sensitive info in there in the first place.

At least for passwords, there are tools out there built to protect them properly.

Why you need a password manager.

Cheers,
Tara

RandomReader

Nicely plugged your own site there!

Passpack Client

Passpack was actually recommended by a friend and private investor. I tried it and had some problems with the site. I’ve sent in at least 4 tickets to the “customer support” and never heard a peep. Nice concept, poor execution.


Jack

Correct URL for OneStat free hit counter should be:

http://www.onestatfree.com/

Aibek

Changed !
Thank you


robojiannis

one way to secure your emails is Pretty Good Privacy. You can encrypt the mail you are sending and also put a signature on them.

No cracker will phish them on their way and your signature validates your identity.


Prakash

This is surely a great tip that everyone should try, I think. Thanks for sharing this new idea.


Peter

That seems like a lot of work. If you have any concerns that the account has been compromised why not just change the password and be done with it?

Mark O’Neill

Yeah but the whole point is that there is no way to know the account has been compromised. This method alerts you that the account has indeed been compromised.

RandomReader

In Gmail, changing the password might not solve the problem. If someone has already hacked your account and has an open session, and you change the password on your computer, the other one won't be kicked out of your account. Its current session will remain active and access to email unhindered.

I tried, and that’s true from my experience.

yugun

you can logout all other sessions by clicking ‘details’ link at the bottom of the gmail page.


marc

Sounds like a good idea, I have to try this out!


Justin Shattuck

Mark:

Although this may function to reveal someone snooping your inbox; it is not going to catch someone who is definitely intelligent enough not to be caught. To be completely honest, especially as an individual with a background in security; it would not be executed. The file would be edited initially through vi, notepad, or any other text-based editor to reveal its contents prior to any execution.

This prevents people from having things exposed. However, using this psychology against hackers is entertaining because it is the same psychology that is used against their targets and victims.

Decent write-up but I don’t think it is going to stop anyone from doing anything; especially if they know what they’re doing.

Mark O’Neill

Oh I never said it was foolproof. I for one wouldn’t fall for it. But there’s a lot of stupid people out there that would click on the attachment. So there’s no harm in trying it and seeing who you snare with it.

Anonymous Coward

I believe the harm is an implied, yet false, sense of security.
Since you speak of “a lot of stupid people” on the bad side of the fence, you may want to preface your article with some notes about the flaws in your implementation to keep the “stupid people” on the friendly side of the fence from lapsing into a false sense of security and thinking they haven’t been compromised when they actually have.
I place “stupid” in quotes because I am reusing the term, not intending it for the actual meaning it implies.

Your idea is novel but I would recommend emphasizing 3 things a bit more:
– Password security in the first place (good password practices)
– For the article to work two HUGE assumptions are being made:
  – The person who has succeeded in logging in is going to find the bait
  – This person is going to bite the bait and open the attachment in a browser, which assumes:
    – This person thinks the victim is silly enough to have a password list e-mailed to himself when most e-mail traffic is plaintext and insecure in the first place.
    – This person is silly enough himself/herself to open an html attachment in a browser as opposed to vi, notepad or your editor of choice, as mentioned by Justin. Most e-mail programs don't deliberately disable the loading of images and external scripts from HTML e-mail for fun.


Jack Sparrow

Sometimes I get into my ex-girlfriend's mail account to read her emails. I didn't hack it, I have always known the password because I created the account and she never thought to change the password even after our breakup.
I read it then I always mark the email as unread.
Yeah I'm a bastard but I can't get over her.
http://www.spymac.com/details/?2146727


marsteel

if the hacker blocks his pc’s outbound connection to onestatfree.com?


Eric

Like Justin said, this doesn’t seem to be helpful against hackers…

Rather, IMHO, I think this is better suited for catching your roommate/spouse/siblings/parents checking your e-mail rather than expecting to catch a hacker.

I know you say it's not meant to be foolproof, Mark, but it still gives false hope… and false hope that your account has not been taken over is the very thing your system is supposed to fix =P.


Stolen

Looks like the original article was written by Erik Larkin at Network World:
http://www.networkworld.com/news/2007/072607-set-a-hacker-alarm-on.html?zb&rc=sec_services


Jeroen

Or use an embedded counter image on a separate website as a counter. And send a normal HTML mail without any attachment that might not be opened. And hope the email gets opened with auto-download of web images on.


Steve

This is pretty lame. You have to check *every single day* just on the off chance that someone has not only hacked your account, but taken the bait. That's a lot of negatives, and probably some false negatives. It seems to rely on someone being smart enough to figure out your password, but dumb enough to think that your "passwordlist" is going to be stored on some external site with no password. Uh…

I can think of security measures that would work (eg, an innocuous looking image or something that you must click within 5 seconds of logging in or trigger a password-changing alert), but they’d have to be built into the email software.

Steve


Markus Diersbock

This would never work.

A savvy techie would open an unknown html doc in a text editor first.


Ben Metcalfe

It's a nice and elegant method, but as mentioned above has holes and weaknesses.

I think it just supports the point that if your email box is at all sensitive (passwords, accounts, etc) you should be changing your password once a month at the very least.

Ben


hedgie

Another thing you can do, especially if you are using Gmail, is go into the .txt file, search for "fraud click" and change it to something else (because in the Gmail message, and if you open the html file in Gmail, it shows the alt text and link text in the message summary). There are two instances of "fraud click" in the script.


Justin Shattuck

This is all ultimately worthless. The real issue, if your email service is compromised, comes down to good old user prevention. Create strong passwords, change modestly strong passwords (less than 7 characters) regularly. Do not save passwords in your browser, text files, or on Post-it notes under your mouse pad!

Scan regularly, keep your computer tidy — fundamental elements that should all be followed prior to even feeling safe on a computer. Prevention is key to successfully maintaining your identity, online or off-line.

Stay ahead; be proactive!


Roman Geyzer

Although I haven't personally used this service, there are only two "effective" ways to count a hit on an email. The first is if a small image, usually a 1×1 pixel image, is embedded in the page and is hosted by the counter service website OR for there to be a script that is fired off when the page is opened… again, hosted from the counter service website. The trouble is that most email browsers have a "click here to download images". Only if the user grants permission to download images will anything besides cleartext be displayed, rendering the hit counter inoperable. A smart hacker would not likely click to download images. But your roommate – you'd probably catch them without much trouble :-)


Jordan

For GMail users it would be better to embed the counter HTML/image or whatever, directly into an e-mail so it is opened when the e-mail is viewed. GMail users will have to click “Always Display Images for xxx@xxx.com” to ensure that it will be accessed. People with their own domains can set up their own snazzy traps, to avoid using third-party stuff. For example Apache with MultiViews enabled in the .htaccess will allow such a thing as tracker.gif.php that will be accessible as tracker.gif, when accessed you could write the data to a log file, or send an e-mail to your phone. Snazzy indeed.

I’m gonna go make my own right this second.


terry xu

Great idea.

I've just tried it out. Hope nobody has stolen my gmail account. It's terrible.


Brad

PC World had something on this a while ago; I subscribe to it.


chris

great! i just did this.


mark

haha, very nice trap!


kualla

This is exactly the one security feature I wish google had (but my idea was slightly different)…

Knowing a lot about web security vulnerabilities, this has always made me very leery about using email anywhere but my own home, and even then a bit worried someone could attempt to hack or crack into my account.

My idea for Google email, which I DID recommend to them, is that they simply put a last login time or last accessed time. Simple yet very effective, but until then this method will have to do and is a great idea. The only downside of my method is that if a Google employee were to log into your email account and snoop around they could simply reset the last login time back. So in a way this is more secure against Google, but then again Google could simply download your email as a text-only file and prevent the HTML from being loaded.


dave

Why doesn’t gmail just show the IP/ISP and time of the last login. If it’s not your IP or at the wrong time you’ve been hacked. Some linux distros already show this info when you login via terminal.

The only way round this is for the hacker to access the account from your connection at the same time you do. Not many hackers will go to these lengths.


Sangesh

I will try these suggestions. Thanks for this.


kaushik

How about being a little alert so that your account doesn't get hacked in the first place?

If your account is hacked, 99% of the time you are at fault.


Shanti Braford

Nice tip =)

I’ll have to try this one.


Larry Lizzard

@Dave

My online bank account does the same. It shows the last time you logged in and the IP address.

I have submitted feedback to Gmail through their Help > Feedback. If everyone reading this, does the same, Gmail should pick it up soon I hope.

A friend of my wife had the same problem with an ex-lover stalking her. He had placed a keylogger program. That friend is blonde, so she didn't know how to remove it ;-) This guy went quite crazy, even stalking her father etc.


Steven

Would never work if the guy has half a brain… Why would you execute a file called passwords.htm? No one stores their passwords in an HTML file, if you’re that new where your passwords are stored in a single file; you probably don’t know how to create an HTML file.

The best way to protect your email account is good and simple; change the password often, and check your settings… make sure no one setup all your messages to be forwarded somewhere else.


Ianf

How is that an “electronic tripwire”?

For starters, the indicated method doesn't tell you IF your email account has been hacked UNLESS this "honeypot-sounding" file is accessed online; a dedicated "cracker" (not "hacker") would surely download it to the desktop and inspect it first offline. Clearly, it assumes that all crackers are utter morons, unable to see through such a gee-advanced plot as this one of yours.

There are social engineering and technological methods to detect mail intrusion without giving the game away, but nowhere near this simplistic, and this is not the forum to disclose them, thus educating wannabe-crackers.


Argo

I store my password on passpack.com PassPack. It is a great solution, in my opinion. I love 1click auto-login


ldenoyer

Will this trick tell me if FISA is reading my mail?


John

Here are two freeware programs that can also protect your email and all your passwords.

PointCrypt can be used to quickly encrypt any emails you send between other people you know. You only have to make two clicks to encrypt and decrypt the email contents. Strong BlowFish 64 encryption.

http://shareware.pcmag.com/product.php%5Bid%5D91868%5Bcid%5D253%5BSiteID%5Dpcmag

Screen Saver Override has several features within; one allows you to type in a simple password that you can always remember, then highlight it, and then press a function key (F8, etc). The password will be converted to a complex string from 8 to 32 characters long (you choose the length). This hard password then replaces the simple password, whereupon you can simply hit enter.

http://shareware.pcmag.com/product.php%5Bid%5D91932%5BSiteID%5Dpcmag

Also can search: Gulf Coastal Software
at: http://www.simtel.net


Gary

A far superior method is to use http://linkblip.com/
Free, automatic email notification.
Hide the linkblip url using another url shortening service eg. snurl.com if you want.

wantadance.blogspot.com


Thomas Paine

http://www.gnupg.org

If you're going to use any e-mail program… encrypt everything.
Especially if you're going to use a "free" e-mail such as Google's Gmail.
These people think they can snoop your mail and create a database on even the mundane contents.

They do this for marketing profits and to try to “make you a better webuser/consumer”. Their aim is to change how you use the web and what you see and find easily.

I say encrypt everything! Today no one should be communicating without using free public key encryption!


perx

Hello, nice blog you've got here… really interesting software and stuff.
Could you tell me the code for those big Digg and Twit, etc. buttons at the end of every one of your posts… I mean it's really cool… please can you tell me… pretty please…

Mark O’Neill

The Twitter one is from twitthis.com . The Digg one is from the Digg tools page – digg.com/tools/integrate . I’m not sure about the others. I will ask Aibek and get back to you.


Florian Wiessner

this will not work unless the guy reading your mail is a dumb-ass….

Real identity thieves don't use MS crapware and won't let you get a hint of where they logged in from, and if they do, they are using proxies or anonymizers…

kind regards,

mrjack


Duvar Kagidi

Is it available in French? My English is not good.


email marketing elite

February 14th, 2006 at 9:53 am Feedblitz seemed to be the best I could find (feedburner integration is a bonus). With the paid version I don't get the heavy orange branding Mike speaks of, but I've always wanted more in relation to the frequency. I want a console that allows me to do scheduling. More importantly, I want to check off which articles to include in the mailout. Email fatigue sets in quickly and blasting off every single post is a sure-fire way to keep your churn rate high. The other question…


Hami

I don't believe in email hacking…! Unless you give your password to somebody…


Davi

I don't normally keep important stuff in my email. Email hacking seems to be a common thing nowadays. You see millions of sites being flooded on forums; they claim to get a password for 100 USD.. I wonder if it is true… Hami, I never used to believe in email hacking until it happened to my girlfriend.

A guy hacked into her account and sent people nasty emails.

Its sad…


Hami

Haha, that's very true… why do such big companies not have a time stamp… that definitely will help!


Thierry

Dear Mark,

Nice review on Onestat function.

but does it work if we ourselves click in rather than the hackers, just to test it?

I've tried it according to what you've suggested, step by step,

and I've tried clicking it on my own, and found out that One Stat didn't make any hit records,

or am i missing something here?


Justin

It's amazing how much people depend on their email each and every day. I would recommend keeping multiple email accounts and splitting up your important details/communications. Keep a strong password, and remember to never give your password out!! This will prevent script kiddies and not-so-knowledgeable hackers from obtaining your email password.

Justin


Dave

This is an interesting way, but if people are consistent enough to check that everyday, they might as well use that energy on keeping their password safe in the first place.


Nan

Is it illegal to send this email to someone to find out what their IP address is to compare if that’s the person that has been in your email account?


Nan

I meant to say: Is it illegal to send this email to someone to find out what their IP address is, to compare whether that's the person that has been in your email account?


Bakz

Simple app for local encryption of your emails and IM: flexcrypt.com

Works with all email clients. Free.


margaret

lol, I love it, thanks, I really needed this info. Definitely trying it..


kunal

Hey, that was too good.
But from the IP address how can we get the password of that person??????
Please help…


Encryption Software

Like most people, my email is usually petty, personal stuff. For example, I would not be the least bit hurt if someone read the latest email I sent to my brother, which included a list of potential skis to ride on this winter. Most email is irrelevant and petty interchange. However, I would not be so foolish as to send any valuable passwords and usernames over an open connection, even one as seemingly popular as Google. I would definitely encrypt the contents first so only the end user with the right encryption key could open it (and I would tell them the encryption key on the phone or some other secure line; NOT in the email).
