In the interests of full disclosure, I didn’t come up with this idea. I read about it in a computer magazine a year or two back but of course when I wanted to refer to it for this article, I couldn’t find it! But someone on Digg eventually managed to find it so here is the original article if you want to see it.
As email providers give away more and more storage space, more and more personal information is being stored in those accounts. People are increasingly using their email accounts for more than just email - it has become their online document storage area with backup documents such as passwords, bank account numbers, account usernames, scans of correspondence and much more. Even if you don’t use your email for this purpose, you may still be inadvertently revealing personal information in general conversation emails to family and close friends. A 6GB Gmail account or an unlimited space Yahoo account is potentially an information bonanza for identity thieves who manage to figure out your email password and then go snooping.
But if someone HAS cracked your email password, it may not be apparent to you. A snooper can easily read an email then mark it as unread again. So the best thing to do would be to set up an “electronic tripwire” so if someone breaks into your account, you’ll know about it.
Here’s how to do it:
2. You will then receive a welcome email from OneStat with a text attachment called OneStatScript.txt. Download this attachment to your computer and then delete the email (you don’t want any email snoopers finding it later). But before deleting the email, write down your OneStat account number as you will need it later.
3. Change the name of the text document to something that will make the email snooper salivate such as passwordlist. Also change the file format from a text document to a website page. So make it something like passwordlist.htm .
4. Email this newly-renamed file as an attachment to the email account you want to monitor. Make sure the email subject also lures the snooper in (maybe something like List of Passwords). You get the idea :)
5. The trap is now set. Basically, if someone opens the email and opens the attachment, OneStat will record a hit. If you then log into your OneStat account, say, once a day, you will see how many hits you have had to your attachment.

The OneStat account page then gives you details on each “visitor” including the date and time they accessed the web document and more importantly their location and IP address!

So how does having this information help you? Well first of all, it will alert you to change your password to something stronger. Secondly, if you see the snooper’s location and you only know one or two people there then it narrows down your list of potential suspects.
By the way, I recommended signing up for OneStat because the author of the original idea mentioned them. But if you know of any other hit counter services that send text documents to your email address, then please mention them in the comments. I don’t have any financial advantage recommending OneStat so I am perfectly happy to consider alternative companies.
(By) Mark O’Neill is a blogger, writer and English tutor. Check out his blog at BetterThanTherapy.net
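A self-hosted variant of the tripwire, as an added example that is not part of the original article or of OneStat's service: if the bait references a small image on a web server you control, the access log holds the same date, time and IP details the OneStat page shows. The beacon path, owner network and log lines are constructed assumptions for illustration.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# All values below are assumptions for illustration, not from the article.
CANARY_PATH = "/img/passwordlist.gif"             # hypothetical beacon URL path
OWNER_NETWORKS = [ip_network("198.51.100.0/24")]  # networks you read mail from
PROXY_AGENTS = ("GoogleImageProxy",)              # webmail image proxy user agents

# Apache/nginx "combined" log format; referer and agent are optional ("common").
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<target>\S+)[^"]*" '
    r'\d{3} \S+(?: "[^"]*" "(?P<agent>[^"]*)")?'
)

# Constructed sample log (documentation IP ranges, invented timestamps).
SAMPLE_LOG = """\
198.51.100.7 - - [02/Mar/2024:09:12:01 +0000] "GET /img/passwordlist.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0 (owner test)"
203.0.113.45 - - [03/Mar/2024:02:41:17 +0000] "GET /img/passwordlist.gif?x=1 HTTP/1.1" 200 43 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"
203.0.113.45 - - [03/Mar/2024:02:41:19 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"
192.0.2.10 - - [03/Mar/2024:03:05:44 +0000] "GET /img/passwordlist.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0 (via ggpht.com GoogleImageProxy)"
this line is truncated garbage
203.0.113.45 - - [04/Mar/2024:23:58:02 +0000] "GET /img/passwordlist.gif HTTP/1.1" 200 43 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"
"""


def parse_hits(log_text):
    """Return beacon requests that did not come from the owner's own networks."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or truncated line
        if urlsplit(m["target"]).path != CANARY_PATH:
            continue  # some other resource; the query string is ignored
        try:
            ip = ip_address(m["ip"])
            when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue
        if any(ip in net for net in OWNER_NETWORKS):
            continue  # your own test opens are not alerts
        agent = m["agent"] or ""
        hits.append({
            "ip": str(ip),
            "when": when,
            "agent": agent,
            # If a webmail proxy fetched the image, the IP is the provider's,
            # not the reader's: still an alert, but useless for location.
            "via_proxy": any(p in agent for p in PROXY_AGENTS),
        })
    return hits


def summarize(hits):
    """Group hits per source IP with count and first/last time seen."""
    by_ip = {}
    for h in hits:
        s = by_ip.setdefault(h["ip"], {"count": 0, "first": h["when"],
                                       "last": h["when"], "via_proxy": h["via_proxy"]})
        s["count"] += 1
        s["first"] = min(s["first"], h["when"])
        s["last"] = max(s["last"], h["when"])
    return by_ip


if __name__ == "__main__":
    for ip, s in summarize(parse_hits(SAMPLE_LOG)).items():
        note = " (image proxy, IP is not the reader's)" if s["via_proxy"] else ""
        print(f"{ip}: {s['count']} hit(s), first {s['first'].isoformat()}{note}")
```

Any hit outside your own networks means the bait was opened; treat it as the cue to change the password, whatever the IP turns out to be.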
Very nice use of onestat Mark. I will definitely try this on my email account.
Too bad the DEFAULT for ALL clients and webmail alike is to NOT SHOW IMAGES.
email security = encryption
Don’t want someone reading your email? Use a secure environment, and follow security best practices.
All web servers default to logging referer information. Do it yourself if you must.. keeping in mind it’s a waste of time given how images are NOT loaded by default in email.
Email from one sender to another is not a one step process. It can be intercepted on any one of the stops, and more likely so if one of the stops is via an AT&T router since they’re ****d themselves out, along with google, to the NSA.
Wow! Very nice tips! I never realized people can hack our email easily, and honestly I don’t care about it. Since I’m using Gmail, I think it’s 100% safe. We trust Google, do we? I’ll definitely try this out. Hope One Stat doesn’t get hacked later on..
I’m sorry, but most things are not 100% safe, GMail included.
For example, if you’re not using a secure connection to GMail, and you’re on the same network that I am, then I would be able to sniff your traffic, copy your cookies and log right into your account, no password needed. I would not know your password, but I would have full access to your account. Please don’t assume you’re 100% safe.
@TechSilo
Yeah, unfortunately like the article mentioned, people are using Gmail to store their passwords. This is a good trick to figure out if someone manages to get in … but it’s probably just better NOT to store sensitive info in there in the first place.
At least for passwords, there are tools out there built to protect them properly.
Why you need a password manager.
Cheers,
Tara
Nicely plugged your own site there!
Correct URL for OneStat free hit counter should be:
http://www.onestatfree.com/
Changed !
Thank you
one way to secure your emails is Pretty Good Privacy. You can encrypt the mail you are sending and also put a signature on them.
No cracker will phish them on their way and your signature validates your identity.
This is surely a great piece of tips that everyone should try, I think. Thanks for sharing this new idea.
That seems like a lot of work. If you have any concerns that the account has been compromised why not just change the password and be done with it?
Yeah but the whole point is that there is no way to know the account has been compromised. This method alerts you that the account has indeed been compromised.
In Gmail, changing the password might not solve the problem. If someone has already hacked your account and has an open session, and you change the password on your computer, the other one won’t be kicked out of your account. Its current session will remain active and access to email unhindered.
I tried, and that’s true from my experience.
Sounds like a good idea, I have to try this out!
Mark:
Although this may function to reveal someone snooping your inbox; it is not going to catch someone who is definitely intelligent enough not to be caught. To be completely honest, especially as an individual with a background in security; it would not be executed. The file would be edited initially through vi, notepad, or any other text-based editor to reveal its contents prior to any execution.
This prevents people from having things exposed. However, using this psychology against hackers is entertaining because it is the same psychology that is used against their targets and victims.
Decent write-up but I don’t think it is going to stop anyone from doing anything; especially if they know what they’re doing.
Oh I never said it was foolproof. I for one wouldn’t fall for it. But there’s a lot of stupid people out there that would click on the attachment. So there’s no harm in trying it and seeing who you snare with it.
I believe the harm is an implied, yet false, sense of security.
Since you speak of “a lot of stupid people” on the bad side of the fence, you may want to preface your article with some notes about the flaws in your implementation to keep the “stupid people” on the friendly side of the fence from lapsing into a false sense of security and thinking they haven’t been compromised when they actually have.
I place “stupid” in quotes because I am reusing the term, not intending it for the actual meaning it implies.
Your idea is novel but I would recommend emphasizing 3 things a bit more:
- Password security in the first place (good password practices)
- For the article to work two HUGE assumptions are being made:
- The person who has succeeded in logging in is going to find the bait
- This person is going to bite the bait and open the attachment in a browser, which assumes:
- This person thinks the victim is silly enough to have a password list e-mailed to himself when most e-mail traffic is plaintext and insecure in the first place.
- This person is silly enough himself/herself to open an html attachment in a browser as opposed to vi, notepad or your editor of choice as mentioned by Justin. Most e-mail programs don’t deliberately disable the loading of images and external scripts from HTML e-mail for fun.
Like Justin said, this doesn’t seem to be helpful against hackers…
Rather, IMHO, I think this is better suited for catching your roommate/spouse/siblings/parents checking your e-mail rather than expecting to catch a hacker.
I know you say it’s not meant to be foolproof, Mark, but it still gives false hope… and false hope that your account has not been taken over is the very thing your system is supposed to fix =P.
Looks like the original article was written by Erik Larkin at Network World:
http://www.networkworld.com/news/2007/072607-set-a-hacker-alarm-on.html?zb&rc=sec_services
Or use an embedded counter image on a separate website as a counter. And save a normal HTML mail without any attachment that might not be opened. And hope the email gets opened with auto download www images on.
This is pretty lame. You have to check *every single day* just on the offchance that someone has not only hacked your account, but taken the bait. That’s a lot of negatives, and probably some false negatives. It seems to rely on someone being smart enough to figure out your password, but dumb enough to think that your “passwordlist” is going to be stored on some external site with no password. Uh…
I can think of security measures that would work (eg, an innocuous looking image or something that you must click within 5 seconds of logging in or trigger a password-changing alert), but they’d have to be built into the email software.
Steve
This would never work.
A savvy techie would open an unknown html doc in a text editor first.
It’s a nice and elegant method, but as mentioned above has holes and weaknesses.
I think it just supports the point that if your email box is at all sensitive (passwords, accounts, etc) you should be changing your password once a month at the very least.
Ben
Another thing you can do, especially if you are using Gmail, is go into the .txt file, search for “fraud click” and change it to something else (because in the gmail message and if you open the html file in gmail it shows the alt text and link text in the message summary). (There are two instances of “fraud click” in the script.)
This is all ultimately worthless. The real issue; if your email service is compromised comes down to good old user-prevention. Create strong passwords, change modestly strong passwords (less than 7 characters,) regularly. Do not save passwords in your browser, text files, or on post it notes under your mouse pad!
Scan regularly, keep your computer tidy — fundamental elements that should all be followed prior to even feeling safe on a computer. Prevention is key to successfully maintaining your identity, online or off-line.
Stay ahead; be proactive!
Sometimes I get into my ex-girlfriend´s mail account to read her emails, I didn’t hack it, I have always known the password because I created the account and she never thought to change the password even after our breakup.
I read it then I always mark the email as unread.
Yeah I´m a bastard but I cant get over her.
http://www.spymac.com/details/?2146727
Although I haven’t personally used this service, there are only two “effective” ways to count a hit on an email. The first is if a small image, usually a 1×1 pixel image, is embedded in the page and is hosted by the counter service website OR for there to be a script that is fired off when the page is opened…again, hosted from the counter service website. The trouble is that most email browsers have a “click here to download images”. Only if the user grants permissions to download images will anything besides cleartext be displayed, rendering the hit-counter inoperable. A smart hacker would not likely click to download images. But your roommate - you’d probably catch them without much trouble.
For GMail users it would be better to embed the counter HTML/image or whatever, directly into an e-mail so it is opened when the e-mail is viewed. GMail users will have to click “Always Display Images for xxx@xxx.com” to ensure that it will be accessed. People with their own domains can set up their own snazzy traps, to avoid using third-party stuff. For example Apache with MultiViews enabled in the .htaccess will allow such a thing as tracker.gif.php that will be accessible as tracker.gif, when accessed you could write the data to a log file, or send an e-mail to your phone. Snazzy indeed.
I’m gonna go make my own right this second.
Great idea.
I’ve just tried it out. Hope nobody has stolen my Gmail account. It’s terrible.
PC World had something on this a while ago; I subscribe to it.
great! i just did this.
if the hacker blocks his pc’s outbound connection to http://www.onestatfree.com?
haha, very nice trap!
This is exactly the one security feature I wish google had (but my idea was slightly different)…
Knowing a lot about web security vulnerabilities this has always made me very leery about using email anywhere but my own home and even then a bit worried someone could attempt to hack or crack into my account.
My idea for Google email which I DID recommend to them is that they simply put a last login time or last accessed time. Simple yet very effective but until then this method will have to do and is a great idea. Only one downside about my method is that if a Google employee were to log into your email account and snoop around they could simply reset the last login time back. So in a way this is more secure against Google but then again Google could simply download your email as a text only file and circumvent the HTML from being loaded
Why doesn’t gmail just show the IP/ISP and time of the last login. If it’s not your IP or at the wrong time you’ve been hacked. Some linux distros already show this info when you login via terminal.
The only way round this is for the hacker to access the account from your connection at the same time you do. Not many hackers will go to these lengths.
I will try these suggestions. Thanks for this.
How about being a little alert so that your account doesn’t get hacked in the first place?
If your account is hacked, 99% of the time you are at fault.
Nice tip =)
I’ll have to try this one.
@Dave
My online bank account does the same. It shows the last time you logged in and the IP address.
I have submitted feedback to Gmail through their Help > Feedback. If everyone reading this, does the same, Gmail should pick it up soon I hope.
A friend of my wife had the same problem with an ex-lover stalking her. He had placed a key logger program. That friend is blond, so she didn’t know how to remove it.
This guy went quite crazy, even stalking her father etc.
Would never work if the guy has half a brain… Why would you execute a file called passwords.htm? No one stores their passwords in an HTML file, if you’re that new where your passwords are stored in a single file; you probably don’t know how to create an HTML file.
The best way to protect your email account is good and simple; change the password often, and check your settings… make sure no one setup all your messages to be forwarded somewhere else.
How is that an electronic tripwire?
For starters, the indicated method doesn’t tell you IF your email account has been hacked UNLESS this honeypot-sounding file is accessed online; a dedicated cracker (not hacker) would surely download it to desktop/ inspect first offline. Clearly, it assumes that all crackers are utter morons, unable to see through such gee-advanced plot, such as this one of yours.
There are social engineering and technological methods to detect mail intrusion without giving the game away, but nowhere near this simplistic, and this is not the forum to disclose them, thus educating wannabe-crackers.
I store my password on PassPack. It is a great solution, in my opinion. I love 1click auto-login
Will this trick tell me if FISA is reading my mail?
Here are two freeware programs that can also protect your email and all your passwords.
PointCrypt can be used to quickly encrypt any emails you send between other people you know. You only have to make two clicks to encrypt and decrypt the email contents. Strong BlowFish 64 encryption.
http://shareware.pcmag.com/product.php%5Bid%5D91868%5Bcid%5D253%5BSiteID%5Dpcmag
Screen Saver Override has several features within, one allows for you to type in a simple password that you can always remember, then highlight it, and then press a function key (F8, etc). The password will be converted to a complex string from 8 to 32 characters long (you choose the length). This hard password then replaces the simple password where upon you can simply hit enter.
http://shareware.pcmag.com/product.php%5Bid%5D91932%5BSiteID%5Dpcmag
Also can search: Gulf Coastal Software
at: http://www.simtel.net
http://www.gnupg.org
If you’re going to use any e-mail program… encrypt everything.
Especially if you’re going to use a “free” e-mail such as google’s gmail.
These people think they can snoop your mail and create a database on even the mundane contents.
They do this for marketing profits and to try to “make you a better webuser/consumer”. Their aim is to change how you use the web and what you see and find easily.
I say encrypt everything! Today no one should be communicating without using free public key encryption!
A far superior method is to use http://linkblip.com/
Free, automatic email notification.
Hide the linkblip url using another url shortening service eg. snurl.com if you want.
http://wantadance.blogspot.com
hello, nice blog u got here……really interesting softwares and stuff
could you tell me the code of those big digg and twit,etc buttons at the end of ur every post….i mean its really cool….please can u tell me…pretty please….
The Twitter one is from http://www.twitthis.com . The Digg one is from the Digg tools page - http://digg.com/tools/integrate . I’m not sure about the others. I will ask Aibek and get back to you.
this will not work unless the guy reading your mail is a dumb-ass….
real identity thieves don’t use ms-crapware and won’t let you get a hint from where they logged in, and if they do, they are using proxies or anonymizers…
kind regards,
mrjack
Is it available in French? My English is not good.
I don’t believe in email hacking…! unless you give your password to somebody…
I don’t normally keep important stuff in my email. Email hacking seems to be a common thing nowadays. You see millions of sites being flooded on forums; they claim to get a password for 100 USD.. I wonder if it is true… Hami, I never used to believe in email hacking until it happened to my girlfriend.
A guy hacked into her account and sent people nasty emails.
It’s sad…
Can someone tell me why the big three (Yahoo, Hotmail, Gmail) just don’t time-stamp the last time your account was accessed!!!!???
Easy.. let’s say you didn’t log in yesterday.. and the timestamp says someone accessed your account…
at least you could change your passwords on all your accounts if you were ever breached.
Come on IT !!! Get with the program !
Haha, that’s very true… why don’t such big companies have a time stamp… that definitely will help!