Slashdot Mirror


How Much Is Your Gmail Account Worth To Crooks?

tsu doh nimh writes "If you use Gmail and have ever wondered how much your account might be worth to cyber thieves, have a look at Cloudsweeper, a new OAuth service launching this week that tries to price the value of your Gmail address based on the number of retail accounts you have tied to it and the current resale value of those accounts in the underground. From KrebsOnSecurity: 'The brainchild of researchers at the University of Illinois at Chicago, Cloudsweeper's account theft audit tool scans your inbox and presents a breakdown of how many accounts connected to that address an attacker could seize if he gained access to your Gmail. Cloudsweeper then tries to put an aggregate price tag on your inbox, a figure that's computed by totaling the resale value of other account credentials that crooks can steal if they hijack your email.'" A recent report from Kaspersky (PDF) also highlighted the trend toward phishing attempts targeting Facebook, Google, and Yahoo accounts alongside bank accounts.

80 comments

  1. Wait just a second by Russ1642 · · Score: 5, Insightful

    "You're at risk!!! Download this scanning tool now to determine your chances of getting pwned." Where have I seen this kind of language before?

    1. Re:Wait just a second by Dunbal · · Score: 0

      Yeah surprise surprise, scaremongering from a company that sells alleged "security".

      --
      Seven puppies were harmed during the making of this post.
    2. Re:Wait just a second by maliqua · · Score: 5, Funny

      the university of Illinois computer science department...?

    3. Re:Wait just a second by houghi · · Score: 4, Funny

      And not just downloading. You need to give them temporary access. I will do that right after securing my Visa Card.
      On their site they call it "Temporary Limited Access" and that is exactly what I tell the ladies. Nothing can happen, although one is slightly pregnant right now, but that is also just temporary.

      --
      Don't fight for your country, if your country does not fight for you.
    4. Re:Wait just a second by Anonymous Coward · · Score: 5, Funny

      the university of Illinois computer science department...?

      Well known scammers:

      Dear Friend I am Professor Joseph Otumba of the university of Illinois computer science department and I wish to speak to you on the most urgent matter of your gmail account....

    5. Re:Wait just a second by Technician · · Score: 1, Interesting

      I have an account set up just to troll scammers. I reply for all my Lottery Winnings, Inheritance, Money Transfer, etc. It's linked to all my fake bank accounts. I'm tempted to let them have temporary access to see what happens.. LOL. It has no connection to any RL account, but lots of links to security company accounts where they are holding several sets of Metal Trunk Boxes..

      --
      The truth shall set you free!
    6. Re:Wait just a second by Common+Joe · · Score: 1

      Pfff... Yeah, I know. Like I'd fall for that.

      Besides, if I really wanted to get a thorough analysis of my gmail account, I'd just post my username and password to Ask Slashdot. At least then, I know my personal information would be abused by professionals.

    7. Re:Wait just a second by cant_get_a_good_nick · · Score: 1

      Jokes aside, UIC has a pretty good computer graphics department. Dr DeFanti helped design the computer graphics model for Star Wars. The Death Star graphics? Yeah, that was him. He also helped develop the CAVE, one of the first immersive virtual reality environments.

  2. Great Idea!! by canadiannomad · · Score: 4, Insightful

    Now just let me hand over the keys to all my private mail to someone who will quickly be able to deduce how much it is worth.... /sarcasm>

    --
    Hmm, the humour and sarcasm seem to have been be lost on you.
    1. Re:Great Idea!! by Anonymous Coward · · Score: 0

      Damn, someone beat me to it:

      "Someone already has that username. Try another?"

  3. Zero by Anonymous Coward · · Score: 0

    I don't have one.

    1. Re:Zero by Shados · · Score: 1

      Do you manage all your accounts individually, or are they forwards? If the latter, someone would only need the master account to reset passwords all over the place. Of course, a lot of more critical sites won't let you reset passwords that easily, but many do, and unless you're living in a vacuum, you probably have accounts on those too.

    2. Re:Zero by magic+maverick+ · · Score: 0

      Yeah, they all forward to my main account. But my main account is on a different domain, and so is not immediately obvious (one reason for having throwaway accounts, and not solved by all the fanbois going, "but you just go isuckgooglescock+slashdot.org@gmail.com", which easily gets isuckgooglescock@gmail.com).

      And, in reality, I suspect there are a maximum of five (a quick count gives three, I may have missed one or two) 'accounts' that have been given a disposable address that would matter (i.e. I might lose some money or something else of value) if someone else had control over the address. There are another four or so that matter at the moment (related to some travel I'm going to be taking), but won't in a few months time.

      That's out of the more than 150 uses I've recorded.

      --
      HELP MY ACCOUNT HAS BEEN HACKED BY AN ILLIBERAL ART STUDENT SET TO DESTROY THE INTERWEBZ!
    3. Re:Zero by commodore73 · · Score: 1

      I do the same thing, but more like company@mypersonaldomain.com. I don't think that most companies sell or give away my email addresses, but they give lists to their MARKETING PARTNERS, which certainly do pass them on, or get hacked. I found this out by checking the to lines in spam and seeing united (airlines) and a CMS vendor. I also saw something from a company mailed to the email address associated with one of its competitors; from talking to people I found that a marketing person left the second and apparently took a contact list to their new job at the first. It is a very worthwhile thing to do.

    4. Re:Zero by commodore73 · · Score: 1

      What about when you need to send a message, do you create a real email account for the organization then, or use a real account? I tend to use a real existing account when working with real people.

    5. Re:Zero by commodore73 · · Score: 1

      Another issue is that setting up a catchall/default increases spam. I get spam at addresses on my domain that I certainly never used; spammers seem to guess/make them up.

    6. Re:Zero by commodore73 · · Score: 1

      And another benefit - when you find an email address being used for spam, you can disable it, or worse.

    7. Re:Zero by magic+maverick+ · · Score: 1

      SMTP is amazing, you can send an email from any email address. So, if my main email address is magic@maverick.com, and I'm having commercial mail sent to the domain manic.com, I just use the feature of my email client to make the send from address slashdot.org@manic.com (or whatever). And the way it's set up, all the fancy anti-spam measures (DomainKeys or whatever) still work!

      Real people (who aren't working for an org) get my main email address (magic@maverick.com). On forms I write stuff like blahblah@manic.com or noreply@manic.com or even aiirapk2@manic.com. Or whatever. And I can then use those to communicate with people at whichever org it is.

      Cool bananas.

      --
      HELP MY ACCOUNT HAS BEEN HACKED BY AN ILLIBERAL ART STUDENT SET TO DESTROY THE INTERWEBZ!
    8. Re:Zero by Anonymous Coward · · Score: 0

      I don't have one.

      Yep like wise dont got one aint never gunna get one either so like SFA is the value dumb dickshit.

  4. more worried about google using my gmail account by Anonymous Coward · · Score: 1

    Got locked out of that account and they basically want everything related to my identity to get it back (identity theft in order to return my identity) and now what, that's all my personal stuff that Google has access to, and I don't.

  5. So... how much is it worth? by astro128 · · Score: 1

    Sorry it's 5pm on the east coast and time to go home so I didn't RTFA - anyone care to just give me the bottom line?

    1. Re:So... how much is it worth? by djsmiley · · Score: 3, Insightful

      please let us have access to all your email and search through it to tell you how much a random person would like to have access to all your email and search through it...

      --
      - http://www.milkme.co.uk
    2. Re:So... how much is it worth? by Anonymous Coward · · Score: 2, Interesting

      anyone care to just give me the bottom line?

      Sure: you're definitely lazy and likely obese.

      You're welcome.

    3. Re:So... how much is it worth? by UltraZelda64 · · Score: 1

      Somewhere between $2.05 and $2.12.

  6. Requires third-party access to your accounts by Anonymous Coward · · Score: 0

    Who's gaining access to your GMail account again?

  7. How much of my data... by MaxDollarCash · · Score: 1

    ...will they be storing to mine?

    1. Re:How much of my data... by game+kid · · Score: 1, Funny

      As much as you gave Facebook for your Slashdot account?

      --
      You can hold down the "B" button for continuous firing.
    2. Re:How much of my data... by MaxDollarCash · · Score: 1

      Nothing you mean :) Fb is fake

  8. People Who Bought... by Anonymous Coward · · Score: 3, Funny

    People who bought "$5,000 offshore banking money transfer" also bought:

    1. Krugerrands
    2. The Complete Book of Money-Laundering
    3. $1,000 Amazon Gift Cards
    4. $4,600 Donation to 2012 Obama for America Campaign
  9. Fed up. by Anonymous Coward · · Score: 0

    I can't wait till everything implodes and all we have to worry about again is how and what we are going to eat.

    1. Re:Fed up. by Anonymous Coward · · Score: 0

      I can't wait till everything implodes and all we have to worry about again is how and what we are going to eat.

      Yes, because wondering where your next meal is going to come from is really so much fun! Everyone in that situation agrees.

  10. Zero by magic+maverick+ · · Score: 1, Insightful

    My Gmail account is not worth anything. Mainly because I never tied it to anything else, and I forgot the password years ago. Whoops. I don't like the Gmail interface, let alone the tied to Google aspect.

    But if you could get a hold of my main email account... Actually, I still have no (or very few) other accounts tied to it. That's 'cause I give every service and website a different email address (slashdot.org.2013.06.26@example.org). So far I haven't discovered anyone specifically having sold or lost my email address, but I'm sure it's a matter of time.

    What's the specifying Gmail for again? This is applicable to any email account isn't it?

    --
    HELP MY ACCOUNT HAS BEEN HACKED BY AN ILLIBERAL ART STUDENT SET TO DESTROY THE INTERWEBZ!
  11. A PSA from your "friends" at CloudSweeper: by CanHasDIY · · Score: 4, Funny

    Hi! We just noticed the word, "SUCKER," printed on your forehead in big bold text, and thought you would be interested in our exciting new offer...

    --
    An enigma, wrapped in a riddle, shrouded in bacon and cheese
    1. Re:A PSA from your "friends" at CloudSweeper: by Anonymous Coward · · Score: 0

      Buy our product or we will email your browser history to your contact list. (blatantly ripped from the dogbert school of entrepreneurship)

    2. Re:A PSA from your "friends" at CloudSweeper: by bill_mcgonigle · · Score: 1

      That's on Soulskill's forehead right about now. Seriously, doing something like this is terrible security advice.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  12. How much? by rvw · · Score: 1

    So I'm moving away from Google and Gmail. Can I sell my own account? And what kind of money can I get for it? Will it buy me a new Macbook at least? Then I might consider it! ;-)

    1. Re:How much? by Anonymous Coward · · Score: 0

      Selling your own account would cost you more money than the sale price, because black-market buyers use the information in your account to steal your identity.

      Think of it like selling your safe full of valuables so you can buy something else.

    2. Re:How much? by Anonymous Coward · · Score: 0

      If I don't give a fuck, or wish to disappear, it can be useful to poison the well.

  13. Turns out my Gmail account is worth by Anonymous Coward · · Score: 1

    10 million "theoretical dollars". Not to mention once the "cyber thieves" are able to "seize" all of my accounts, they could likely use my accounts as a springboard to bigger things. Perhaps even seize control of the nation's power grid or the launch codes for our nuclear arsenal. Thank god I didn't click on that email about the package from FedEx I never ordered.

  14. $28.50 by Iniamyen · · Score: 1

    $28.50

  15. $5.30 by EmagGeek · · Score: 1

    Darn. I was hoping my gmail account would make me the next .com billionaire.

  16. A rough appraisal by Russ1642 · · Score: 4, Funny

    About tree fiddy

  17. 30$ by Deflagro · · Score: 1

    I ain't afraid but apparently it's not worth much anyway. If someone tried to steal my identity they'd end up worse off at this point :P

    --
    Der Tod ist der einzige Weg hier raus!
  18. It's already been at risk by ackthpt · · Score: 2

    I have two gmail accounts and both of them are used for registering for websites which may have dubious practices, such as ... um ... /.

    All anyone would gain from them is the ability to steal my password on review or nattering accounts, Comrade!

    For limited time special offer to receive big quantity Order of Putin medals from Glorious People's Republic of Russia! Just you send 100 dollars USA or 3,000 Roubles to:

    PO Box 786990

    Chelyabinsk 211

    Chelyabinsk Ob, Russia

    --

    A feeling of having made the same mistake before: Deja Foobar
  19. Probably quite a lot by neminem · · Score: 1

    Given that I'm sure if you tried enough, you could convince some moron working the phone at any of various financial establishments I have alerts sent from to let you draw money out of my accounts there, even though they shouldn't.

    Other than that, I doubt it'd be worth very much, unless the crook *really* liked Kingdom of Loathing.

    1. Re:Probably quite a lot by hedwards · · Score: 0

      Depends, do you have a hand turkey?

    2. Re:Probably quite a lot by neminem · · Score: 0

      Nope. I do, however, have a rainbow pearl. :p

      (Well, it's not mine, but it is on an account I have the password to.)

    3. Re:Probably quite a lot by hedwards · · Score: 1

      I see somebody with mod points doesn't have a sense of humor.

  20. Thats kind of crazy to me. by Marrow · · Score: 4, Insightful

    Why does amazon (a serious competitor for Google Play) take it upon themselves to send an email showing the complete details of your transaction? Which Google can then scan and learn about Amazon's customers and attempt to drive them to Google Play. It seems like all the web vendors want to give all their customer information to Google. I'm sure Google appreciates the efforts on their behalf.
    There should be very little detail in these transaction confirmations. And they should be optional. Or maybe SMS should be an option. But to give your competitor the names of your competition and what they like to purchase is just plain crazy to me.

    1. Re:Thats kind of crazy to me. by Anonymous Coward · · Score: 0

      https://cloudsweeper.cs.uic.edu/privacy
      There's what they claim about the use of it.

    2. Re:Thats kind of crazy to me. by StormyWeather · · Score: 0

      Maybe because their search history engine sucks, and I need to be able to research and search through my amazon transactions using google, or outlook. If they disabled it I would go back to newegg for a lot of my amazon transactions because I like having a textual email receipt for all of my vendor transactions.

    3. Re:Thats kind of crazy to me. by Anonymous Coward · · Score: 3, Insightful

      Nobody's forcing you to use gmail. Get a domain and an email only account with any web host and for about $15/month you can have mailboxes that are very private, and especially ad-free.

    4. Re:Thats kind of crazy to me. by Anonymous Coward · · Score: 0

      whoosh

    5. Re:Thats kind of crazy to me. by BlackPignouf · · Score: 2

      +1

      3 years ago, I registered for a prestigious international conference.
      I didn't notice it at first, but their password field was broken, and pwdhash didn't convert my master password before sending it.
      5 minutes later, I receive a confirmation email from the organisers.
      The password was in clear text in the second line....

  21. but right now nobody knows by shadowrat · · Score: 2, Interesting

    Right now nobody knows how much my account is worth. If i allow this "tool" to scan my account, they create a metric of value where none existed before. I don't know what they do with that information. They probably sell it.

  22. Just ask by Azure+Flash · · Score: 1

    I just asked a crook what my GMail account is worth, he appraised it at at least 5 million US dollars. He charged 40$ for the estimation. It's good to know, now I have a reason to take extra steps to secure my account.

  23. the most important thing by commodore73 · · Score: 1

    Don't use the same password for any two accounts. Second most important: don't use the same email address for any two accounts.

    1. Re:the most important thing by Anonymous Coward · · Score: 0

      Can't you reset any password with just the e-mail? So shouldn't e-mail be the most important?

  24. Re:more worried about google using my gmail accoun by SpeZek · · Score: 2

    That's why you make use of Google's relatively good tools to download all of your data regularly and make backups.

    It's your data. You're the one responsible for it.

  25. Just submitted my gmail account to test as per TFA by vikingpower · · Score: 0

    Result: my account is worth a staggering $ 0.60 to potential thieves ;-)

    --
    Religious speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
  26. Prior art by Anubis+IV · · Score: 2

    http://www.ismytwitterpasswordsecure.com/

    I know it was made to check Twitter passwords, but it turns out that it works surprisingly well here too. In fact, it's smart enough to tell you how secure your passwords and accounts are, even if you enter fake credentials. I kid you not, it is that smart. Try it out.

    1. Re:Prior art by Anonymous Coward · · Score: 0

      I tried that site out and it wouldn't let me enter any data after typing into the username field? Do you know where I can file a bug? Running Google Chrome Version 27.0.1453.116 m on Win7 64bit compiled on an Intel i5.

      Edit: Strange, I just tried it on my VMware Internet Explorer 6 and was able to enter in username/password, hit enter but nothing happened? It's been a while since I took web programming but upon inspecting the source I'm not seeing a form element.. I can't find any contact or support link on that site, since you referred can you let them know?

  27. Two Factor Auth by Anonymous Coward · · Score: 1

    If you're not using this for Gmail you're an idiot, especially if this stuff is tied to your bank.

  28. Billions and Billions of doooolars by Anonymous Coward · · Score: 0

    But I will tell you anything you want to hear for $100 in bitcoin.

  29. Re:more worried about google using my gmail accoun by RCL · · Score: 1

    Does Google have a tool to backup Gmail data? Asking seriously, would like to use one. (I am aware that there are third-party tools and you can also download everything to your mail client yourself).

  30. Just ask the NSA by OhSoLaMeow · · Score: 1

    They're already in there, anyway.

    --
    They can take my LifeAlert pendant when they pry it from my cold dead fingers.
  31. The sweeper doesn't count by ub3r+n3u7r4l1st · · Score: 1

    most banks, broker's websites, and battle.net. These accounts are worth $hitload more than paypal and amazon.

  32. Re:more worried about google using my gmail accoun by hedwards · · Score: 1

    They provide access to the data, what more do you expect them to do? Now, if there were no 3rd party tools available, then I would be worried.

  33. Depends... by Anonymous Coward · · Score: 0

    do they want stupid power point presentations with pron that usually my friends send me?

  34. gmail is free, right? by Anonymous Coward · · Score: 0

    So then how could it be worth anything?

    Seriously though, if I have no price on that account now, then why would I need to know the price that crooks would put on it? It seems a little bit crazy, because if you look at the same idea, but with another "object" (rather than gmail accounts), like, say, your daughter's vagina...

    "How much is your daughter's vagina worth? Drive her over here, let us 'install a temporary tool' in her vagina. We check for bacteria levels, tightness, depth and overall smell/taste, while also checking pupil dilation as we stroke her clitoris. Afterwards, we provide you with a price that a goon would pay to rape her."

    A bit weird, eh?

    my $.02

  35. It's called a "receipt" by sirwired · · Score: 3, Insightful

    So, what exactly is Amazon supposed to do? Most people LIKE getting their transaction details sent to them; it's called a "receipt", and it serves as proof you bought whatever it is you think you bought, should this ever be up for dispute. Most people expect to receive a receipt for every electronic transaction, even if it isn't strictly necessary.

    And the same thing could be said about any commercial e-mail service... nothing stops Mom-n-Pop ISP from mining your e-mail for data (or selling mining access to somebody who can.)

    In any case, Amazon doesn't seem to be too bothered by the prospect...

    If you don't trust GMail e-mail scanning, get your address elsewhere.

    1. Re:It's called a "receipt" by Marrow · · Score: 1

      And yet, that receipt could be in the form of a protected URL to the information. Follow this link if you would like to see/print your receipt. It does not need to include the full text of the transaction.

  36. No Third Party Solution: by Jane+Q.+Public · · Score: 1

    Use Pop3 and keep the server's inbox bare.

    Granted, it's not a 100% solution. But odds are, if thieves scan your inbox and find nothing there, they won't be back.

    Screw this IMAP stuff. It doesn't do anything I need and it leaves you vulnerable to this kind of attack.

  37. I want a "real" copy by sirwired · · Score: 1

    I want a "real" copy in my own e-mail account, and I expect most other people do too. I don't want to have to go through all the hassle to obtain and save my own copy. What happens if your Amazon account is suspended? You'd never see those receipts again if you hadn't already saved a copy.

    1. Re:I want a "real" copy by Anonymous Coward · · Score: 0

      just because you're a fucking idiot, doesn't mean the rest of us should suffer

  38. Re: by Anonymous Coward · · Score: 0

    Seriously, am I the only one who displays the order and does a print screen to PDF immediately after the purchase? Seriously? Is that so hard?

    I have 10+ years of these, still less than 1 GB.