Slashdot Mirror


How Much Is Your Gmail Account Worth To Crooks?

tsu doh nimh writes "If you use Gmail and have ever wondered how much your account might be worth to cyber thieves, have a look at Cloudsweeper, a new OAuth service launching this week that tries to price the value of your Gmail address based on the number of retail accounts you have tied to it and the current resale value of those accounts in the underground. From KrebsOnSecurity: 'The brainchild of researchers at the University of Illinois at Chicago, Cloudsweeper's account theft audit tool scans your inbox and presents a breakdown of how many accounts connected to that address an attacker could seize if he gained access to your Gmail. Cloudsweeper then tries to put an aggregate price tag on your inbox, a figure that's computed by totaling the resale value of other account credentials that crooks can steal if they hijack your email.'" A recent report from Kaspersky (PDF) also highlighted the trend toward phishing attempts targeting Facebook, Google, and Yahoo accounts alongside bank accounts.
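
The audit described in the summary, sketched as an added example (not Cloudsweeper's code and not part of the original story): it finds account-related mail, groups it by sender domain, and totals a price for each linked account. The domains, prices, subject-phrase heuristic and sample inbox are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed per-account resale prices in USD: placeholders, not market data.
PRICE_USD = {"shop.example": 4.00, "pay.example": 6.50}

# Assumed heuristic: subject phrases typical of account-lifecycle mail.
ACCOUNT_HINTS = ("welcome", "confirm your", "verify your",
                 "password reset", "your order")

# Constructed sample inbox (raw RFC 5322 messages).
SAMPLE_INBOX = [
    "From: Shop <no-reply@mail.shop.example>\nSubject: Your order has shipped\n\nhi",
    "From: accounts@shop.example\nSubject: Password reset requested\n\nhi",
    "From: Pay <service@pay.example>\nSubject: Confirm your email address\n\nhi",
    "From: Forum <admin@forum.example>\nSubject: Welcome to the forum\n\nhi",
    "From: Alice <alice@friends.example>\nSubject: lunch on friday?\n\nhi",
]


def registrable(domain):
    """Reduce a host to its last two labels (naive: no public-suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])


def audit(raw_messages):
    """Count account-related mail per sender domain and total the priced ones."""
    linked = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        subject = (msg.get("Subject") or "").lower()
        if not any(hint in subject for hint in ACCOUNT_HINTS):
            continue  # ordinary correspondence, not an account notice
        _, addr = parseaddr(msg.get("From") or "")
        if "@" not in addr:
            continue  # unparseable sender
        domain = registrable(addr.rsplit("@", 1)[1])
        linked[domain] = linked.get(domain, 0) + 1
    # Each linked account is priced once, however many messages it sent.
    unpriced = sorted(d for d in linked if d not in PRICE_USD)
    total = round(sum(PRICE_USD[d] for d in linked if d in PRICE_USD), 2)
    return {"linked": linked, "unpriced": unpriced, "total_usd": total}


if __name__ == "__main__":
    report = audit(SAMPLE_INBOX)
    for domain, hits in sorted(report["linked"].items()):
        print(f"{domain}: {hits} account message(s)")
    print("not priced:", report["unpriced"])
    print(f"aggregate: ${report['total_usd']:.2f}")
```

Every domain in the report is an account whose password reset lands in this mailbox, so the list doubles as an inventory of what the mailbox's own password and second factor are protecting.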


  1. Wait just a second by Russ1642 · · Score: 5, Insightful

    "You're at risk!!! Download this scanning tool now to determine your chances of getting pwned." Where have I seen this kind of language before?

    1. Re:Wait just a second by maliqua · · Score: 5, Funny

      the university of Illinois computer science department...?

    2. Re:Wait just a second by houghi · · Score: 4, Funny

      And not just downloading. You need to give them temporary access. I will do that right after securing my Visa Card.
      On their site they call it "Temporary Limited Access" and that is exactly what I tell the ladies. Nothing can happen, although one is slightly pregnant right now, but that is also just temporary.

      --
      Don't fight for your country, if your country does not fight for you.
    3. Re:Wait just a second by Anonymous Coward · · Score: 5, Funny

      the university of Illinois computer science department...?

      Well known scammers:

      Dear Friend I am Professor Joseph Otumba of the university of Illinois computer science department and I wish to speak to you on the most urgent matter of your gmail account....

    4. Re:Wait just a second by Technician · · Score: 1, Interesting

      I have an account set up just to troll scammers. I reply for all my Lottery Winnings, Inheritance, Money Transfer, etc. It's linked to all my fake bank accounts. I'm tempted to let them have temporary access to see what happens.. LOL. It has no connection to any RL account, but lots of links to security company accounts where they are holding several sets of Metal Trunk Boxes..

      --
      The truth shall set you free!
    5. Re:Wait just a second by Common+Joe · · Score: 1

      Pfff... Yeah, I know. Like I'd fall for that.

      Besides, if I really wanted to get a thorough analysis of my gmail account, I'd just post my username and password to Ask Slashdot. At least then, I know my personal information would be abused by professionals.

    6. Re:Wait just a second by cant_get_a_good_nick · · Score: 1

      Jokes aside, UIC has a pretty good computer graphics department. Dr DeFanti helped design the computer graphics model for Star Wars. The Death Star graphics? Yeah, that was him. He also helped develop the CAVE, one of the first immersive virtual reality environments.

  2. Great Idea!! by canadiannomad · · Score: 4, Insightful

    Now just let me hand over the keys to all my private mail to someone who will quickly be able to deduce how much it is worth.... </sarcasm>

    --
    Hmm, the humour and sarcasm seem to have been lost on you.
  3. more worried about google using my gmail account by Anonymous Coward · · Score: 1

    Got locked out of that account and they basically want everything related to my identity to get it back (identity theft in order to return my identity) and now what, that's all my personal stuff that Google has access to, and I don't.

  4. So... how much is it worth? by astro128 · · Score: 1

    Sorry it's 5pm on the east coast and time to go home so I didn't RTFA - anyone care to just give me the bottom line?

    1. Re:So... how much is it worth? by djsmiley · · Score: 3, Insightful

      please let us have access to all your email and search through it to tell you how much a random person would like to have access to all your email and search through it...

      --
      - http://www.milkme.co.uk
    2. Re:So... how much is it worth? by Anonymous Coward · · Score: 2, Interesting

      anyone care to just give me the bottom line?

      Sure: you're definitely lazy and likely obese.

      You're welcome.

    3. Re:So... how much is it worth? by UltraZelda64 · · Score: 1

      Somewhere between $2.05 and $2.12.

  5. How much of my data... by MaxDollarCash · · Score: 1

    ...will they be storing to mine?

    1. Re:How much of my data... by game+kid · · Score: 1, Funny

      As much as you gave Facebook for your Slashdot account?

      --
      You can hold down the "B" button for continuous firing.
    2. Re:How much of my data... by MaxDollarCash · · Score: 1

      Nothing you mean :) Fb is fake

  6. People Who Bought... by Anonymous Coward · · Score: 3, Funny

    People who bought "$5,000 offshore banking money transfer" also bought:

    1. Krugerrands
    2. The Complete Book of Money-Laundering
    3. $1,000 Amazon Gift Cards
    4. $4,600 Donation to 2012 Obama for America Campaign
  7. Zero by magic+maverick+ · · Score: 1, Insightful

    My Gmail account is not worth anything. Mainly because I never tied it to anything else, and I forgot the password years ago. Whoops. I don't like the Gmail interface, let alone the tied to Google aspect.

    But if you could get a hold of my main email account... Actually, I still have no (or very few) other accounts tied to it. That's 'cause I give every service and website a different email address (slashdot.org.2013.06.26@example.org). So far I haven't discovered anyone specifically having sold or lost my email address, but I'm sure it's a matter of time.

    What's the specifying Gmail for again? This is applicable to any email account isn't it?

    --
    HELP MY ACCOUNT HAS BEEN HACKED BY AN ILLIBERAL ART STUDENT SET TO DESTROY THE INTERWEBZ!
  8. A PSA from your "friends" at CloudSweeper: by CanHasDIY · · Score: 4, Funny

    Hi! We just noticed the word, "SUCKER," printed on your forehead in big bold text, and thought you would be interested in our exciting new offer...

    --
    An enigma, wrapped in a riddle, shrouded in bacon and cheese
    1. Re:A PSA from your "friends" at CloudSweeper: by bill_mcgonigle · · Score: 1

      That's on Soulskill's forehead right about now. Seriously, doing something like this is terrible security advice.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  9. How much? by rvw · · Score: 1

    So I'm moving away from Google and Gmail. Can I sell my own account? And what kind of money can I get for it? Will it buy me a new Macbook at least? Then I might consider it! ;-)

  10. Turns out my Gmail account is worth by Anonymous Coward · · Score: 1

    10 million "theoretical dollars". Not to mention once the "cyber thieves" are able to "seize" all of my accounts, they could likely use my accounts as a spring board to bigger things. Perhaps even seize control of the nation's power grid or the launch codes for our nuclear arsenal. Thank god I didn't click on that email about the package from FedEx I never ordered.

  11. $28.50 by Iniamyen · · Score: 1

    $28.50

  12. $5.30 by EmagGeek · · Score: 1

    Darn. I was hoping my gmail account would make me the next .com billionaire.

  13. Re:Zero by Shados · · Score: 1

    Do you manage all your accounts individually, or are they forwards? If the latter, someone would only need the master account to reset passwords all over the place. Of course, a lot of more critical sites won't let you reset passwords that easily, but many do, and unless you're living in a vacuum, you probably have accounts on those too.

  14. A rough appraisal by Russ1642 · · Score: 4, Funny

    About tree fiddy

  15. 30$ by Deflagro · · Score: 1

    I ain't afraid but apparently it's not worth much anyway. If someone tried to steal my identity they'd end up worse off at this point :P

    --
    Der Tod ist der einzige Weg hier raus!
  16. It's already been at risk by ackthpt · · Score: 2

    I have two gmail accounts and both of them are used for registering for websites which may have dubious practices, such as ... um ... /.

    All anyone would gain from them is the ability to steal my password on review or nattering accounts, Comrade!

    For limited time special offer to receive big quantity Order of Putin medals from Glorious People's Republic of Russia! Just you send 100 dollars USA or 3,000 Roubles to:

    PO Box 786990

    Chelyabinsk 211

    Chelyabinsk Ob, Russia

    --

    A feeling of having made the same mistake before: Deja Foobar
  17. Probably quite a lot by neminem · · Score: 1

    Given that I'm sure if you tried enough, you could convince some moron working the phone at any of various financial establishments I have alerts sent from to let you draw money out of my accounts there, even though they shouldn't.

    Other than that, I doubt it'd be worth very much, unless the crook *really* liked Kingdom of Loathing.

    1. Re:Probably quite a lot by hedwards · · Score: 1

      I see somebody with mod points doesn't have a sense of humor.

  18. Thats kind of crazy to me. by Marrow · · Score: 4, Insightful

    Why does Amazon (a serious competitor for Google Play) take it upon themselves to send an email showing the complete details of your transaction? Which Google can then scan and learn about Amazon's customers and attempt to drive them to Google Play. It seems like all the web vendors want to give all their customer information to Google. I'm sure Google appreciates the efforts on their behalf.
    There should be very little detail in these transaction confirmations. And they should be optional. Or maybe SMS should be an option. But to give your competitor the names of your competition and what they like to purchase is just plain crazy to me.

    1. Re:Thats kind of crazy to me. by Anonymous Coward · · Score: 3, Insightful

      Nobody's forcing you to use gmail. Get a domain and an email only account with any web host and for about $15/month you can have mailboxes that are very private, and especially ad-free.

    2. Re:Thats kind of crazy to me. by BlackPignouf · · Score: 2

      +1

      3 years ago, I registered for a prestigious international conference.
      I didn't notice it at first, but their password field was broken, and pwdhash didn't convert my master password before sending it.
      5 minutes later, I receive a confirmation email from the organisers.
      The password was in clear text in the second line....

  19. but right now nobody knows by shadowrat · · Score: 2, Interesting

    Right now nobody knows how much my account is worth. If I allow this "tool" to scan my account, they create a metric of value where none existed before. I don't know what they do with that information. They probably sell it.

  20. Re:Zero by commodore73 · · Score: 1

    I do the same thing, but more like company@mypersonaldomain.com. I don't think that most companies sell or give away my email addresses, but they give lists to their MARKETING PARTNERS, which certainly do pass them on, or get hacked. I found this out by checking the to lines in spam and seeing united (airlines) and a CMS vendor. I also saw something from a company mailed to the email address associated with one of its competitors; from talking to people I found that a marketing person left the second and apparently took a contact list to their new job at the first. It is a very worthwhile thing to do.

  21. Just ask by Azure+Flash · · Score: 1

    I just asked a crook what my GMail account is worth, he appraised it at at least 5 million US dollars. He charged 40$ for the estimation. It's good to know, now I have a reason to take extra steps to secure my account.

  22. Re:Zero by commodore73 · · Score: 1

    What about when you need to send a message, do you create a real email account for the organization then, or use a real account? I tend to use a real existing account when working with real people.

  23. the most important thing by commodore73 · · Score: 1

    Don't use the same password for any two accounts. Second most important: don't use the same email address for any two accounts.

  24. Re:Zero by commodore73 · · Score: 1

    Another issue is that setting up a catchall/default increases spam. I get spam at addresses on my domain that I certainly never used; spammers seem to guess/make them up.

  25. Re:Zero by commodore73 · · Score: 1

    And another benefit - when you find an email address being used for spam, you can disable it, or worse.

  26. Re:more worried about google using my gmail accoun by SpeZek · · Score: 2

    That's why you make use of Google's relatively good tools to download all of your data regularly and make backups.

    It's your data. You're the one responsible for it.

  27. Prior art by Anubis+IV · · Score: 2

    http://www.ismytwitterpasswordsecure.com/

    I know it was made to check Twitter passwords, but it turns out that it works surprisingly well here too. In fact, it's smart enough to tell you how secure your passwords and accounts are, even if you enter fake credentials. I kid you not, it is that smart. Try it out.

  28. Two Factor Auth by Anonymous Coward · · Score: 1

    If you're not using this for Gmail you're an idiot, especially if this stuff is tied to your bank.

  29. Re:Zero by magic+maverick+ · · Score: 1

    SMTP is amazing, you can send an email from any email address. So, if my main email address is magic@maverick.com, and I'm having commercial mail sent to the domain manic.com, I just use the feature of my email client to make the send from address slashdot.org@manic.com (or whatever). And the way it's set up, all the fancy anti-spam measures (DomainKeys or whatever) still work!

    Real people (who aren't working for an org) get my main email address (magic@maverick.com). On forms I write stuff like blahblah@manic.com or noreply@manic.com or even aiirapk2@manic.com. Or whatever. And I can then use those to communicate with people at whichever org it is.

    Cool bananas.

    --
    HELP MY ACCOUNT HAS BEEN HACKED BY AN ILLIBERAL ART STUDENT SET TO DESTROY THE INTERWEBZ!
  30. Re:more worried about google using my gmail accoun by RCL · · Score: 1

    Does Google have a tool to back up Gmail data? Asking seriously, would like to use one. (I am aware that there are third-party tools and you can also download everything to your mail client yourself).

  31. Just ask the NSA by OhSoLaMeow · · Score: 1

    They're already in there, anyway.

    --
    They can take my LifeAlert pendant when they pry it from my cold dead fingers.
  32. The sweeper doesn't count by ub3r+n3u7r4l1st · · Score: 1

    most banks, broker's websites, and battle.net. These accounts are worth $hitload more than paypal and amazon.

  33. Re:more worried about google using my gmail accoun by hedwards · · Score: 1

    They provide access to the data, what more do you expect them to do? Now, if there were no 3rd party tools available, then I would be worried.

  34. It's called a "receipt" by sirwired · · Score: 3, Insightful

    So, what exactly is Amazon supposed to do? Most people LIKE getting their transaction details sent to them; it's called a "receipt", and it serves as proof you bought whatever it is you think you bought, should this ever be up for dispute. Most people expect to receive a receipt for every electronic transaction, even if it isn't strictly necessary.

    And the same thing could be said about any commercial e-mail service... nothing stops Mom-n-Pop ISP from mining your e-mail for data (or selling mining access to somebody who can.)

    In any case, Amazon doesn't seem to be too bothered by the prospect...

    If you don't trust GMail e-mail scanning, get your address elsewhere.

    1. Re:It's called a "receipt" by Marrow · · Score: 1

      And yet, that receipt could be in the form of a protected URL to the information. Follow this link if you would like to see/print your receipt. It does not need to include the full text of the transaction.

  35. No Third Party Solution: by Jane+Q.+Public · · Score: 1

    Use Pop3 and keep the server's inbox bare.

    Granted, it's not a 100% solution. But odds are, if thieves scan your inbox and find nothing there, they won't be back.

    Screw this IMAP stuff. It doesn't do anything I need and it leaves you vulnerable to this kind of attack.

  36. I want a "real" copy by sirwired · · Score: 1

    I want a "real" copy in my own e-mail account, and I expect most other people do too. I don't want to have to go through all the hassle to obtain and save my own copy. What happens if your Amazon account is suspended? You'd never see those receipts again if you hadn't already saved a copy.