Thursday, May 03, 2007

How to check if your WebMail account has been hacked

WebMail accounts are a popular target for malicious hackers, law enforcement conducting investigations, and rogue insiders. WebMail security is very important, perhaps even more so than your online bank account: if your WebMail is hacked, every web account associated with that address (through the send-an-email forgot-password system) could be compromised, including your bank. Phishing scams, password brute-force attacks, cross-site scripting exploits, and insufficient authorization vulnerabilities are all commonplace, and for the most part these attempts are impossible for normal users to detect or do anything about. The problem is this: unless your password changes without your knowledge, how can you tell if your account has been compromised? Fortunately there is a fairly simple way.

Normally when someone compromises a WebMail account they'll rifle through all your messages and save anything they're interested in keeping. Unless the intruder is really dumb, and sometimes they are, they'll mark all the messages back as unread (bold) so you won't notice their presence. What you can do ahead of time is set a kind of virtual silent alarm on your account. Here's how:

1) Upload a tiny image somewhere online where you can see the logs of who accesses it. There are a lot of places that offer web space; it could come with your DSL provider, or a friend might have some to share. Once uploaded, NEVER share the URL to the image. Hide it well, because no one should ever find it online by accident.

2) Send your WebMail account an email containing the silent alarm image, with a juicy-sounding subject line like "Your new online Bank password", "Re: employee personnel files", or "That's it, we're through!!!". Anything an intruder wouldn't be able to resist reading. Leave the email unread in your inbox. This is your silent alarm email.

3) Hopefully this day will never come, but if an intruder were ever to break into your account and read your silent alarm email, their browser will unknowingly request the embedded image. Check the image logs periodically; if there is ever any activity, you'll know something is up. The web server logs will contain the intruder's IP address as well as the date and time of when they broke in and read the message.

Simple. This same process can also be used to protect your MySpace account through its messaging system. Enjoy!
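The part of step 3 that the post leaves to the reader is actually reading the logs. The script below is an added example (not code from the original post) that parses web-server access logs in the "combined" format, as in the sample log line quoted later in the comments, and reports every request for a canary resource that did not come from the owner's own address. It generalizes slightly beyond the post: it watches a secret image path and a "juicy" link path, as one commenter suggests, and it reports the referer and user-agent alongside the IP and timestamp. The canary paths, the owner's IP, and the sample log lines are all constructed for the example.

```python
import re
import sys
from datetime import datetime

# Apache/nginx "combined" access-log format: ip ident user [time] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hypothetical canary resources (constructed for this example): the secret image
# embedded in the bait message, plus a bait link as suggested in the comments.
CANARY_PATHS = {"/media/x9k2v1.gif", "/private/passwords.txt"}

# Addresses belonging to the account owner (constructed). A hit from these is
# expected, e.g. when you fetch the image once yourself to confirm it works.
OWN_IPS = {"198.51.100.7"}

# Constructed sample log: one unrelated hit, one check by the owner, then two
# requests from an unknown address whose referer is a webmail inbox page.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Apr/2007:23:40:12 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Apr/2007:23:41:02 +0200] "GET /media/x9k2v1.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0"
192.0.2.44 - - [21/Apr/2007:23:48:07 +0200] "GET /media/x9k2v1.gif HTTP/1.1" 200 43 "http://webmail.example/inbox" "Opera/9.20 (X11; Linux i686; U; en-US)"
192.0.2.44 - - [21/Apr/2007:23:48:30 +0200] "GET /private/passwords.txt HTTP/1.1" 404 196 "http://webmail.example/inbox" "Opera/9.20 (X11; Linux i686; U; en-US)"
this line is not in log format and is skipped
"""


def parse_line(line):
    """Return a dict for one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def canary_hits(lines, canary_paths=CANARY_PATHS, own_ips=OWN_IPS):
    """Every request for a canary path from an address that is not the owner's.

    The status code is deliberately not used as a filter: the request itself is
    the alarm, so a 404 for the bait link counts just as much as a 200 for the image.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if path not in canary_paths or rec["ip"] in own_ips:
            continue
        hits.append({
            "ip": rec["ip"],
            "time": rec["time"].isoformat(),
            "path": path,
            "status": rec["status"],
            "referer": rec["referer"],
            "user_agent": rec["ua"],
        })
    return hits


if __name__ == "__main__":
    # Pass a real access log as the first argument; otherwise use the sample above.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            hits = canary_hits(fh)
    else:
        hits = canary_hits(SAMPLE_LOG.splitlines())
    if not hits:
        print("no canary activity")
    for h in hits:
        print(f'{h["time"]} {h["ip"]} {h["path"]} {h["status"]} '
              f'referer={h["referer"]!r} ua={h["user_agent"]!r}')
```

Two caveats that the comments below raise also apply to what this script can see: a mail client that blocks remote images will never request the canary, so an absence of hits is not proof of an absence of intruders, and a webmail service that proxies images through its own servers will log that proxy's address rather than the reader's.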

35 comments:

Anonymous said...

or change your password regularly dumbass. what a waste of time this is

Jeremiah Grossman said...

Perhaps you're unaware that there are vulnerabilities in websites, or that customer service reps can jump into your account anytime they want, despite you regularly changing your password.

Will Stranathan said...

B-b-but I have my webmail account set up so that it doesn't download images, because I don't want that "protection" to work against me: spammers use unique URLs to their images to validate email addresses. Even if they don't phish you, they know the email address is good because you requested an image that nobody else uses.

So I'd have to configure my webmail account to "always download images from suchandsuch". But you can see that configuration setting before you go look at the mail.

Jeremiah Grossman said...

Hmm, that's interesting; I hadn't thought about that form of protection. I wonder if that could be bypassed through another form of passive HTML request, using a SRC attribute of another supported HTML tag. Something has to leak data.

Ambush Commander said...

Actually, most webmail providers have been pretty good at "locking down" emails, preventing these external requests from happening.

Hmm... what they should do is let you see webmail login logs: IP address, time, etc. (sort of like how SSH tells you when your last visit was).

Mark IJbema said...

Actually you don't want webmail to be able to do this, because that would enable the webmail account as a CSRF starting point, and you definitely don't want that.

What you could always do though is the same thing, but instead of using an image, include a very interesting link or something ( http://example.org/passwords.txt ).

Anonymous said...

Can also be used to check whether Echelon is still active : http://www.computerbytesman.com/privacy/emailsnooping.htm

Anonymous said...

Cool. But useful only when you are reading emails with browsers. If you use POP3, you download everything. I don't remember that you could specify which email not to pull down.

Christian Matthies said...

I think that's a pretty good idea Jeremiah.

Notice: When you're able to upload images to a WebMail server (e.g. as an e-mail attachment) it might be vulnerable to XSS, at least for IE users, due to IE MIME type detection. That's off-topic but interesting though.

Anonymous said...

I've actually come across a need for this recently. I recently sold a business, and the new owner allowed me to continue using my email address from his domain. It was a forwarding address that simply relayed email from his domain to my gmail account. Well, this guy apparently has added one of his own email accounts to this forwarding list, so he is essentially bcc:ing himself on every email I get at this address. (I discovered this when an email to myself bounced because his mailbox was full.)

To see if he was actually reading my emails, I was planning to send myself an email with fake login credentials to a site that I control to see if he clicks the link and (worse) tries to log in. This would avoid the problem with email clients that don't load remote images, but would require him to click on a link within the email. I'm pretty sure I can entice him to click it. :)

Anonymous said...

Yeah, that's interesting... but viewing the referer in the web logs is much more interesting ;-) ... something like this:

your_host - - [21/Apr/2007:23:48:07 +0200] "GET /your_image HTTP/1.1" 200 2956 "http://your_web_mail_site/your_mailbox" "Opera/9.20 (X11; Linux i686; U; en-US)"

Unknown said...

In addition, if you use Hotmail or Yahoo from a WLAN (airport lounge or coffee shop), everyone there will be able to read your unencrypted email.

See:
http://www.interall.co.il/hotmail-yahoo-https.html
for details

RaviC said...

Jeremiah:
I love this simple and elegant tip. Thanks for sharing dude.

Augusto Barros said...

In the past I've used something similar to track owners of password stealing trojans that send the results to webmail accounts.

As Sylvan mentioned, almost all webmail systems today avoid accessing remote information unless you allow it. This technique (web bug or honeytoken) has been used by spammers to validate their address list for a long time.

Anonymous said...

They stole my passwords though.

Jeremiah Grossman said...

Does that mean they changed it too?

Anonymous said...

Could you please show me how to get the code and set it up in an email too? I'm afraid I got hacked but don't know how to check. I use Yahoo mail.

Jeremiah Grossman said...

See if this helps you...

http://jeremiahgrossman.blogspot.com/2007/07/how-to-check-if-your-webmail-account.html

Anonymous said...

Hi Jeremiah, good morning. Can you tell me how I can check online to see if another person is logged in online using my account when I am logged out already?

I think someone knew my hotmail acct password.

So if I logged out of the hotmail acct, how can I check to see if someone else logged in to check my acct... I remember a friend told me once that I can check it remotely to see if the hotmail acct is opened (i.e. someone else logged in using my password) without me logging in.

Thank you so very much, this means a lot to me.

Anonymous said...

Please, if you can, help me!
I have a yahoo account and I changed my password but it said I couldn't change it. So I tried logging in, but no matter what password I tried it wouldn't let me change it. I tried to get it sent to my alternate account but it said that it didn't exist. If you can help please send me an email at tigerlilliecht@hotmail.com

Anonymous said...

Thanks Jeremiah, this is helpful. Would you know what it means when you receive an email from nobody, i.e. the name slot is blank with a 0 byte message? Could that be an indication of someone messing around in your account? It's a roadrunner account.

Jeremiah Grossman said...

No idea. My guess is that it's just looking for bounces and validating addresses. Could be anything though.

Anonymous said...

Hi Jeremiah,
Thanks for sharing your post.
I have a gmail account and suspect that someone had been hacking into it. The thing is I've changed my password a few times since and feel that they are not able to access it any longer. Question: Is there any way that I can find out if my messages/contacts/chats/web history have been downloaded or accessed if it was in the past 6 months? Are there any clues that I can look for? I've looked through my settings and can't seem to find anything that might help me answer my question. For example, are downloaded items identifiably marked as downloaded etc...
Thanks so much!!

Jeremiah Grossman said...

Unfortunately you probably cannot go backwards and check, but going forward you probably can. I'd set up a couple of juicy-looking fake contact email addresses that no one is ever supposed to use. If the account gets an email of some kind, then you know someone has access to your account.

Anonymous said...

Thanks for your reply Jeremiah.
I found this link (http://lifehacker.com/software/gmail/how-to-re+download-recent-gmail-messages-251365.php) that states "You've already downloaded your Gmail messages via POP, but now you want them again in another client. Gmail will have marked those messages as downloaded already, but to re-download them, use this neat trick, spotted in the Gmail help list..." Do you know what is being referred to regarding the already downloaded "marked" messages? Thanks!

Anonymous said...

Hi Jeremiah,
It's the same user as above. I forgot to mention one other thing. The thing that originally made me suspicious was that one of my contact names had been changed. Surprisingly, it had been changed to the exact same name that a mutual friend has this particular contact listed as. Does that sound like a familiar gmail bug to you? I don't suspect this potential hacker is trying to get financial info or anything like that. If it indeed happened, I would think that it's more a personal thing, if you catch my drift.
Thanks again!

Elisa said...

Jeremiah,

Please walk me through step one of your suggestion. How do I upload a picture, and to what website? How will there be a log of who sees it?

Anonymous said...

Hi Jeremiah, I haven't seen any posts on this subject here lately, but I do hope this discussion is still "alive".
I need to ask, is there ANY way of knowing if someone hacked into my hotmail account IN THE PAST and looked into my READ mails, if they didn't change my password?
I am pretty sure the answer will be no, but my privacy is valuable so I'll give a try anyway.
I thank you in advance for taking the time to help with this.
Yours, Marie

JHF said...

Hi Jeremiah,
I want to ask you: if I had forgotten to log out of my hotmail on other people's computer, how can I check whether my mails are being forwarded if someone had deleted the sent mail after forwarding? Thanks

Anonymous said...

Sorry Jeremiah if this has already been asked. I am concerned that someone may have opened my Yahoo email inbox, i.e. law enforcement as you note, and wonder if there is any way of knowing. If I have ever opened the account in question it has only been once. Is there a counter somewhere, or would Yahoo keep track of this so they would know the number of times an inbox has been opened?

k.firth said...

I think my boyfriend has tagged or flagged some emails. How can I tell? Please.

k.firth said...

How can I tell if my boyfriend has targeted any emails?

k.firth said...

Please disregard my last post, I have since found the answer.

k.firth said...

Dumb ass was a bit harsh, I am a newbie. Not all of us are up to date, Anonymous. He is only tagging certain ones. All I wanted to know was how to tell if he is or not. All you did was call me names, and go on about some crs code, whatever that is. Can't change password, that won't help, he tagged them coming in.