Cloudsweeper Project Estimates Your Inbox's Worth to Criminals
The Cloudsweeper project, which looks for passwords and other info in your inbox, can take a Gmail account and put a price on it, but the research aims to go deeper.People who have ever wondered why online criminals would want to gain access to their email accounts now have a way to find out: Two researchers at the University of Illinois at Chicago have created an online service that checks a person's Gmail account for sensitive information, offers to encrypt the information and then estimates how much access to the account would be worth on the black market. The service, called Cloudsweeper, sifts through a person's inbox looking for password-reset or account-recovery emails as well as other sensitive account information. If it finds clear-text passwords, the service will offer to encrypt them. Then, the service will use current prices found on black-hat forums to put a price on the user's inbox. Most people do not consider how much they rely on a single email address for the security of their other accounts, Peter Snyder, a Ph.D. student in computer science at the University of Illinois at Chicago and the primary lead on the Cloudsweeper project, told eWEEK. "The fact that your one email account, in reality, can give someone access to a hundred other accounts really catches people by surprise," Snyder said.
While the use of easy-to-guess passwords and the reuse of a single password across multiple accounts are the major threats to the security of online accounts, criminals are increasingly finding ways to abuse the account-recovery options of online services. In June 2012, attackers intent on taking control of Web-infrastructure firm CloudFlare rerouted the CEO's voice mail and then used his Gmail account recovery to reset corporate passwords. While the company reacted quickly, the attackers gained access to sensitive corporate accounts before CloudFlare regained control.