Has your webmail been hacked?
Posted by Andi Baritchi on September 22, 2008 at 6:00 PM EDT.
Following our recent article from Gunter on how easy it is to hack into webmail accounts, and Tom's follow-up on securing those accounts, there is still one looming question: how do you know if you've been hacked?
The Sarah Palin email fiasco reminded me of a solution I read last year from Jeremiah Grossman. The basic idea is to send a message to yourself with a subject too juicy for an attacker to resist opening. It's not enough to depend on the unread message indicator though - a smart attacker will cover their tracks and mark the message unread again afterwards. We need a hit counter that the attacker cannot reset.
Before sending yourself the email, go to OneStatFree.com or the free counter site of your choice and sign up for a counter. OneStat will send you your account details and a text file with the Javascript code to activate the counter. Rename the text file with an alluring name and an .htm extension, passwords.htm or similar, so it opens directly in a web browser. Then send yourself the juicy bait email, perhaps "Online Passwords", with the passwords.htm file attached.
Any time this email is opened, the attacker won't be able to resist also clicking on the passwords.htm file. Bingo. The counter has been incremented. The only thing left to do is add the counter to your daily watch list.
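If you would rather not depend on a third-party counter, the same trick works with a beacon you host yourself. The following is an added example, not code from the original post or from OneStat: it generates the bait attachment with a unique token baked in, and runs a tiny endpoint that answers with a 1x1 GIF and appends every request to a log. The endpoint name `beacon.example.invalid`, the token format, the log file name and the `passwords.htm` layout are all hypothetical choices.

```python
"""Self-hosted canary attachment and hit log for a bait webmail message.

Added example (not the original post's code). Assumes you host the beacon
endpoint yourself; BEACON_URL, the token format and the log name are hypothetical.
"""
import secrets
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from pathlib import Path
from urllib.parse import parse_qs, urlparse

BEACON_URL = "https://beacon.example.invalid/hit"   # assumed self-hosted endpoint
HIT_LOG = "canary_hits.log"                          # append-only record of opens

# 1x1 transparent GIF served to every opener so the page renders quietly.
PIXEL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00"
             b"\x00\x02\x02D\x01\x00;")


def new_token() -> str:
    """Unique id per bait file, so each hit is attributable to one mailbox/message."""
    return secrets.token_urlsafe(12)


def make_bait_html(token: str, beacon_url: str = BEACON_URL) -> str:
    """Build the passwords.htm attachment. Any browser that opens it requests the
    beacon twice: once through an <img> tag and once through fetch(), so the hit
    is recorded even if one channel is blocked."""
    url = f"{beacon_url}?t={token}"
    return f"""<!doctype html>
<html><head><meta charset="utf-8"><title>Online Passwords</title></head>
<body>
<p>Loading saved passwords...</p>
<img src="{url}&via=img" width="1" height="1" alt="">
<script>fetch("{url}&via=js", {{mode: "no-cors", cache: "no-store"}});</script>
</body></html>
"""


def parse_hit(path: str) -> dict:
    """Extract token and channel from a beacon request path; empty dict if no token."""
    q = parse_qs(urlparse(path).query)
    if "t" not in q:
        return {}
    return {"token": q["t"][0], "via": q.get("via", ["unknown"])[0]}


def record_hit(token: str, via: str, remote: str, ua: str, log=HIT_LOG, now=None) -> str:
    """Append one tab-separated line and return it. The log lives on a host the
    attacker has no access to, which is what makes the counter non-reversible."""
    ts = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now))
    clean_ua = ua.replace("\t", " ").replace("\n", " ")
    line = "\t".join([ts, token, via, remote, clean_ua])
    with Path(log).open("a", encoding="utf-8") as fh:
        fh.write(line + "\n")
    return line


def hits(token: str, log=HIT_LOG) -> list:
    """All recorded opens for one token, oldest first (this is the daily check)."""
    path = Path(log)
    if not path.exists():
        return []
    out = []
    for raw in path.read_text(encoding="utf-8").splitlines():
        fields = raw.split("\t")
        if len(fields) == 5 and fields[1] == token:
            out.append({"ts": fields[0], "via": fields[2],
                        "remote": fields[3], "ua": fields[4]})
    return out


class BeaconHandler(BaseHTTPRequestHandler):
    """Serve the pixel and log every request that carries a token."""

    def do_GET(self):
        hit = parse_hit(self.path)
        if hit:
            record_hit(hit["token"], hit["via"], self.client_address[0],
                       self.headers.get("User-Agent", "-"))
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Cache-Control", "no-store")
        self.end_headers()
        self.wfile.write(PIXEL_GIF)

    def log_message(self, *args):
        pass  # keep stdout quiet; the hit log is the record


if __name__ == "__main__":
    tok = new_token()
    Path("passwords.htm").write_text(make_bait_html(tok), encoding="utf-8")
    print(f"attach passwords.htm to the bait mail; watching token {tok}")
    HTTPServer(("0.0.0.0", 8080), BeaconHandler).serve_forever()
```

Run it once to produce `passwords.htm`, attach that file to the bait message, and then check `hits(token)` as part of your daily routine. The token is the part worth keeping: one token per bait message lets you tell which mailbox was opened, and the remote address and User-Agent in the log give you a starting point for the investigation rather than just a number that went up.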
Moving back to prevention for one second - always be careful with "security questions" or "secret questions." These are an oxymoron, and the bane of a security person's existence. The Lifehacker article Tom posted was great advice.
Credits: Jeremiah Grossman, Erik Larkin