
#HackerKast 25: Email Tripwire – How to Tell if My Email Has Been Hacked Into

How can you tell if someone is reading your email? Recently there has been concern about not just hackers but also employees of companies, administrators and so on who can access your account. Even in a non-nefarious situation it’s still important to know that someone has been looking through your inbox.

Jer took me on a trip down memory lane and asked me to look into an old blog post he had written a while back about how you can detect if your webmail account has been hacked into. The theory is simple: send yourself an HTML-encoded MIME email, attach a reference to an image, and when the image is called you know someone has read that email.

By looking through your logs and identifying if the image ever loads, you’ll be able to tell that someone has looked through your email. It’s not bullet-proof and doesn’t work on all types of mail clients, for a number of reasons, but it’s a solid idea.
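The two halves of the technique, as an added Python example (not the emailtripwire script and not code from the original post): building the self-addressed HTML MIME message with a unique image URL, and scanning a web server access log for fetches of that image. The host `img.example.test`, the token format, the function names and the sample log lines are assumptions made for illustration.

```python
import re
import secrets
from email.message import EmailMessage

# Assumption: a web host whose access log you can read (placeholder name).
TRACK_BASE = "https://img.example.test/t"

# Apache/nginx "combined" access-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?:GET|HEAD) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "[^"]*" "(?P<ua>[^"]*)")?')

def build_tripwire(addr, subject="Notes", token=None):
    """Build an HTML MIME mail to yourself that references a unique image URL."""
    token = token or secrets.token_hex(16)  # unguessable, one per mailbox
    msg = EmailMessage()
    msg["From"] = addr
    msg["To"] = addr
    msg["Subject"] = subject
    msg.set_content("This message needs an HTML-capable mail client.")
    msg.add_alternative(
        "<html><body><p>Notes.</p>"
        f'<img src="{TRACK_BASE}/{token}.gif" alt=""></body></html>',
        subtype="html")
    return msg, token

def find_hits(log_lines, token, own_ips=()):
    """Return (timestamp, ip, status, user_agent) per fetch of the tripwire image."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["ip"] in own_ips:
            continue  # unparsable line, or you opening your own mail
        # The request itself is the signal: a 404 for a missing image still counts.
        if m["path"].split("?")[0].endswith(f"/{token}.gif"):
            hits.append((m["ts"], m["ip"], m["status"], m["ua"] or ""))
    return hits

# Constructed sample log lines (documentation-range addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2015:09:14:02 +0000] "GET /t/abc123.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [14/Mar/2015:02:41:55 +0000] "GET /t/abc123.gif HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '192.0.2.50 - - [14/Mar/2015:03:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.40"',
]

if __name__ == "__main__":
    msg, token = build_tripwire("me@example.test", token="abc123")
    for hit in find_hits(SAMPLE_LOG, token, own_ips={"203.0.113.7"}):
        print("tripwire image fetched:", hit)
```

The message object can be handed to `smtplib.SMTP.send_message` for delivery. A hit records that the image was requested and from where, not who was at the keyboard.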

So I went back and wrote a little Perl script called “emailtripwire” that sends just such an email. I tested it on Yahoo mail and it worked perfectly. Google had delivery issues that I never got around to diagnosing. Outlook works great if you allow the image to load once – Outlook remembers that and will continue to do so; however, that setting may be dependent on your local setup and may not carry over to other Outlook installs. But it does appear to work, and that’s the important part.

Using your own server to host the image is naturally the best solution if you already have a server, but a lot of people don’t have access to their own server. Instead, people interested in this technique can use an image-based tracking server like Fraudlog that can show you when someone has visited the image after reading the email.

So it is still possible to use this method to detect if your email has been compromised or detect when someone like an administrator has been in your account, even without the ability to host your own image. Sometimes it’s the simple tricks that work the best!

Resources:

Facebook explains when employees can access your account without your password

How to check if your WebMail account has been hacked

emailtripwire

Fraudlog