Accounts offer discount benefits from retailers and access to educational content

Sep 5, 2014 00:13 GMT

Individuals engaged in e-commerce activity on Chinese online shopping platform Taobao offer for sale stolen email accounts belonging to top universities across the world.

The accounts offer various benefits, which include registration to software developer programs, discounts from certain retailers, as well as access to academic databases.

Provider of network security solutions Palo Alto Networks found the information available for sale after searching the listings on Taobao for “edu mailbox.” The search returned 99 entries of email addresses and passwords for 42 top universities from ten countries.

Accounts were stolen from 19 educational institutions in the US, among them MIT, Stanford, Yale, Princeton, Harvard, Purdue, Columbia, Cornell, University of Chicago, and New York University.

Next is China, with email accounts stolen from 14 institutions. South East University, Peking University, Shanghai Jiao Tong University, Hong Kong University and China University of Geosciences were among the owners.

Email accounts from similar organizations in Denmark (Aarhus Universitet), Italy (Università di Bologna), Sweden (Karolinska Institutet), Switzerland (ETH Zürich), UK (Imperial College London), Australia (University of Melbourne) and Canada (Toronto University) were also on the listings.

The sellers advertised the email accounts as being valid, accessible and active, also adding a description of the benefits they provide.

Prices ranged from 0.98 RMB ($0.16 / €0.12) to 2400 RMB ($390 / €300). One of the most popular listings had been sold at least 569 times and offered the possibility to perform a developer unlock on Windows Phone devices without having to pay the regular fee.

In other cases, the email accounts would offer significant student discounts at different retailers, such as Amazon, BestBuy, Apple and Dell.

Access to restricted content from a university was the third benefit touted by the sellers. This included tapping into resources from the library, as well as documentation and research studies.

The Palo Alto Networks researchers were able to talk to some of the sellers and found that some of them offered real accounts belonging to students, guaranteeing that once the transaction was completed, only the legitimate owner and the buyer could access the account.

Services like providing identity details that would allow changing the password or creating a custom email address were also advertised on Taobao.

Since these are illegal activities, the sellers protected their identity by purchasing one online. Taobao has been alerted to the criminal activity and replied that the issue would be corrected, although in some of the cases additional investigation would be required.

The risks stemming from the compromise of the accounts include phishing attacks, which could lead an attacker to sensitive information relating to research and even financial data.

On the bright side, Palo Alto Networks says that some of the educational organizations have a two-step verification feature in place to protect against fraudulent email account log-ins.