University Email Accounts for Sale in China

September 9, 2014

An email address from a prestigious university and access to its library and other services can now be yours for the low, low price of 16 cents!

But wait -- there’s more!

The IT security company Palo Alto Networks last week found email accounts from 42 universities worldwide -- 19 of them in the U.S. -- for sale on Taobao, China’s version of eBay. The site is owned by the massive Alibaba Group, which specializes in ecommerce. Accounts from universities in Australia, Canada, China, Denmark, Switzerland and the United Kingdom are also listed for sale.

Some accounts can be purchased for as little as 1 Chinese yuan, or about 16 cents, but prices for the most expensive accounts reached 2,400 Chinese yuan -- about $390, based on Monday’s exchange rates. The accounts all come with valid passwords, and the listings “guaranteed that all email accounts were valid, accessible, and active.”

Universities in the U.S. are routinely bombarded with malicious attacks originating in countries such as China. Armed with a university email address, hackers may gain a trusted platform from which to launch those attacks. For example, an administrator or faculty member may not think twice about whether an email is actually a phishing attack meant to steal their credentials when it comes from a valid university account.

In fact, Palo Alto Networks found many buyers may be using the email accounts to score discounts around the Internet. Several listings walked potential buyers through the process of using their newly acquired “.edu” accounts to secure cheap software deals or memberships with online retailers. Others may use the accounts to access academic databases, journals and other resources universities subscribe to.

If the accounts are only being used for online discounts, universities don’t have any way to track it, a spokesman for Purdue University said. The institution is one of the 19 listed in the analysis. But if the buyers attempt to access Purdue’s network, he said, “then yes, they do have ways to detect that.”

The spokesman declined to go into detail to avoid compromising Purdue’s network security, as is usually the case when universities discuss the topic.

Palo Alto Networks were able to get in touch with several sellers, one of whom explained how the accounts ended up on Taobao to begin with.

“A well-stocked seller told us that every account he sold belonged to an active student at the respective university,” analysts Claud Xiao and Rob Downs wrote. “He claimed that once the account was sold, only the one buyer and the legitimate user would have access.”

Those accounts were also the least expensive. For a slightly higher price, buyers could request customized addresses. To verify the listings weren’t scams, the analysts bought an account and received a working email address four hours later.

The analysts have reported the accounts to Taobao, which is reportedly working on addressing the issue.

Be the first to know.
Get our free daily newsletter.


+ -

Expand commentsHide comments  —   Join the conversation!

Opinions on Inside Higher Ed

Inside Higher Ed’s Blog U

What Others Are Reading

  • Viewed
  • Past:
  • Day
  • Week
  • Month
  • Year
Back to Top