A gas can full of snake bile, breast-milk soap, the head of Tom Cruise—those are just some of the odd things you can buy on Alibaba’s Taobao, China’s biggest consumer-to-consumer online marketplace. Add to that fake or stolen university email addresses. In an investigation last week, IT security company Palo Alto Networks found email accounts from 42 universities for sale on Taobao, ranging from 0.98 yuan to 2,400 yuan ($0.16 to $390).
What “.edu” accounts were up for grabs? The 19 US universities included many Ivy League colleges, Massachusetts Institute of Technology, Duke, Stanford, as well as some less obvious choices to claim as one’s fake alma mater (e.g. University of California, Merced).
The National University of Singapore and UK’s Imperial College London had accounts available, as did Sweden’s Karolinska Institutet, Denmark’s Aarhus Universitet, and Australia’s University of Melbourne. More than a dozen of those for sale were from prominent universities in China.
The pricier email accounts were those associated with leading universities that can be used to access library services, online journals, and other digital services. Sellers of these accounts told Palo Alto Networks that the account information for sale had been stolen. For instance, while one recommended that the buyer keep the password the same to avoid attracting the notice of the legitimate owner, another offered information about the user’s real identity to help his customers provide the security information necessary to change the password.
Cheaper sale items were associated with Microsoft student developer email accounts that can be used to “unlock” Windows phones without incurring a fee. As Palo Alto Networks points out, this seems to be the most popular reason for purchasing a fake university email address, with at least 569 sold.
Another common type of ad offered email accounts for use in obtaining student discounts at Amazon, Best Buy, Apple, and other retailers.
Palo Alto Networks says that after it informed Taobao of its findings on Aug. 27, the company responded by saying that it had removed several ads and was working to address the issue. And while Quartz’s search of Taobao still brings up ads for Amazon Student Prime and Windows phone-unlocking, none for library and other services was found.
However, as the security firm notes, the fact that what seem to be stolen accounts were actively selling on Taobao suggests that many universities’ online security regimes are lax enough that email accounts could be used for nefarious purposes, such as phishing scams. This prospect is all the more disquieting given the recent spate of cyber attacks coming from China. Purdue University, one of the schools whose email accounts were for sale on Taobao, told Inside Higher Ed that it doesn’t have any way of tracking “.edu” accounts used for retail discounts, but can detect newly created accounts used to access its network. However, detecting the impersonation of an active student is likely another matter entirely.