“With financially-sensitive information constantly flowing through company emails, these inboxes are lucrative targets for attackers.”
A service to compromise corporate email accounts is available on the dark web for as little as $150 (£115), according to research by Digital Shadows published today.
The San Francisco-based company outlined the declining barriers to entry for corporate email fraud in a new piece of research that emphasised the rise in Hacking-as-a-Service, including the offer of profit sharing from such credential exploitation.
The research comes after the company earlier this year noted in its “Too Much Information” report that 1.5 billion files were exposed across the internet’s most ubiquitous file sharing services. That includes 64 million files in the UK alone – the equivalent to one file for nearly everyone in the country.
33,000 Corporate Emails + Passwords For Sale
In today’s research, the company said that it has detected more than 33,000 email addresses of finance departments that have been exposed through third party compromises. Within that number over 80 percent of the emails have password information attached or associated with them.
Digital Shadows point out in their research that: “If these passwords have been reused for corporate accounts, this may leave organizations at risk to account takeovers.”
“If a cyber-criminal gains access to a corporate email account, the type of information they can access is perfect for conducting a business email compromise campaign. Contracts, invoices and purchase orders will all be stored in these inboxes.”
Digital Shadows provide a case study in their research where they used human intelligence gathering to interact with a threat actor online.
The threat actor sought the emails from accounting departments of specific targets and made clear what type of format is required, such as “accountspayable@”, “accountsreceivables@”, “payables@”, and “receivables@”.
Emphasising the rise of hacking-as-a-service, Digital Shadows said that: “Rather than paying a set fee for credentials, the actor offered to pay 20% of the proceeds they would make. What was striking about this campaign was how targeted it was; the actor specified 100 targets, most commonly construction, property, public services and higher education.”
Construction firms were the most popular target: of the 99 targets, 56 were construction companies, with education entities the second highest at 18.
However, Rafael Amado, Strategy and Research Analyst at Digital Shadows, told us that these figures reflect this particular mercenary hacker’s interests rather than the market as a whole.
He told Computer Business Review: “From talking with this threat actor it became clear that they had in-depth knowledge of the specific companies within this sector.”
“We concurred from our discussions that it was factors such as the high value of supplier invoices – for construction materials etc. – that was an attractive factor, since a successful BEC attempt could yield relatively high returns.”
Digital Shadows researchers not only showed that there is a vibrant market in hacking-as-a-service, but also found ample evidence of individuals willing to spend large sums of money to obtain company emails that contain “ap@”, “ar@”, “accounting@”, “accountreceivable@”, “accountpayable@”, and “invoice@”.
“These credentials are considered so valuable that the individual is offering up to $5,000. Other actors will instead offer a percentage of the total earnings in return for access to these inboxes,” the researchers noted.
In order to stay ahead of these types of threat Digital Shadows recommended that: “Organizations should detect when their accounting emails are compromised, and ensure the passwords are not re-used for corporate accounts. Furthermore, finance departments should limit the extent to which they sign up for third party services with the department email account.”
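The two recommendations above, detecting when accounting mailboxes turn up in third-party breach data and confirming the exposed password is not the one in use on the corporate account, can be automated. The following is an added example written for this page, not code from Digital Shadows or Computer Business Review. It assumes a feed of exposed-credential records (the sample records and breach names below are constructed), a corporate credential store that keeps PBKDF2-HMAC-SHA256 hashes (an assumption standing in for whatever the directory actually uses), and the role-mailbox names quoted in the research as the set of finance local parts to watch.

```python
"""Flag exposed finance-department mailboxes and password reuse (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Role-mailbox local parts the research quotes as the ones buyers ask for.
FINANCE_LOCAL_PARTS = {
    "accountspayable", "accountsreceivables", "payables", "receivables",
    "ap", "ar", "accounting", "accountreceivable", "accountpayable", "invoice",
}

# Severity ordering used when ranking findings (higher means act sooner).
SEVERITY = {"ADDRESS_EXPOSED": 1, "PASSWORD_EXPOSED": 2, "PASSWORD_REUSED": 3}

PBKDF2_ROUNDS = 100_000  # assumed parameter of the corporate credential store


@dataclass(frozen=True)
class ExposedRecord:
    """One line from a third-party breach dump, as a monitoring feed might deliver it."""
    email: str
    password: Optional[str]  # None when the dump carries only the address
    source: str              # name of the compromised third-party service


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256, standing in for the corporate directory's own scheme (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_store_entry(password: str, salt: Optional[bytes] = None) -> tuple:
    """Build a (salt, hash) pair as the corporate store would hold it."""
    salt = salt or secrets.token_bytes(16)
    return salt, hash_password(password, salt)


def password_reused(exposed: str, entry: tuple) -> bool:
    """True if the password leaked by a third party is the live corporate password."""
    salt, stored = entry
    return hmac.compare_digest(hash_password(exposed, salt), stored)


def split_address(email: str) -> tuple:
    local, _, domain = email.strip().lower().rpartition("@")
    return local, domain


def assess(records, org_domains, corporate_store):
    """Return findings for our own domains only, highest severity first."""
    domains = {d.lower() for d in org_domains}
    findings = []
    for rec in records:
        local, domain = split_address(rec.email)
        if domain not in domains:
            continue  # somebody else's mailbox; not ours to act on
        level = "ADDRESS_EXPOSED"
        if rec.password is not None:
            level = "PASSWORD_EXPOSED"
            entry = corporate_store.get(f"{local}@{domain}")
            if entry is not None and password_reused(rec.password, entry):
                level = "PASSWORD_REUSED"  # reset now; account takeover is one login away
        findings.append({
            "email": f"{local}@{domain}",
            "source": rec.source,
            "finance_role": local in FINANCE_LOCAL_PARTS,
            "level": level,
        })
    findings.sort(key=lambda f: (SEVERITY[f["level"]], f["finance_role"]), reverse=True)
    return findings


# --- constructed sample data; none of these are real breach records ---
SAMPLE_STORE = {
    "accountspayable@example.com": make_store_entry("Spring2018!"),
    "invoice@example.com": make_store_entry("a-different-password"),
    "marketing@example.com": make_store_entry("Marketing#1"),
}
SAMPLE_RECORDS = [
    ExposedRecord("AccountsPayable@example.com", "Spring2018!", "vendor-portal-dump"),
    ExposedRecord("invoice@example.com", "hunter2", "webinar-platform-dump"),
    ExposedRecord("receivables@example.com", None, "mailing-list-dump"),
    ExposedRecord("marketing@example.com", "Marketing#1", "vendor-portal-dump"),
    ExposedRecord("ap@other-company.test", "irrelevant", "vendor-portal-dump"),
]

if __name__ == "__main__":
    for f in assess(SAMPLE_RECORDS, ["example.com"], SAMPLE_STORE):
        print(f"{f['level']:17} finance={str(f['finance_role']):5} "
              f"{f['email']} (via {f['source']})")
```

The reuse check is the part worth keeping even if the rest is replaced by a commercial monitoring feed: an exposed address alone is a phishing risk, an exposed password that still opens the corporate mailbox is the takeover the research describes. Ranking finance role mailboxes above the rest reflects the buyers' own shopping list; a compromised `marketing@` still matters, but the `accountspayable@` inbox is where the invoices live.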