Posted on November 29, 2020 at 2:23 PM
A recent report reveals that a hacker has put access to hundreds of C-level executives' email accounts up for sale. The listing covers executives at companies all over the world.
According to the report, the data is being sold on Exploit.in, a closed-access underground forum for Russian-speaking hackers.
What is on offer are username and password pairs for Microsoft accounts and Office 365 accounts belonging to executives holding a range of top-level positions in their organizations.
Details of top executives exposed
These positions include: chief technology officer, chief marketing officer, chief financial officer, chief operating officer, chief executive officer, accounts payable, financial controller, finance director, accountant, finance manager, executive assistant, vice president, and president.
A cybersecurity expert who wishes to stay anonymous contacted the seller and obtained two sets of credentials as samples, then confirmed that both were valid. The two working accounts belonged to the chief financial officer of an EU-based retail store chain and the chief executive officer of a medium-sized U.S. software company.
The source who obtained the samples intends to notify the two companies. Apart from those samples, the seller also published two further sets of account details alongside the listing as proof that the credentials are genuine.
These were the login details of the president of a U.S.-based apparel and accessories maker and those of an account at a U.K. business management consultancy.
The hacker did not say how he obtained the credentials, only that he has hundreds more of them for sale.
Threat intelligence firm KELA provided data showing that the same hacker has been involved in other dealings in the past. According to the firm, the same actor had previously sought to buy "Azor logs", which are sets of logs harvested by the AZORult info-stealer Trojan.
Info-stealer logs typically contain account credentials (username and password) that the Trojan has extracted from the browsers and applications of infected computers. The KELA researchers believe the threat actor obtained the executive credentials this way, and that he is not working alone.
Such data is usually collected by the info-stealer operators, who filter and organize it before putting it up for sale on hacking forums or selling it on to other cybercriminals for profit.
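The same filtering and organizing step that the sellers perform is what a defender has to do in reverse when a stealer log turns up in a threat-intelligence feed: parse the records, group them by the domain of the stolen login, and pull out every entry that belongs to the organization's own domains and targets a Microsoft or Office 365 sign-in page, so those accounts can be reset and their sessions revoked. The script below is an added example and is not code from the article or from KELA. The record layout (`Soft` / `URL` / `Login` / `Password` blocks), the list of Microsoft login hosts, and the `example-*` domains are assumptions made for illustration; real stealer dumps vary in format and the host list would be tuned to what your tenant actually uses.

```python
"""Triage a constructed info-stealer credential dump for an organization's own accounts.

Added example, not code from the article or from KELA. The record layout below is an
assumed approximation of the "Soft / URL / Login / Password" blocks common to commodity
stealer dumps; it is not a verbatim AZORult format.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample dump (three records, blank-line separated). Not real data.
SAMPLE_DUMP = """\
Soft: Google Chrome
URL: https://login.microsoftonline.com/common/oauth2/authorize
Login: cfo@example-retail.eu
Password: Winter2020!

Soft: Mozilla Firefox
URL: https://outlook.office365.com/owa/
Login: ceo@example-software.com
Password: Passw0rd

Soft: Google Chrome
URL: https://www.example-shop.net/account/login
Login: jane.doe@gmail.com
Password: hunter2
"""

# Hosts treated as Microsoft / Office 365 sign-in pages (assumption for this example).
MICROSOFT_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.live.com",
    "outlook.office365.com",
    "outlook.office.com",
}

# One record = four labelled lines in fixed order; password may be empty.
RECORD_RE = re.compile(
    r"Soft:\s*(?P<soft>.+)\n"
    r"URL:\s*(?P<url>\S+)\n"
    r"Login:\s*(?P<login>\S+)\n"
    r"Password:\s*(?P<password>.*)"
)


def parse_dump(text):
    """Return one dict per well-formed record; malformed blocks are skipped, not guessed."""
    records = []
    for block in text.strip().split("\n\n"):
        m = RECORD_RE.match(block.strip())
        if m is None:
            continue
        rec = m.groupdict()
        rec["host"] = (urlparse(rec["url"]).hostname or "").lower()
        records.append(rec)
    return records


def triage(records, own_domains):
    """Group records by the domain of the stolen login and flag the ones to act on.

    Returns (by_domain, hits). by_domain maps 'example.com' -> [records]. hits is the
    subset whose login is in one of own_domains AND was captured on a Microsoft login host.
    """
    own = {d.lower() for d in own_domains}
    by_domain = defaultdict(list)
    hits = []
    for rec in records:
        domain = rec["login"].rsplit("@", 1)[-1].lower()
        by_domain[domain].append(rec)
        if domain in own and rec["host"] in MICROSOFT_LOGIN_HOSTS:
            hits.append(rec)
    return by_domain, hits


def redact(password):
    """Triage reports must not carry the cleartext; keep only the length."""
    return "*" * len(password)


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    grouped, to_reset = triage(recs, {"example-retail.eu", "example-software.com"})
    for rec in to_reset:
        print(f"RESET PASSWORD + REVOKE SESSIONS: {rec['login']} "
              f"(captured at {rec['host']} via {rec['soft']}, pw {redact(rec['password'])})")
```

The hits are the accounts to reset and sign out of all sessions immediately; the remaining groups (other companies' domains, personal webmail) are what you would pass on to the affected parties or ignore. The password is redacted before anything is printed so the triage output itself does not become a second copy of the leak.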
Raveed Laeb, product manager of KELA, pointed out that the illegal business of selling stolen data is very profitable for cybercriminals, as it can be monetized in different ways.
“Compromised corporate email credentials can be valuable for cybercriminals, as they can be monetized in many different ways,” he said.
He added that these groups increasingly transact in cryptocurrency, which lets them sell stolen data with far less risk of being traced through their accounts than conventional fiat payments would carry.
Stolen data usually bought for BEC scams
Buyers of such data can hold it for later use in "CEO scams", in which threat actors impersonate an executive and trick employees into wiring large sums of money while the employee believes the transfer is legitimate.
Beyond that, the credentials can be used to reach other internal systems that rely on email-based two-factor authentication, with the compromised mailbox supplying the second factor as part of a wider network intrusion.
Most compromised executive mailboxes, however, are bought for CEO scams, better known as business email compromise (BEC). Last year's FBI cybercrime report found BEC to be the costliest form of cybercrime in 2019, accounting for more than half of all reported cybercrime losses.
The rate has risen further this year, as cybercriminals exploit the fact that many employees have been forced to work from home because of the COVID-19 pandemic and routine payment requests now arrive by email rather than in person.