October 4, 2018

Corporate Emails and Passwords: Yours for £115, Research Shows

"With financially-sensitive information constantly flowing through company emails, these inboxes are lucrative targets for attackers."

By CBR Staff Writer

A service to compromise corporate email accounts is available on the dark web for as little as $150 (£115), according to research by Digital Shadows published today.

The San Francisco-based company outlined the declining barriers to entry for corporate email fraud in a new piece of research that emphasised the rise in Hacking-as-a-Service, including the offer of profit sharing from such credential exploitation.

The research comes after the company earlier this year noted in its “Too Much Information” report that 1.5 billion files were exposed across the internet’s most ubiquitous file sharing services. That includes 64 million files in the UK alone – the equivalent to one file for nearly everyone in the country.

33,000 Corporate Emails + Passwords For Sale

In today’s research, the company said that it has detected more than 33,000 email addresses of finance departments that have been exposed through third-party compromises. Within that number, over 80 percent of the emails have password information attached or associated with them.

Digital Shadows point out in their research that: “If these passwords have been reused for corporate accounts, this may leave organizations at risk to account takeovers.”

“If a cyber-criminal gains access to a corporate email account, the type of information they can access is perfect for conducting a business email compromise campaign. Contracts, invoices and purchase orders will all be stored in these inboxes.”

Digital Shadows provide a case study in their research where they used human intelligence gathering to interact with a threat actor online.


The threat actor sought the emails from accounting departments of specific targets and made clear what type of format was required, such as “accountspayable@”, “accountsreceivables@”, “payables@”, and “receivables@”.


Emphasising the rise of hacking-as-a-service, Digital Shadows said that: “Rather than paying a set fee for credentials, the actor offered to pay 20% of the proceeds they would make. What was striking about this campaign was how targeted it was; the actor specified 100 targets, most commonly construction, property, public services and higher education.”

Construction firms were the most popular: of the 99 targets, 56 were construction companies, with education entities the second-largest group at 18.

However, Rafael Amado, Strategy and Research Analyst at Digital Shadows, told us that these figures represent this particular mercenary hacker’s interests.

He told Computer Business Review: “From talking with this threat actor it became clear that they had in-depth knowledge of the specific companies within this sector.”

“We concurred from our discussions that it was factors such as the high value of supplier invoices – for construction materials etc. – that were attractive, since a successful BEC attempt could yield relatively high returns.”


Digital Shadows researchers not only showed that there is a vibrant market in hacking-as-a-service, but they also found ample evidence of individuals willing to spend large sums of money to obtain company emails that contain “ap@”, “ar@”, “accounting@”, “accountreceivable@”, “accountpayable@”, and “invoice@”.

“These credentials are considered so valuable that the individual is offering up to $5,000. Other actors will instead offer a percentage of the total earnings in return for access to these inboxes,” the researchers noted.

In order to stay ahead of these types of threats, Digital Shadows recommended that: “Organizations should detect when their accounting emails are compromised, and ensure the passwords are not re-used for corporate accounts. Furthermore, finance departments should limit the extent to which they sign up for third party services with the department email account.”
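As an added, illustrative example (not from the article or from Digital Shadows), the following Python check implements the first two recommendations: it scans a third-party breach dump for the organisation's finance role mailboxes listed in the research and tests whether an exposed password is still the corporate one. The dump, the directory export and the SHA-256-keyed password store are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

# Role mailboxes the research found being sought and sold by threat actors.
FINANCE_ROLE_LOCALPARTS = {
    "accountspayable", "accountsreceivables", "payables", "receivables",
    "ap", "ar", "accounting", "accountreceivable", "accountpayable", "invoice",
}

# Constructed sample of a third-party breach dump in the common "email:password" form.
SAMPLE_DUMP = """\
accountspayable@example.com:Spring2018!
ap@example.com:Welcome1
jdoe@example.com:hunter2
invoice@unrelated.example:letmein
"""

def password_fingerprint(password: str) -> str:
    # Assumption: the directory export is keyed by SHA-256 of the password; real checks go via the IdP's API.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Constructed corporate directory export: address -> fingerprint of the current password.
CORPORATE_FINGERPRINTS = {
    "accountspayable@example.com": password_fingerprint("Spring2018!"),  # reused in dump
    "ap@example.com": password_fingerprint("a-different-password"),  # exposed, not reused
    "jdoe@example.com": password_fingerprint("hunter2"),  # reused, but not a role mailbox
}

def classify(address: str, our_domain: str) -> Optional[str]:
    """'high' for finance role mailboxes on our domain, 'medium' for other corporate addresses, None otherwise."""
    local, _, domain = address.lower().rpartition("@")
    if domain != our_domain.lower():
        return None
    return "high" if local in FINANCE_ROLE_LOCALPARTS else "medium"

def scan_dump(dump: str, our_domain: str, fingerprints: Dict[str, str]) -> List[dict]:
    """Flag our addresses in the dump and check (in constant time) whether the exposed password is still in use."""
    findings = []
    for line in dump.splitlines():
        if ":" not in line:
            continue
        address, _, password = line.partition(":")  # the password itself may contain ':'
        severity = classify(address, our_domain)
        if severity is None:
            continue
        current = fingerprints.get(address.lower())
        reused = current is not None and hmac.compare_digest(current, password_fingerprint(password))
        findings.append({"address": address.lower(), "severity": severity, "password_reused": reused})
    return findings
```

Running `scan_dump(SAMPLE_DUMP, "example.com", CORPORATE_FINGERPRINTS)` flags the two finance role mailboxes as high severity, with only the accounts-payable password confirmed as reused.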
