Cyber attackers have found new ways to break into corporate email accounts, and the resulting business email compromise has cost companies US$12 billion over the last three to five years, according to Digital Shadows.
Compromised corporate email accounts are commonly traded on the dark web, where criminals can earn a pretty penny, particularly if the accounts belong to employees in accounting or finance departments, and most especially if they belong to people holding key positions at major finance companies.
According to the report, researchers detected more than 32,000 email addresses of finance departments that had been exposed by third parties. Of those, almost 80% included passwords. On dot-com domains, the research found more than 18,000 credentials exposed.
The report also includes screenshots of exchanges on an invitation-only dark web forum in which a criminal is seeking accounting email accounts from companies in the United States and South Africa.
These fraudsters are financially motivated. They have expanded their attack methods beyond the commonly used, and quite reliable, phishing attacks to include account takeover attacks or simply buying access. In one online forum, a hacker offers to break into corporate email accounts for as little as US$150, suggesting that cyber-criminals are winning the digital war on fraud.
Using social engineering and email spoofing, they are running more targeted campaigns. All the while, companies are inadvertently making it easier for them to breach corporate email accounts.
In fact, according to the report, entire company mailboxes have been left exposed on the internet: more than 12 million archived email files were found exposed through misconfigured rsync servers, FTP servers, SMB shares, S3 buckets and NAS drives.
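The S3 case above is the easiest of those exposures to check for with a script, because the bucket's access configuration can be pulled as JSON. The following is an added example and not code from the Digital Shadows report: it takes the JSON shape returned by `aws s3api get-bucket-policy` and `aws s3api get-bucket-acl` and flags grants that open objects to everyone. The two policies and the ACL embedded below are constructed for illustration; the account ID, role name and Sids in them are hypothetical.

```python
"""Flag S3 bucket policies and ACLs that expose objects to the world.

Added example, not from the Digital Shadows report. The sample policies
and ACL below are constructed; field names follow the JSON that
`aws s3api get-bucket-policy` and `aws s3api get-bucket-acl` return.
"""
import json

# Predefined AWS groups: "AllUsers" is anonymous, "AuthenticatedUsers" is
# any AWS account in the world, which is just as public in practice.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Actions that let a caller fetch object contents (compared lower-cased).
READ_ACTIONS = {"s3:getobject", "s3:*", "*"}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or Principal {"AWS": "*"} (anyone on the internet)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_allows_anonymous_read(policy):
    """Return the Sids of Allow statements that grant object reads to everyone.

    Accepts the policy as a dict or as the JSON string the CLI prints.
    Statements carrying a Condition are skipped, not flagged: a condition
    such as aws:SourceVpce may narrow "*" enough, so they need manual review.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    offending = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS:
            offending.append(stmt.get("Sid", "<no Sid>"))
    return offending


def acl_public_grants(acl):
    """Return (permission, group URI) pairs granted to a world-readable group."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            hits.append((grant.get("Permission"), grantee["URI"]))
    return hits


# Constructed sample: the weak policy that would leak a mail-archive bucket.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::mail-archive/*"},
    ],
}
WEAK_POLICY_TEXT = json.dumps(WEAK_POLICY)

# Constructed sample: the same bucket restricted to one (hypothetical) backup role,
# plus a "*" grant narrowed by a Condition, which is left for manual review.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "BackupRoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/mail-backup"},
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::mail-archive/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::mail-archive/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
}

# Constructed sample ACL with a legacy "public-read" grant.
SAMPLE_ACL = {
    "Owner": {"ID": "abc123"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "abc123"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    print("weak policy:", policy_allows_anonymous_read(WEAK_POLICY))
    print("hardened policy:", policy_allows_anonymous_read(HARDENED_POLICY))
    print("ACL public grants:", acl_public_grants(SAMPLE_ACL))
```

Run it against real output by piping `aws s3api get-bucket-policy --bucket NAME --query Policy --output text` into `policy_allows_anonymous_read`; an empty list from both functions is necessary but not sufficient, since Block Public Access settings and object-level ACLs also decide what an anonymous `GET` returns.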
Researchers also discovered sensitive personal and financial information exposed in more than 23,000 billing invoices, more than 5,000 purchase orders and 20,000 payment records, the result of faulty backups and unsecured networks.
Phishing continues to be a very serious problem associated with business email compromise, but, unfortunately, we discovered that it is far from the only risk, especially as barriers to entry for this type of fraud are coming down.
Millions of companies are already exposed through misconfiguration issues or finance department emails and passwords circulating online. With the right knowledge it is relatively easy for cyber-criminals to find whole email boxes and accounting credentials – indeed we found criminals actively looking for them.
We hope that these kinds of attacks will make these companies, and others, aware that the threat is real. This is not a laughing matter, and beyond the money, it is people's information and identities that should be protected.