Sergey Nivens -

Business email compromise made easy for cyber criminals

Poor security practices and access to hacking services are making it easy for cyber criminals to compromise business email, research reveals

Around 12.5 million company email boxes and 33,000 finance department credentials are openly accessible on the web, research from digital risk management and threat intelligence firm Digital Shadows has found.

This is making it easier for cyber criminals to compromise business email accounts to trick employees into helping them carry out fraud and other criminal activities.

The criminals are also being assisted by business email compromise (BEC) services advertised on the dark web, with hacked accounts available from $150 and delivered within a week, according to the security firm’s research, which revealed a wide range of methods used to infiltrate company emails.

The FBI has estimated that scams resulting from business email compromise, such as fake invoices and wire fraud, have cost businesses $12bn globally over the past five years. Typically, attackers send an email from a compromised executive’s account to an employee in the finance department instructing them to transfer funds into bank accounts controlled by the criminals.

While phishing is a common means of attack for tricking targeted people into revealing their credentials for their email accounts, the research revealed criminals were resorting to a wide variety of other methods to gain to access to business email accounts.

Sensitive, personal and financial information exposed

In many cases, companies are inadvertently making it easy for cyber criminals, the research found. Digital Shadows discovered entire company email inboxes exposed – over 12 million email archive files (.eml, .msg, .pst, .ost, .mbox) publicly available across misconfigured FTP, SMB, Amazon S3 buckets, rsync and network-attached storage (NAS) drives.

By improperly backing up these archives, the research report said employees and contractors were unwittingly exposing sensitive, personal and financial information. Digital Shadows discovered 27,000 publicly accessible invoices, 7,000 purchase orders and 21,000 payment records.

Finance professionals are particularly in the firing line, with 33,568 finance department email addresses exposed in third-party breaches and currently circulating on criminal forums. Of these, 83% (27,992) have passwords associated with them. Digital Shadows detected criminals specifically searching for company emails that contained common accounting domains such as “accounting@”, “accountreceivable@”, “accountpayable@” and “invoice@”.

These credentials are considered so valuable that one individual was found to be offering up to $5,000 for a single username and password pair, the research found.

Seven steps for reducing risk

  • Update security awareness training content to include the business email compromise (BEC) scenario.
  • Include BEC within incident response/business continuity planning.
  • Work with wire transfer application suppliers to build in manual controls, as well as multiple-person authorisations to approve significant wire transfers.
  • Continuously monitor for exposed credentials. This is particularly important for finance department emails.
  • Conduct ongoing assessments of executives’ digital footprints – threat actors will perform their reconnaissance on high-value targets. Start with using Google Alerts to track new web content related to them.
  • Prevent email archives being publicly exposed.
  • Businesses should be aware of the risks of contractors that back up emails on network-attached storage (NAS) devices. Users should add a password and disable guest/anonymous access, as well as opt for NAS devices that are secured by default.

Source: Digital Shadows

Email hacking services widely available

For criminals looking to outsource their work, Digital Shadows noted that business email compromise “as a service” was widely available for as little as $150 – with results available in a week or less. Alternatively, some cyber criminals were offering a percentage revenue share of the total earnings in return for access to inboxes.

As an example, one cyber criminal specialising in the construction sector engaged with Digital Shadows via the Jabber instant message service offering a 20% cut of the total proceeds that could be harvested from exploiting email vulnerabilities.  

Rick Holland, chief information security officer at Digital Shadows, said phishing was far from the only risk, especially as barriers to entry for this type of fraud were coming down.

“Millions of companies are already exposed through misconfiguration issues or finance department emails and passwords circulating online. With the right knowledge it is relatively easy for cyber criminals to find whole email boxes and accounting credentials – indeed, we found criminals actively looking for them,” he said.

“Naturally, as the return on investment from acquiring such sensitive information is so high, we also found cyber criminals actively collaborating with each other to target specific companies. Organisations can never mitigate these issues entirely, but it is within their power to at least tighten up on their own processes to ensure that their data exposure is kept to a minimum.”   

Read more about business email compromise


Read more on Hackers and cybercrime prevention

Data Center
Data Management