A hacker is selling access to the email accounts of hundreds of C-level executives

Access is sold for $100 to $1500 per account, depending on the company size and exec role.
Written by Catalin Cimpanu, Contributor
CEO executive
Image: Ryoji Iwata

A threat actor is currently selling passwords for the email accounts of hundreds of C-level executives at companies across the world.

The data is being sold on a closed-access underground forum for Russian-speaking hackers named Exploit.inZDNet has learned this week.

The threat actor is selling email and password combinations for Office 365 and Microsoft accounts, which he claims are owned by high-level executives occupying functions such as:

  • CEO - chief executive officer
  • COO - chief operating officer
  • CFO - chief financial officer or chief financial controller
  • CMO - chief marketing officer
  • CTOs - chief technology officer
  • President
  • Vice president
  • Executive Assistant
  • Finance Manager
  • Accountant
  • Director
  • Finance Director
  • Financial Controller
  • Accounts Payables

Access to any of these accounts is sold for prices ranging from $100 to $1,500, depending on the company size and user's role.


The seller's ad on Exploit.in

Image via KELA

A source in the cyber-security community who agreed to contact the seller to obtain samples has confirmed the validity of the data and obtained valid credentials for two accounts, the CEO of a US medium-sized software company and the CFO of an EU-based retail store chain.

The source, which requested that ZDNet not use its name, is in the process of notifying the two companies, but also two other companies for which the seller published account passwords as public proof that they had valid data to sell.

These were login details for an executive at a UK business management consulting agency and for the president of a US apparel and accessories maker.


Sample login provided by the seller as public proof

Image via KELA

The seller refused to share how he obtained the login credentials but said he had hundreds more to sell.

According to data provided by threat intelligence firm KELA, the same threat actor had previously expressed interest in buying "Azor logs," a term that refers to data collected from computers infected with the AzorUlt info-stealer trojan.

Infostealer logs almost always contain usernames and passwords that the trojan extracts from browsers found installed on infected hosts.

This data is often collected by the infostealer operators, who filter and organize it, and then put it on sale on dedicated markets like Genesis, on hacking forums, or they sell it to other cybercrime gangs.

"Compromised corporate email credentials can be valuable for cybercriminals, as they can be monetized in many different ways," KELA Product Manager Raveed Laeb told ZDNet.

"Attackers can use them for internal communications as part of a 'CEO scam' - where criminals manipulate employees into wiring them large sums of money; they can be used in order to access sensitive information as part of an extortion scheme; or, these credentials can also be exploited in order to gain access to other internal systems that require email-based 2FA, in order to move laterally in the organization and conduct a network intrusion," Laeb added.

But, most likely, the compromised emails will be bought and abused for CEO scams, also known as BEC scams. According to an FBI report this year, BEC scams were, by far, the most popular form of cybercrime in 2019, having accounted for half of the cybercrime losses reported last year.

The easiest way of preventing hackers from monetizing any type of stolen credentials is to use a two-step verification (2SV) or two-factor authentication (2FA) solution for your online accounts. Even if hackers manage to steal login details, they will be useless without the proper 2SV/2FA additional verifier.

Editorial standards