Security researchers have exposed a thriving underground market with hackers offering access to business email addresses to crooks who then attempt to carry out frauds.
According to research by security company Digital Shadows for as little as $150, dark web sellers are offering to hack into whichever corporate email account the user wants to gain access to -- with many promising access within a week. In some instances, the sellers state they'll only take the payment after they've proved the target has been compromised.
Researchers at Digital Shadows examined dark web forums and found a large amount of these illicit services on offer, with some users asking for specific accounts to be hacked, while others are offering their account-hacking services in exchange for a fee.
In exchange for acquiring access to the relevant email addresses to help conduct the campaigns, one attacker offered the undercover researcher 20 percent of the profits made.
"That some actors are offering a commission structure reflects how easy it is to acquire compromised email accounts online. With so many in circulation, some actors prefer the quality of the account and the potential rewards from them rather than simply having access to a hundred low-level emails," Rafael Amado, strategy and research analyst at Digital Shadows told ZDNet.
"The commission structure would appeal if the attacker was targeting high-value victims, where the commission gained here would be far higher than paying a set fee for a set of low-level accounts with little financial value".
By acquiring access to these email addresses by employing the skills of another dark web user, the attacker can then conducting their own phishing and social engineering schemes in an effort to trick corporate accounts departments into transferring them a large sum of money.
Perhaps more worryingly, some companies don't even need to be hacked. Digital Shadows discovered entire company email inboxes exposed -- over 12 million email archive files (.eml, .msg, .pst, .ost, .mbox) publicly available across misconfigured rsync, FTP, SMB, S3 buckets, and NAS drives. It also found 27,000 invoices, 7,000 purchase orders, and 21,000 payment records.
According to the FBI, business email compromise attacks have cost organisations over $12bn over the last five years -- if an attacker can make commission on one of these big attacks, it could be very lucrative; assuming their partner pays up, that is.
With large profits potentially available, it's no wonder that compromised email accounts of finance and accounting departments are a highly sought after commodity -- which is why some dark web users are willing to pay large amounts to gain access.
Researchers uncovered various posts on underground forums in which users were offering $5,000 up front for access to hacked company email addresses, with accounts departments in high demand. $5,000 might seem a lot to pay for some email addresses, but for those with the knowledge of how to exploit them, there's potentially millions of dollars to be made.
In order to ensure organisations are protected against business email compromise, Digital Shadows recommends that security awareness training is updated as new attacks come to light and that organisations should include business email compromise in their incident response and business continuity planning.
It's also recommended that wire transfers of large sums of money should need to be approved by multiple people and that organisations should continuously monitor for exposed credentials so they know if they could potentially be at higher risk.
Companies should build the risk of business email compromise into their contingency plans, just as they have built ransomware and destructive malware into their incident response and business continuity planning, said Amado.
READ MORE ON CYBER CRIME
- Phishing warning: One in every one hundred emails is now a hacking attempt
- Why that email from your boss could be a scam waiting to happen TechRepublic
- BEC scam artist ordered to pay back $2.5 million, lands hefty prison sentence
- Researchers find stolen military drone secrets for sale on the dark web CNET
- Cyber threat intelligence versus business risk intelligence: What you need to know