This dark web market is dedicated to compromising your emails

Some attackers are willing to part with large amounts of money in order to gain access to accounts they believe they can exploit in business email compromise scams.
Written by Danny Palmer, Senior Writer

Security researchers have exposed a thriving underground market with hackers offering access to business email addresses to crooks who then attempt to carry out frauds.

According to research by security company Digital Shadows, for as little as $150 dark web sellers are offering to hack into whichever corporate email account the buyer wants access to -- with many promising access within a week. In some instances, the sellers state they'll only take payment after they've proved the target has been compromised.

Researchers at Digital Shadows examined dark web forums and found a large amount of these illicit services on offer, with some users asking for specific accounts to be hacked, while others are offering their account-hacking services in exchange for a fee.

In exchange for acquiring access to the relevant email addresses to help conduct the campaigns, one attacker offered the undercover researcher 20 percent of the profits made.

"That some actors are offering a commission structure reflects how easy it is to acquire compromised email accounts online. With so many in circulation, some actors prefer the quality of the account and the potential rewards from them rather than simply having access to a hundred low-level emails," Rafael Amado, strategy and research analyst at Digital Shadows told ZDNet.

"The commission structure would appeal if the attacker was targeting high-value victims, where the commission gained here would be far higher than paying a set fee for a set of low-level accounts with little financial value".

By acquiring access to these email addresses through the skills of another dark web user, the attacker can then conduct their own phishing and social engineering schemes in an effort to trick corporate accounts departments into transferring them a large sum of money.

Perhaps more worryingly, some companies don't even need to be hacked. Digital Shadows discovered entire company email inboxes exposed -- over 12 million email archive files (.eml, .msg, .pst, .ost, .mbox) publicly available across misconfigured rsync, FTP, SMB, S3 buckets, and NAS drives. It also found 27,000 invoices, 7,000 purchase orders, and 21,000 payment records.

According to the FBI, business email compromise attacks have cost organisations over $12bn over the last five years -- if an attacker can make commission on one of these big attacks, it could be very lucrative; assuming their partner pays up, that is.

With large profits potentially available, it's no wonder that compromised email accounts of finance and accounting departments are a highly sought after commodity -- which is why some dark web users are willing to pay large amounts to gain access.

Researchers uncovered various posts on underground forums in which users were offering $5,000 up front for access to hacked company email addresses, with accounts departments in high demand. $5,000 might seem a lot to pay for some email addresses, but for those with the knowledge of how to exploit them, there's potentially millions of dollars to be made.

In order to ensure organisations are protected against business email compromise, Digital Shadows recommends that security awareness training be updated as new attacks come to light and that organisations include business email compromise in their incident response and business continuity planning.

It's also recommended that wire transfers of large sums of money should need to be approved by multiple people and that organisations should continuously monitor for exposed credentials so they know if they could potentially be at higher risk.

Companies should build the risk of business email compromise into their contingency plans, just as they have built ransomware and destructive malware into their incident response and business continuity planning, said Amado.
