[BreachExchange] A hacker is selling access to the email accounts of hundreds of C-level executives

Destry Winant destry at riskbasedsecurity.com
Tue Dec 1 10:48:37 EST 2020


https://www.zdnet.com/article/a-hacker-is-selling-access-to-the-email-accounts-of-hundreds-of-c-level-executives/

A threat actor is currently selling passwords for the email accounts
of hundreds of C-level executives at companies across the world.

The data is being sold on a closed-access underground forum for
Russian-speaking hackers named Exploit.in, ZDNet has learned this
week.

The threat actor is selling email and password combinations for Office
365 and Microsoft accounts, which he claims are owned by high-level
executives occupying functions such as:

CEO - chief executive officer
COO - chief operating officer
CFO - chief financial officer or chief financial controller
CMO - chief marketing officer
CTO - chief technology officer
President
Vice president
Executive Assistant
Finance Manager
Accountant
Director
Finance Director
Financial Controller
Accounts Payable

Access to any of these accounts is sold for prices ranging from $100
to $1,500, depending on the company size and user's role.

[Image: the seller's ad on Exploit.in]


A source in the cyber-security community who agreed to contact the
seller and obtain samples confirmed the validity of the data: the
seller handed over working credentials for two accounts, the CEO of a
medium-sized US software company and the CFO of an EU-based retail
chain.

The source, which requested that ZDNet not use its name, is in the
process of notifying the two companies, but also two other companies
for which the seller published account passwords as public proof that
they had valid data to sell.

These were login details for an executive at a UK business management
consulting agency and for the president of a US apparel and
accessories maker.

[Image via KELA: sample login posted by the seller as public proof]

The seller refused to share how he obtained the login credentials but
said he had hundreds more to sell.

According to data provided by threat intelligence firm KELA, the same
threat actor had previously expressed interest in buying "Azor logs,"
the forum shorthand for data harvested from computers infected with
the AZORult info-stealer trojan.

Infostealer logs almost always contain the usernames and passwords
that the trojan extracts from the browsers installed on infected hosts.

This data is typically collected by the infostealer operators, who
filter and organize it before selling it on dedicated markets such as
Genesis, on hacking forums, or directly to other cybercrime gangs.

"Compromised corporate email credentials can be valuable for
cybercriminals, as they can be monetized in many different ways," KELA
Product Manager Raveed Laeb told ZDNet.

"Attackers can use them for internal communications as part of a 'CEO
scam' - where criminals manipulate employees into wiring them large
sums of money; they can be used in order to access sensitive
information as part of an extortion scheme; or, these credentials can
also be exploited in order to gain access to other internal systems
that require email-based 2FA, in order to move laterally in the
organization and conduct a network intrusion," Laeb added.

Most likely, though, the compromised mailboxes will be bought and
abused for CEO fraud, a form of business email compromise (BEC).
According to the FBI's report for 2019, published this year, BEC was
by far the costliest category of cybercrime, accounting for roughly
half of all cybercrime losses reported to the bureau that year.

The single most effective control against monetization of stolen
credentials of any kind is two-step verification (2SV) or two-factor
authentication (2FA) on the account. A leaked password then only gets
the attacker as far as the second-factor prompt. Two caveats follow
from the article itself: a second factor delivered to the very mailbox
the attacker already controls (the "email-based 2FA" Laeb mentions)
adds nothing, so the factor should live on a separate device or a
hardware key; and the exposed passwords still need to be reset, since
a factor bolted on after the fact does not un-leak them.

