Sales of CEO email accounts may give cyber criminals access to the "crown jewels" of a company

Multiple security professionals said stolen credentials on Exploit.in were part of a tidal wave of business email compromise attacks.

email-data-phishing-with-cyber-thief-hide-behind-laptop-computer-vector-id1164097820-1.jpg

Image: iStock/OrnRin

A hacker began selling access to hundreds of stolen executive email accounts last Friday, ZDNet reported. Email and password combinations are being sold for anywhere from $100 to $1,500 on Exploit.in, an underground hacker forum populated by Russian speakers. 

The login information has been verified by cybersecurity teams and are for Office 365 and Microsoft accounts of CEOs, COOs, CFOs, CTOs and other senior positions. ZDNet reported that a security team has seen the login information from the CFO of European retail outlet and the CEO of a US-based software company.

SEE: Meet the hackers who earn millions for saving the web, one bug at a time (cover story PDF) (TechRepublic)

The person behind the leak said he has hundreds of credentials for sale, and experts told TechRepublic that while it is still unclear how original or real the batch of information is, the consequences would be devastating for any company named in the leak.

Javvad Malik, security awareness advocate at cybersecurity company KnowBe4, called email account access the "crown jewels" for anyone looking to damage an organization, and the accounts of C-level executives were even more integral to an enterprise. 

SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)

"With access to an executives email, there is no limit to what a criminal can do. Not only can they send out phishing emails on behalf of the exec to defraud the company or its customers, but they can set up email rules which automatically forward emails to an external email address. These rules will remain functioning even if the account password is changed," Malik said. 

"It's possible that these email accounts and passwords were captured through phishing or because the execs were re-using the same password elsewhere." 

The leaked batch of account information is part of a much larger trend of cybercriminals going after the accounts of CEOs and executives at hundreds of companies. Most recently, hackers have made a point of attacking pharmaceutical executives

Adam Darrah, director of intelligence at Vigilante, said the seller who was alleged to have access to the data has been banned from the forum for unknown reasons. 

"This is not an uncommon practice within the economic underground because when a news story causes an increase in unwanted attention by media, researchers, and impersonators alike, the actor or actors in question, including forum moderators and administrators, would prefer things to cool down on the forum before a 'return to normal' status," Darrah said. "Also, if the actor in question did in fact have the compromised credentials in question, there are plenty of other options for them outside of underground forum communities in which to sell the data."

Netenrich CISO Brandon Hoffman noted that Exploit.in is a well-known and exceedingly popular closed-source forum that cybercriminals use to ply their trade.

Many threat actors flock to the forum to routinely sell access to hundreds or thousands of credentials each day, he said, adding that it was common for information like this to be sourced from Azorult logs. 

"Azorult has been the info stealer of choice by cybercriminals for easily the past two years if not longer. There are massive volumes of Azorult logs that are easily found and accessed by lay people. Once the cybercriminal determines there is no value in the remaining logs that haven't been purchased, they will generally release them for 'public' consumption," Hoffman explained.

"If one wanted to see a sample of Azorult logs and the related formats and data they can be found in sites like Virus Total if you know where to look. These logs are used to fuel a wide range of scams and attacks."

Most security experts said the situation was yet another example of why it was crucial that all enterprises, and really anyone who uses the internet, to have multifactor authentication engaged. 

But some questioned whether multifactor authentication was enough to protect account information considering the number of Office 365 breaches that continue to occur. 

Account takeover breaches are the fastest growing and most prevalent, adversely impacting organizations' reputations and incurring financial consequences, according to Chris Morales, head of security analytics at Vectra.

"This compromise of executive accounts coincides with a huge transition to remote work—a result of the ongoing COVID-19 pandemic—and the increased adoption of SaaS platforms, like Microsoft Office 365, as the daily go-to digital workspaces," Morales said. "While Office 365 provides the distributed workforce with a primary domain to conduct business, it also creates a central repository of data and information that's a prime target for attackers to exploit."

The increasing frequency of these attacks was worrying to security analysts who said tens of thousands of computers are infected every week with information stealing Trojans designed to steal every account credential that isn't nailed to the desktop. 

Most companies still have hundreds if not thousands of accounts that share a password with ones stolen in the LinkedIn breach from over four years ago, said Chet Wisniewski, principal research scientist at Sophos, adding that when combined with credentials harvested through phishing attacks and these info stealers, "you have to assume most companies have at least one important person in a similar position."

Richard Hosgood, director of engineering at Votiro, echoed those concerns and told TechRepublic that many companies' high-level executives tend to have similar access to administrators in their corporate network. 

Hosgood compared having access to an Office 365 account username and password to giving hackers access to internal corporate servers because most online accounts and passwords are synchronized between Office 365 and the internal domain controllers. 

Rise of Business Email Compromise

Multiple security experts said the stolen credentials were part of a tidal wave of business email compromise (BEC) attacks that are increasingly becoming a major problem for enterprises. 

Kacey Clark, threat researcher at Digital Shadows, said that for the fifth year running, BEC attacks, a specialized form of phishing, comprise the highest reported financial loss, a whopping $1.8 billion in 2019. 

"Credentials belonging to high-ranking employees are precious to malicious actors, as they can leverage login data to carry out additional attacks, such as spearphishing and fraud. The fallout from a credential breach extends beyond an organization and to its customers. The relevant accounts can hold (or have access to) incredibly sensitive information," Clark explained.

"An attacker who gets their hands on credentials for valid accounts could inflict untold damage: Logging into internal databases, exfiltrating sensitive data, or launching social-engineering attacks.

Clark went on to say that while two-factor authentication is better than nothing, it was becoming clear that it isn't infallible based on previous attacks. Cybercriminals now frequently discuss methods to bypass two-factor authentication on forums and she said that in December 2019, one Exploit.in user "created a thread to sell a process that would bypass 2FA systems at a United States-based online bank." 

The cybercriminal claimed their system would allow access to every seven to nine out of ten accounts without requiring SMS verification and valued their offer at $5,000.

Colin Bastable, CEO of Lucy Security, said BEC attacks are unique in that they rely on human behavior rather than sophisticated technology. Typical BEC scams use an authentic-looking email from a top executive to deceive subordinates into transferring money.  

Bastable noted that the FBI reported that BEC scams cost enterprises more than $26 billion worldwide between 2016 and 2019, while these scams accounted for half of all cybercrime losses in 2019.

"Rather than launch a mass attack against hundreds or thousands of unknown targets, BEC scams focus on a single target. The attackers patiently research companies to pinpoint the right executive. They analyze the company's website and other publicly-available information to identify senior personnel, determine the chain of command, track important customers, even study the email style of the executive they target, sometimes researching for as long as a month or more," Bastable said. 

According to Bastable, cybercriminals will often use social engineering scams to break into the network and steal an executive's credentials. They will then email a subordinate asking for immediate transfer of funds. 

"It's always for a credible reason—a last-minute acquisition or a late payment to a partner or supplier. Because of the urgency, the fraudster asks the employee to wire the funds to a different account than usual and keep their actions confidential. Thanks to the hacker's due diligence, the email looks authentic and the employee wires money—right to the bank account of the scammer," Bastable explained. 

Some cybercriminals are able to spoof CEO emails even without stealing their account information, and many BEC attacks feature attackers impersonating clients, employees and vendors. 

Need for a "Culture of Security"

Security experts aired a number of different solutions to these types of attacks. Malik said that it's important for all employees, including execs, to use unique and individual passwords for each account, enable multifactor or two factor authentication if available, and regularly monitor accounts to see if there have been any rules set up or any sessions are active which look out of place. 

Chris Clements, vice president of solutions architecture at Cerberus Sentinel, said organizations must adopt a culture of security starting with executive leadership including ensuring that management employees choose strong passwords and not reuse them across multiple websites or applications." 

"Additional best practices like separating accounts with administrative privileges from accounts used for day-to-day computing can help protect from widespread damage from compromise.  Finally it is important that organizations ensure that their financial institutions require telephone verification for any monetary transfers over a certain amount," Clements said. 

Also see