Digital Shadows has announced the findings of new research revealing the diversity of methods used to infiltrate company emails. The FBI has estimated that scams resulting from business email compromise – such as fake invoices and wire fraud – have cost businesses $12bn globally over the last five years.
Email inboxes exposed
While phishing is a common means of attack, the research reveals criminals are resorting to a wide variety of methods to access business email accounts. But in many cases, companies are inadvertently making it easy for cybercriminals.
Digital Shadows discovered entire company email inboxes exposed – over 12 million email archive files (.eml, .msg, .pst, .ost, .mbox) publicly reachable through misconfigured rsync and FTP servers, SMB shares, Amazon S3 buckets, and NAS devices. By backing these archives up to storage that can be reached without authentication, employees and contractors are unwittingly exposing sensitive, personal and financial information – Digital Shadows discovered 27,000 invoices, 7,000 purchase orders, and 21,000 payment records.
Finance professionals, in particular, are in the firing line. 33,568 finance department email addresses have been exposed in third-party breaches and are circulating on criminal forums. Of these, 83% (27,992) have passwords associated with them. Researchers detected criminals specifically searching for company email addresses with common accounting mailbox names (the part before the @) such as “ap@,” “ar@”, “accounting@,” “accountreceivable@,” “accountpayable@” and “invoice@.” These credentials are considered so valuable that one individual is offering up to $5,000 for a single username and password pair.
BEC-as-a-Service with results available in a week or less
For criminals looking to outsource their work, Digital Shadows noted that BEC-as-a-Service is widely available for as little as $150 – with results available in a week or less.
Alternatively, some cybercriminals are offering a percentage revenue share of the total earnings in return for access to inboxes. As an example, one cybercriminal specialising in the construction sector engaged with researchers via the Jabber instant messaging service, offering a 20% cut of the total proceeds that could be harvested from the compromised inboxes.
“Phishing continues to be a very serious problem associated with business email compromise but unfortunately, we discovered that it is far from the only risk, especially as barriers to entry for this type of fraud are coming down. Millions of companies are already exposed through misconfiguration issues or finance department emails and passwords circulating online. With the right knowledge it is relatively easy for cybercriminals to find whole email boxes and accounting credentials – indeed we found criminals actively looking for them,” said Rick Holland, CISO at Digital Shadows.
Holland continues: “Naturally, as the return on investment from acquiring such sensitive information is so high, we also found cybercriminals actively collaborating with each other to target specific companies. Organizations can never mitigate these issues entirely; however, it is within their power to at least tighten up on their own processes to ensure that their data exposure is kept to a minimum.”
How to reduce risk
Digital Shadows recommends these seven steps for organizations that want to reduce their risk:
- Update security awareness training content to include the Business Email Compromise (BEC) scenario
- Include BEC within incident response/business continuity planning
- Work with wire transfer application vendors to build in manual controls, as well as multiple-person authorization (dual control) for significant wire transfers
- Continuously monitor for exposed credentials. This is particularly important for finance department mailboxes such as ap@, ar@ and invoice@, which criminals were seen searching for specifically
- Conduct ongoing assessments of executives’ digital footprints – threat actors will perform their reconnaissance on high-value targets. Start by using Google Alerts to track new web content related to them
- Prevent email archives (.pst, .ost, .eml, .msg, .mbox) from being publicly exposed on rsync, FTP, SMB, S3 or NAS storage
- Be aware of the risk posed by contractors who back up their email to Network Attached Storage (NAS) devices. Require a password on every share, disable guest/anonymous access (including anonymous rsync and FTP), and opt for NAS devices that are secured by default.
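As a practical check for the last two steps, here is an added example written for this article (it is not Digital Shadows' code or tooling): a Python script that walks a mounted share or backup volume, lists every file with one of the archive extensions named in the research, and reports which of them are readable by "other" users, i.e. what a guest or anonymous reader of the share would get. It assumes a POSIX filesystem whose mode bits mirror the share's guest permissions; the sample share it builds when run without arguments is constructed, and the file and directory names in it are illustrative.

```python
#!/usr/bin/env python3
"""Audit a directory tree (e.g. a mounted NAS share or backup volume) for email
archive files and report which of them anyone with access to the share can read.

Added example written for this article; it is not Digital Shadows' tooling.
Assumes a POSIX filesystem where the 'other' permission bits reflect what an
unauthenticated or guest reader of the share would be granted."""
import os
import shutil
import stat
import sys
import tempfile
from pathlib import Path

# Email archive formats named in the research.
ARCHIVE_EXTENSIONS = {".eml", ".msg", ".pst", ".ost", ".mbox"}


def _world_readable(path, root):
    """True if 'others' can read `path`: the file carries r for others and every
    directory from `root` down to the file's parent carries x (search) for others."""
    if not path.lstat().st_mode & stat.S_IROTH:
        return False
    rel = path.relative_to(root)
    ancestors = [root] + [root / a for a in reversed(rel.parents) if a != Path(".")]
    return all(d.lstat().st_mode & stat.S_IXOTH for d in ancestors)


def find_email_archives(root):
    """Return a sorted list of dicts (path, size, world_readable) for every regular
    file under `root` whose extension is an email archive format."""
    root = Path(root).resolve()
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.suffix.lower() not in ARCHIVE_EXTENSIONS:
                continue
            st = path.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets and other specials
            findings.append({
                "path": str(path.relative_to(root)),
                "size": st.st_size,
                "world_readable": _world_readable(path, root),
            })
    return sorted(findings, key=lambda f: f["path"])


def exposed_by_extension(findings):
    """Count world-readable archives per extension, e.g. {'.pst': 1, '.mbox': 1}."""
    counts = {}
    for f in findings:
        if f["world_readable"]:
            ext = Path(f["path"]).suffix.lower()
            counts[ext] = counts.get(ext, 0) + 1
    return counts


def build_sample_share():
    """Create a constructed sample share in a temporary directory. The files are
    stubs, not real mail data; only the names and permission bits matter."""
    root = Path(tempfile.mkdtemp(prefix="nas-share-"))
    layout = {
        "backups/outlook/finance.pst": 0o644,      # world-readable archive
        "backups/outlook/archive2017.ost": 0o600,  # owner-only
        "exports/ap-invoices.mbox": 0o644,         # world-readable archive
        "private/ceo.eml": 0o644,                  # readable file, but its directory is locked
        "docs/readme.txt": 0o644,                  # not an archive, must be ignored
    }
    for rel, mode in layout.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample, not real mail\n")
        os.chmod(p, mode)
    # Normalise directory modes regardless of the caller's umask, then lock one.
    for d in [root, *(d for d in root.rglob("*") if d.is_dir())]:
        os.chmod(d, 0o755)
    os.chmod(root / "private", 0o700)
    return root


def audit_sample_share():
    """Build the sample share, audit it, clean up, and return the findings."""
    root = build_sample_share()
    try:
        return find_email_archives(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = find_email_archives(target) if target else audit_sample_share()
    for f in results:
        flag = "EXPOSED" if f["world_readable"] else "ok"
        print(f"{flag:8}{f['size']:>10}  {f['path']}")
    print("exposed by type:", exposed_by_extension(results))
```

Run it with the mount point of a share (for example `python3 audit_archives.py /mnt/nas/backups`) to get one line per archive file and a per-type count of those a guest could read; an archive in a 0700 directory is reported but not flagged, because the directory's missing search bit blocks anonymous access even though the file itself is 0644. Mode bits on a Samba or NFS export only approximate what remote guests see, so treat a clean result as a prompt to also confirm that guest and anonymous access is disabled on the service itself.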