Financial email accounts of 5,000 UK organisations publicly exposed

Companies "making it easy" for attackers to steal sensitive data and sell accounts online

Leaky bucket

Finance-department email accounts belonging to at least 5,000 UK companies have been exposed in third-party breaches, and attackers are selling compromised accounts of this kind online for as little as $150.

Cyber security firm Digital Shadows found 33,568 finance-department email addresses exposed in third-party breaches held in its data breach repository, 4,953 of them on .co.uk domains. Of all the company accounts exposed, 83% had a password associated with them.


More concerning still, Digital Shadows found 12.5 million email archive files publicly exposed as a result of improper backup practices. A criminal could read these directly, without needing to breach any organisation's own security.

"One issue that this research particularly highlights is the risk posed by third parties and contractors, who are often forgotten about by businesses and security teams when it comes to defending your network and data," Digital Shadows' strategy and research analyst Rafael Amado told IT Pro.

"Often, short-term workers will back up their files and emails on personal NAS drives and leave this misconfigured.

"This issue goes beyond email account compromises. Businesses need to have a better understanding of where all their sensitive data resides and who has access to it. Third parties and suppliers are an important component of this."

Digital Shadows found a wealth of data exposed across misconfigured services, including rsync servers, file transfer protocol (FTP) servers, server message block (SMB) file shares, Amazon Web Services (AWS) S3 buckets and NAS drives. The majority of these files, some 8.5 million, are .EML messages; the rest are .MSG messages and .PST, .MBOX and .OST mailbox files.


Some of these emails are incredibly sensitive: in one instance, analysts found an entire accounting firm's email correspondence with its clients publicly available, including thousands of invoices and tax returns.

This latest research follows Digital Shadows' findings earlier this year that 12,000 TB of data was publicly exposed in the first three months of 2018 across misconfigured rsync servers, FTP servers, SMB shares, AWS S3 buckets, web servers with directory listing enabled (WebIndex) and internet-connected NAS drives.

The FBI estimated earlier this year that business email compromise (BEC), which includes fake invoices and fraudulent wire transfers, has cost businesses worldwide $12 billion over the last five years.

Once compromised, finance mailboxes and the financial details they contain are frequently shared and traded on criminal forums and on the dark web.

Hacking services are available for as little as $150, but finance-department credentials are lucrative, with Digital Shadows finding individuals offering up to $5,000 for them. Many buyers are specifically after company mailboxes whose addresses begin ap@, ar@, accounting@ or invoice@, among other terms.

A forum user offering hacking services from as little as $150


Alongside services for acquiring business emails, malicious actors are known to offer between $150 and $500 per compromised business email account. Some accounts, however, such as those hosted on open web-based email services, are more expensive than those on closed corporate systems.

Through covert interactions, Digital Shadows' analysts engaged with one Russian-speaking threat actor who sought sensitive data from email archives.

In this case study, outlined in the research, analysts learned the attacker wanted emails from the accounting departments of specific targets and was searching specifically for mailboxes such as accountspayable@, accountsreceivables@, payables@ and receivables@.

Some Dark Web users are paying up to $5,000 for hacked email accounts

The attacker specified 100 targets in this campaign, including organisations in the construction (56), education (18) and property (10) sectors, as well as 15 other companies. The majority of these were based in the UK, Australia and Singapore.

"Business Email Compromise is becoming increasingly profitable for threat actors, who are conducting highly targeted campaigns," the research said. "Unfortunately, we're making it easy for adversaries to gain access to the precious information that sits within email inboxes."


Digital Shadows recommended seven steps for employees and businesses to take to bolster their protection against BEC. These include updating security awareness training to cover BEC scenarios, and building those scenarios into contingency plans.

Analysts also recommended adding manual controls to wire transfer processes, and monitoring for exposed credentials.

But above all, keeping email archives off the public internet is crucial. Where an archive must be reachable over a network, the risk can be mitigated by using strong, unique passwords, disabling guest or anonymous access, and restricting connections to an allow-list of IP addresses, particularly if internet access or passwordless access is required.
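The mitigations above (disable guest access, allow-list IP addresses, require authentication) correspond to specific parameters in the configuration files of two of the services named in the research: Samba (smb.conf) and the rsync daemon (rsyncd.conf). The Python script below is an added example, not Digital Shadows' tooling or anything from the report, that parses constructed weak and hardened versions of both files and flags the settings that leave an archive share anonymously readable. The sample configs, the share and module names, the IP ranges and the user names are invented for illustration.

```python
"""Audit smb.conf / rsyncd.conf for the weaknesses behind exposed email archives:
guest access, missing IP allow-lists, unauthenticated rsync modules. (Added example;
sample configurations are constructed, not taken from the research.)"""
import configparser

# Human-readable descriptions of each finding key returned by audit()
FINDINGS = {
    "guest": "guest/anonymous access is enabled on the share",
    "no_hosts": "no 'hosts allow' IP allow-list, in the share or globally",
    "no_auth": "rsync module has no 'auth users', so anyone can pull it",
    "map_guest": "'map to guest' turns failed logins into guest sessions",
}

# Constructed weak smb.conf: readable by anyone who can reach port 445
WEAK_SMB = """
[global]
   map to guest = Bad User

[mailarchive]
   path = /srv/archive/mail
   guest ok = yes
"""

# Constructed hardened smb.conf: named users only, from an internal range only
HARDENED_SMB = """
[global]
   map to guest = Never
   hosts allow = 10.20.0.0/16 127.0.0.1
   hosts deny = ALL

[mailarchive]
   path = /srv/archive/mail
   guest ok = no
   valid users = @finance
"""

# Constructed weak rsyncd.conf: 'rsync rsync://host/mail/' needs no credentials
WEAK_RSYNC = """
uid = nobody

[mail]
   path = /srv/archive/mail
   read only = yes
"""

# Constructed hardened rsyncd.conf: authenticated, internal range only, unlisted
HARDENED_RSYNC = """
uid = nobody
hosts allow = 10.20.0.0/16
hosts deny = *

[mail]
   path = /srv/archive/mail
   read only = yes
   list = no
   auth users = backup
   secrets file = /etc/rsyncd.secrets
"""


def _parse(text):
    # Both formats are INI-like. rsyncd.conf puts global parameters before the
    # first [module], which configparser rejects, so a [global] header is
    # prepended; rsync itself accepts a literal [global] section, and
    # strict=False merges it with any [global] the file already has.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   inline_comment_prefixes=("#", ";"))
    cp.read_string("[global]\n" + text)
    return cp


def _yes(value):
    # Samba and rsync both accept yes/true/1 as boolean true
    return (value or "").strip().lower() in ("yes", "true", "1")


def audit(text, kind):
    """Return a list of (section, finding_key) for kind 'smb' or 'rsync'."""
    cp = _parse(text)
    glob = cp["global"]
    found = []
    # Samba: any value other than Never lets a bad password fall through to guest
    if kind == "smb" and glob.get("map to guest", "Never").strip().lower() != "never":
        found.append(("global", "map_guest"))
    for name in cp.sections():
        if name == "global":
            continue
        sec = cp[name]
        if kind == "smb" and (_yes(sec.get("guest ok")) or _yes(sec.get("public"))):
            found.append((name, "guest"))
        if kind == "rsync" and not sec.get("auth users", "").strip():
            found.append((name, "no_auth"))
        # a share-level allow-list or a global one is acceptable; neither is not
        if not (sec.get("hosts allow") or glob.get("hosts allow")):
            found.append((name, "no_hosts"))
    return found


if __name__ == "__main__":
    for label, text, kind in (("weak smb.conf", WEAK_SMB, "smb"),
                              ("hardened smb.conf", HARDENED_SMB, "smb"),
                              ("weak rsyncd.conf", WEAK_RSYNC, "rsync"),
                              ("hardened rsyncd.conf", HARDENED_RSYNC, "rsync")):
        issues = audit(text, kind)
        print(f"{label}: {'OK' if not issues else ''}")
        for section, key in issues:
            print(f"  [{section}] {FINDINGS[key]}")
```

A clean result from this check only means the share is not anonymously reachable from arbitrary addresses; it says nothing about whether the archive belongs on a network share at all, which is the article's main point. S3 buckets and NAS web interfaces, the other sources in the research, are governed by their own access controls (bucket policies and Block Public Access for S3, the vendor's user and guest settings on a NAS) and are not covered by this parser.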
