Financial email accounts of 5,000 UK organisations publicly exposed

Companies "making it easy" for attackers to steal sensitive data and sell accounts online

Leaky bucket

The financial details of at least 5,000 UK companies have been exposed in third-party compromises, with attackers selling exposed email accounts for as little as $150 online.

Cyber security firm Digital Shadows found 33,568 finance department email addresses exposed in third-party breaches in its data breach repository, with 4,953 tied with .co.uk domains. Of all the company accounts exposed, 83% had passwords associated.

Advertisement - Article continues below

But concerningly, cyber criminals are able to easily access the 12.5 million email archive files publicly exposed due to improper backup procedures, and wouldn't need to breach an organisation's security in order to do so.

"One issue that this research particularly highlights is the risk posed by third parties and contractors, who are often forgotten about by businesses and security teams when it comes to defending your network and data," Digital Shadows' strategy and research analyst Rafael Amado told IT Pro.

"Often, short-term workers will back up their files and emails on personal NAS drives and leave this misconfigured.

"This issue goes beyond email account compromises. Businesses need to have a better understanding of where all their sensitive data resides and who has access to it. Third parties and suppliers are an important component of this."

Digital Shadows found a wealth of data exposed across misconfigured servers including rsync sites, file transfer protocol (FTP) servers, server message block (SMB), Amazon Web Services (AWS) S3 buckets, and NAS drives. The majority of these files, some 8.5 million, are .EML, while the rest comprise .MSG, .PST, .MBOX and .OST.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Some of these emails are incredibly sensitive, with analysts finding in one instance a whole accounting firm's email correspondence with clients made publicly-available including thousands of invoices and tax returns.

This latest research follows Digital Shadows' findings earlier this year that 12,000TB of data was found publicly exposed in the first three months of 2018 on misconfigured rsync sites, FTP servers, SMB, ASW S3 buckets, misconfigured Websites (WebIndex), and web-connected NAS drives.

The FBI earlier this year estimated that the damage to businesses from the practice known as business email compromise (BEC), including fake invoices and wire fraud, globally cost businesses $12 billion over the last five years.

Once compromised, businesses' financial details are frequently shared and traded on criminal forums and on the dark web.

Hacking services are available for as low as $150, but finance department credentials are lucrative, with Digital Shadows finding individuals offering up to $5,000. Many are searching for company emails that contain ap@, ar@, accounting@, and invoice@, among other terms.

A forum user offering hacking services from as little as $150

Advertisement - Article continues below

Alongside services for acquiring business emails, malicious actors are known to offer between $150 and $500 per compromised businesses email. Some accounts, however, such those based on open web-based email services are more expensive than closed ones.

Through covert interactions, Digital Shadows' analysts engaged with one Russian-speaking threat actor who sought sensitive data from email archives.

In this case study outlined in the research, analysts learned the attacker wanted emails from accounting departments of specific targets and was searching specifically for accounts with accountspayable@, accountsreceivables@, payables@ and receivables@.

Some Dark Web users are paying up to $5,000 for hacked email accounts

The attacker specified 100 targets in this campaign, including organisations in construction (56), education (18), property (10) sectors, as well as 15 other companies. The majority of these were based in the UK, Australia, and Singapore.

"Business Email Compromise is becoming increasingly profitable for threats actors, who are conducting highly targeted campaigns," the research said. "Unfortunately, we're making it easy for adversaries to gain access to the precious information that sits within email inboxes."

Advertisement - Article continues below

Digital Shadows recommended seven steps for employees and businesses to take to bolster their protection against BEC. These include updating security awareness training to include such scenarios, as well as building them into contingency plans.

Analysts also recommended that manual controls be implemented in wire transfer applications which can monitor for exposed credentials.

But above all, preventing email archives from being publicly exposed is crucial. Risks can be mitigated by using strong, unique passwords and disabling guest access, as well as whitelisting IP addresses if an internet connection, or passwordless-access, is needed.

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now
Advertisement
Advertisement

Recommended

Visit/security/encryption/355820/k2view-innovates-in-data-management-with-new-encryption-patent
encryption

K2View innovates in data management with new encryption patent

28 May 2020
Visit/software/video-conferencing/355410/zoom-50-adds-256-bit-encryption-and-ui-refresh
video conferencing

Zoom 5.0 adds 256-bit encryption to address security concerns

23 Apr 2020
Visit/security/hacking/355382/whatsapps-flaw-shoulder-surfing
hacking

WhatsApp flaw leaves users open to 'shoulder surfing' attacks

21 Apr 2020
Visit/security/cyber-security/355368/microsoft-builds-ai-to-detect-security-flaws-with-99-accuracy
cyber security

Microsoft AI can detect security flaws with 99% accuracy

20 Apr 2020

Most Popular

Visit/operating-systems/microsoft-windows/355812/microsoft-warns-against-installing-windows-10-may-2020
Microsoft Windows

Microsoft warns users not to install Windows 10's May update

28 May 2020
Visit/infrastructure/server-storage/355785/dell-emc-poweredge-r7525-review-an-epyc-core-density-to-make
Server & storage

Dell EMC PowerEdge R7525 review: An EPYC core density to make Intel weep

26 May 2020
Visit/infrastructure/network-internet/355792/intel-releases-wi-fi-and-bluetooth-driver-updates-for
Network & Internet

Intel releases Wi-Fi and Bluetooth driver updates for Windows 10

26 May 2020