A hacker is selling passwords belonging to hundreds of executives across the world. The data is being sold on exploit.in, a closed-access Russian-speaking hacker forum popular with cybercriminals, according to ZDNet. The hacker is selling the stolen details to scammers interested in carrying out business email compromise (BEC) scams. Fraudsters execute BEC scams by impersonating business executives and manipulating internal employees and clients into wiring money to accounts owned by the scammers.
Business executive roles affected by the data breach
The threat actor demanded $100 to $1,500 for the stolen credentials based on the company size and the executive’s role. The compromised data belongs to individuals occupying the following job titles:
Chief Executive Officer (CEO)
Chief Financial Officer or Chief Financial Controller (CFO)
Chief Marketing Officer (CMO)
Chief Operating Officer (COO)
Chief Technology Officer (CTO)
Breached data originated from Microsoft Office 365 accounts
The threat actor is selling email and password combinations for Office 365 and Microsoft accounts. The credentials’ validity was confirmed using data leaked from an American CEO of a medium-sized software company and an EU retail chain store CFO.
Threat intelligence firm KELA said the threat actor had also expressed interest in buying "Azor logs", a term referring to data exfiltrated from computers compromised by the AzorUlt trojan. The info-stealer extracts usernames and passwords saved in the browsers of infected computers.
However, the hacker was banned from the forum, according to threat intelligence firm Vigilante. The reason for the ban was to avoid drawing unnecessary attention to the underground hacking forum.
Javvad Malik, Security Awareness Advocate at KnowBe4, says the effects of the breach could persist long after the email passwords are changed.
“With access to an executive’s email, there is no limit to what a criminal can do. Not only can they send out phishing emails on behalf of the exec to defraud the company or its customers, but they can set up email rules which automatically forward emails to an external email address. These rules will remain functioning even if the account password is changed.”
Malik suspects that the details were captured through phishing or password reuse across several websites.
“Which is why it’s important for all employees, including execs, to practice good credential hygiene by using unique and individual passwords for each account, enabling MFA (multi-factor authentication) if available, and regularly monitoring the account to see if there have been any rules set up or any sessions are active which look out of place,” says Malik.
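A check for the forwarding-rule persistence Malik describes, written as an added example that is not part of the original article: it scans inbox-rule records (constructed here in the property layout of Exchange Online's Get-InboxRule output, assumed to have been exported with ConvertTo-Json) and flags every forward or redirect whose target lies outside the organisation's own domains; the org domain list, mailbox names and addresses are all made-up assumptions.

```python
import re

# Constructed sample records in the shape Exchange Online's Get-InboxRule emits
# (e.g. "Get-InboxRule -Mailbox <user> | ConvertTo-Json"); every name and address is made up.
SAMPLE_RULES = [
    {"MailboxOwnerId": "ceo@example.com", "Name": "Archive old mail", "Enabled": True,
     "ForwardTo": None, "RedirectTo": None, "ForwardAsAttachmentTo": None},
    {"MailboxOwnerId": "ceo@example.com", "Name": "Mail backup", "Enabled": True,
     "ForwardTo": ['"Backup" [SMTP:backup@attacker-mail.example]'],
     "RedirectTo": None, "ForwardAsAttachmentTo": None},
    {"MailboxOwnerId": "cfo@example.com", "Name": "To assistant", "Enabled": True,
     "ForwardTo": ['"Assistant" [SMTP:assistant@example.com]'],
     "RedirectTo": None, "ForwardAsAttachmentTo": None},
    {"MailboxOwnerId": "cfo@example.com", "Name": "Invoices", "Enabled": False,
     "ForwardTo": None, "RedirectTo": ["finance@examp1e.com"], "ForwardAsAttachmentTo": None},
]

ORG_DOMAINS = {"example.com"}  # assumed: the tenant's own accepted domains
# The three inbox-rule actions that copy or divert mail to another recipient.
FORWARD_FIELDS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
_ADDR = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def recipient_addresses(values):
    """Extract SMTP addresses from recipient strings such as
    '"Name" [SMTP:a@b.example]' or a bare 'a@b.example'; None yields []."""
    addrs = []
    for value in values or []:
        addrs.extend(m.group(0).lower() for m in _ADDR.finditer(value))
    return addrs


def external_forwarding_rules(rules, org_domains=ORG_DOMAINS):
    """Return one finding per forwarding target whose domain is not an org domain.
    Disabled rules are reported too: they survive a password change and can be
    re-enabled later. Look-alike domains (examp1e.com) fail the exact-match test."""
    org = {d.lower() for d in org_domains}
    findings = []
    for rule in rules:
        for field in FORWARD_FIELDS:
            for addr in recipient_addresses(rule.get(field)):
                if addr.rsplit("@", 1)[1] not in org:
                    findings.append({"mailbox": rule["MailboxOwnerId"], "rule": rule["Name"],
                                     "action": field, "target": addr,
                                     "enabled": bool(rule.get("Enabled"))})
    return findings


if __name__ == "__main__":
    for f in external_forwarding_rules(SAMPLE_RULES):
        state = "enabled" if f["enabled"] else "disabled"
        print(f"{f['mailbox']}: rule '{f['rule']}' {f['action']} -> {f['target']} ({state})")
```

Run it against a real export on a schedule and review each finding with the mailbox owner; a rule that forwards to an address nobody recognises should be removed and the account's active sessions revoked, not just the password reset.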
Affected businesses facing higher risks of BEC scams
Once sold, the account details could be used for BEC scams or CEO scam attacks, costing billions of dollars annually.
Cybercriminals impersonate business executives during such attacks and coerce internal employees or clients to wire money to accounts controlled by the fraudsters.
Apart from BEC scams, attackers could use the stolen email account login credentials to carry out spearphishing attacks targeting specific victims.
Additionally, the fraudsters could use the stolen credentials to access other accounts or demand confidential information from naïve employees. Such information could be damaging to the company or to third parties, especially for sensitive businesses such as law firms. Cybercriminals could blackmail businesses and individuals by threatening to release potentially damaging information.
Despite the potency of these attacks, companies could prevent BEC scams through two-factor authentication (2FA) or two-step verification security mechanisms.
However, combining other verification methods with 2FA is recommended because attackers can sometimes bypass two-factor authentication. In 2019, a cyber attacker auctioned a process that could bypass 2FA for American banks with a 70-90% success rate. The hacker was selling the exploit kit for $5,000 on the same hacker forum, exploit.in.
Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, says that BEC scams are highly successful because of the social engineering techniques they apply.
“An employee that receives a message from the CEO requesting urgent action may quickly comply no matter how unusual the request. An additional risk arises when executives have administrative privileges to a company’s applications or networks that can be very damaging in the hands of a cyber-criminal.”
Clements adds that the threat level is higher if the compromised individuals have the authority to transfer money or influence the organization’s operations. He advises organizations and employees to practice good password hygiene.
“To protect themselves, organizations must adopt a culture of security, starting with executive leadership, including ensuring that management employees choose strong passwords and not reuse them across multiple websites or applications.”
Employees must also follow proper verification procedures by confirming unusual requests with their supervisor, according to Clements. Additionally, separating administrative accounts from daily computing accounts would help reduce the risks of successful business email compromise attacks.
“Finally, it is important that organizations ensure that their financial institutions require telephone verification for any monetary transfers over a certain amount.”