The closed Russian-language cybercriminal forum Exploit.in is selling access to hundreds of email inboxes belonging to company executives around the world. According to ZDNet, username and password combinations for Office 365 and Microsoft accounts are on sale; the seller claims they belong to company presidents, their assistants and deputies, as well as general, executive, financial and technical directors, accountants, and others. Access costs from $100 to $1,500 per account, depending on company size and the user's title.
An anonymous ZDNet source from the cybersecurity community, who agreed to contact the seller and obtain sample credentials, confirmed that they were genuine. In particular, he was provided with the credentials of two users: the CEO of a mid-sized American software company and the CFO of a European retail chain.
In addition, as proof that the credentials were genuine, the seller posted on the forum the logins and passwords of two more users: the CEO of a British consulting agency and the president of an American manufacturer of clothing and accessories. The seller refused to explain where the logins and passwords came from, but said that he had several hundred of them.
According to the information security company KELA, the same cybercriminal had previously shown an interest in acquiring so-called Azor logs. This term refers to information stolen from computers by the AZORult infostealer. Infostealer logs almost always contain usernames and passwords extracted from browsers on infected hosts. Typically, malware operators filter the stolen information, organize it and put it up for sale on specialized forums, or sell it to other cybercriminals.
Attackers can use the stolen logins and passwords of a company's top management to send fake emails to their subordinates, for example with instructions to transfer large sums of money to specified accounts. The credentials can also be used to gain access to confidential information stored in the mailbox and use it for blackmail. Finally, stolen credentials can be used to reach other internal systems that rely on email-based two-factor authentication, allowing an attacker to move through an organization's network and carry out further attacks.