Research by digital risk management and threat intelligence firm Digital Shadows has revealed that company credentials and emails that can be easily accessed on the web are making it easier for cyber-criminals to target businesses with attacks.
What’s Are The Problems?
According to the research, businesses may be suffering targeted attacks because several key problems that are caused by the results of previous hacks and breaches, and by current poor security practices. These problems are that:
- Around 12.5 million company email archive files are publicly accessible due to misconfigured archive storage drives e.g. FTP and Amazon S3 buckets. Business emails contain sensitive personal and financial information e.g. the research uncovered 27,000 invoices, 7,000 purchase orders and 21,000 payment records. These things are valuable to cyber-criminals as they help them to target attack methods such as phishing.
- Improper backing-up of email archives has contributed to their exposure online.
- Criminal forums e.g. on the dark web, now contain some 33,568 finance department email addresses that have been exposed in third-party breaches, 27,992 of which have passwords associated with them. These forums also contain large numbers of the business of email access credentials, some of which are reported by the research to be worth $5,000 for a single username and password pair to cyber-criminals.
- Email hacking services can be purchased for as little as $150, with results available in a week or less. The researchers were even offered a 20% share of the proceeds that could be harvested from exploiting email vulnerabilities.
What Does This Mean For Your Business?
Business email credentials have a high potential return on investment to cyber-criminals, and therefore have a high value, which is why many cyber-criminals feel that it is worth looking for them and paying substantial amounts for them on criminal forums. The high value may mean that criminals may even collaborate to target larger organisations. Hacks and breaches over time, together with the subsequent buying and selling of the stolen email credentials may mean that many businesses are exposed to multiple types of email attack such as phishing, and man-in-the-middle attacks without even knowing it.
One thing the research does show is that by tightening up email security practices, businesses could reduce the risks that they face. Measures that companies could take to help reduce such risks include:
- Including business email compromise (BEC) in business continuity planning and disaster recovery planning.
- Strengthening wire transfer / BACs controls by e.g. building-in manual controls and as well as multiple-person authorisations to approve significant amounts.
- Improving staff training to enable them to follow practices that minimise company email and other security risks.
- Continuously monitoring for any exposed credentials (particularly those of finance department emails), and conducting assessments of executives’ digital footprints e.g. using Google Alerts to track new web content related to them.
- Preventing email archives from being publicly exposed e.g. by making sure that archive storage drives are configured correctly.
- Being very careful where contractors back-up emails on network-attached storage (NAS) devices is concerned. Making users have passwords, disabling guest / anonymous access, and insisting on NAS devices that are secured by default could help.