Cyber Research Finds Over 12 Million Email Archive Files Exposed

Email security firm Digital Shadows found over 12 million company email archive files exposed and publicly available during research into business email threats.

These files (.eml, .msg, .pst, .ost, .mbox) were found on misconfigured rsync, FTP and SMB services, S3 buckets, and NAS drives, where they had been improperly backed up.

Exposed were 27,000 invoices, 700 purchase orders and 21,000 payment records.

The research found that 33,568 finance department email addresses were exposed in third-party breaches, and are available on criminal forums.

Cybercriminals search for common accounting address prefixes such as “ap@,” “ar@,” “accounting@,” “accountreceivable@,” “accountpayable@” and “invoice@.”

So valuable are these credentials that the company also found cybercriminals offering up to $5,000 for a single username and password pair, Digital Shadows reports. Indeed, attackers are now “collaborating with each other to target specific companies,” states Rick Holland, chief information security officer at Digital Shadows.

In addition, business email compromise can now be outsourced, with would-be felons paying as little as $150. Results are available within a week.

In a sting of sorts, Digital Shadows engaged with one such vendor in the construction sector via the Jabber instant message service, and was offered a 20% cut of the total proceeds of an attack campaign.

“Phishing continues to be a very serious problem associated with business email compromise but unfortunately, we discovered that is far from the only risk, especially as barriers to entry for this type of fraud are coming down,” Holland says.

He adds: “With the right knowledge it is relatively easy for cybercriminals to find whole email boxes and accounting credentials — indeed we found criminals actively looking for them.”

The FBI estimates that business email compromise attacks, made up of fake invoice and wire-fraud schemes, have cost firms across the globe $12 billion in the last five years, the company adds.

Digital Shadows recommends that firms update security awareness training, continuously monitor for exposed credentials and track executives’ digital footprints.

It also suggests that companies include BEC in incident response planning, work with wire transfer application vendors to build manual controls, and prevent email archives from being publicly exposed.

Finally, it advises firms to monitor contractors who back up their emails on Network Attached Storage devices.

Holland concludes that “organizations can never mitigate these issues entirely; however, it is within their power to at least tighten up on their own processes to ensure that their data exposure is kept to a minimum.”
