Hacker selling access to email accounts of hundreds of C-suite execs | Imagine the damage a Geo-Poli-Cyber motivated hacker can do with such info

Access is being sold for $100 to $1500 per account, depending on the company size and exec role.

A hacker is currently selling passwords for the email accounts of hundreds of C-level executives at companies across the world.

The data is being sold on a closed-access underground forum for Russian-speaking hackers named Exploit.in.

The seller is offering email and password combinations for Office 365 and Microsoft accounts, which he or she claims belong to high-level executives in roles such as:

  • CEO – chief executive officer
  • COO – chief operating officer
  • CFO – chief financial officer or chief financial controller
  • CMO – chief marketing officer
  • CTO – chief technology officer
  • President
  • Vice president
  • Executive Assistant
  • Finance Manager
  • Accountant
  • Director
  • Finance Director
  • Financial Controller
  • Accounts Payable

Access to any of these accounts is sold for prices ranging from $100 to $1,500, depending on the company size and user’s role.

[Image: the seller’s ad on Exploit.in]

A source in the cyber-security community who agreed to contact the seller to obtain samples has confirmed the validity of the data and obtained working credentials for two accounts: the CEO of a medium-sized US software company and the CFO of an EU-based retail store chain.

The source, who asked that his name not be shared, is in the process of notifying the two companies, as well as two other companies whose account passwords the seller had published as public proof that the data on offer was valid.

These were login details for an executive at a UK business management consulting agency and for the president of a US apparel and accessories maker.

[Image: sample login provided by the seller as public proof]

The seller refused to share how he/she obtained the login credentials but said he/she had hundreds more to sell.

According to data provided by threat intelligence firm KELA, the same threat actor had previously expressed interest in buying “Azor logs,” a term that refers to data collected from computers infected with the AzorUlt info-stealer trojan.

Infostealer logs almost always contain usernames and passwords that the trojan extracts from the credential stores of browsers installed on infected hosts, along with the URL each credential was saved for.

This data is typically collected by the infostealer operators, who filter and organize it and then put it on sale on dedicated markets like Genesis or on hacking forums, or sell it directly to other cybercrime gangs.
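A practical question for a defender who obtains a sample of such a log (from a threat-intelligence vendor, a notification like the one above, or a takedown) is whether any line belongs to their own organisation and, if so, how serious it is. The following script is an added example, not code from the original article or from any of the parties it mentions. It assumes the common `url:username:password` line layout seen in browser-credential exports; that layout, the sample lines, the domain list and the role keywords are all constructed for illustration. It keeps only a truncated SHA-256 fingerprint of each password so the triage output can be shared without re-leaking cleartext, flags executive-looking mailboxes, and reports credentials reused across several sites, since a password saved for a third-party portal that also unlocks Office 365 is exactly what makes these logs valuable.

```python
"""Triage an infostealer-style credential dump against an organisation's own domains.

Added example, not part of the original article.  The line format
(url:username:password), the sample data, OWN_DOMAINS and EXEC_KEYWORDS are
constructed assumptions for illustration only.
"""
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample resembling a browser-credential export from a stealer log.
# Includes a third-party site reusing the CEO's Microsoft password, an unrelated
# personal account, a malformed line and an exact duplicate.
SAMPLE_LOG = """\
https://login.microsoftonline.com/:ceo@example-software.com:Summer2020!
https://vendor-portal.test/login:ceo@example-software.com:Summer2020!
https://outlook.office365.com/owa/:cfo@example-retail.eu:Q4results#
https://portal.example-software.com/login:assistant@example-software.com:Welcome1
https://intranet.example-software.com/:jdoe@example-software.com:Pa55word
https://www.shopping-site.test/account:someone@gmail.com:hunter2
malformed line without separators
https://login.microsoftonline.com/:ceo@example-software.com:Summer2020!
"""

# Assumption: the mail domains this organisation owns.
OWN_DOMAINS = ("example-software.com", "example-retail.eu")

# Assumption: substrings in the mailbox local part that suggest a high-value
# (executive or finance) account.  A heuristic, not a ground truth.
EXEC_KEYWORDS = ("ceo", "cfo", "coo", "cmo", "cto", "president", "vp",
                 "finance", "accounts", "payable", "assistant", "director",
                 "controller")

# url may carry a port (host:443) and a path; username and password follow
# after the last two colon separators.
LINE_RE = re.compile(
    r"^(?P<url>https?://[^\s/]+(?:/[^\s:]*)?):(?P<user>[^:\s]+):(?P<password>.+)$"
)


@dataclass(frozen=True)
class Exposure:
    host: str
    username: str
    password_fp: str   # truncated SHA-256 of the password, never the cleartext
    high_value: bool


def fingerprint(password: str) -> str:
    """Short SHA-256 fingerprint, enough to correlate reuse without storing cleartext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (hostname, lowercased username, password) or None for junk lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host = urlsplit(m.group("url")).hostname or ""
    return host, m.group("user").lower(), m.group("password")


def triage(log_text: str, own_domains=OWN_DOMAINS) -> List[Exposure]:
    """Keep only mailbox-style logins for our domains, deduplicated, with passwords hashed."""
    own = {d.lower() for d in own_domains}
    seen = set()
    exposures: List[Exposure] = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, user, password = parsed
        if "@" not in user or user.rsplit("@", 1)[1] not in own:
            continue
        key = (host, user, password)
        if key in seen:
            continue
        seen.add(key)
        local_part = user.split("@", 1)[0]
        high_value = any(k in local_part for k in EXEC_KEYWORDS)
        exposures.append(Exposure(host, user, fingerprint(password), high_value))
    return exposures


def reused_across_sites(exposures: List[Exposure]) -> Dict[str, List[str]]:
    """Map username -> hosts where the same password fingerprint appears more than once."""
    hosts_by_cred: Dict[Tuple[str, str], set] = defaultdict(set)
    for e in exposures:
        hosts_by_cred[(e.username, e.password_fp)].add(e.host)
    return {user: sorted(hosts)
            for (user, _), hosts in hosts_by_cred.items() if len(hosts) > 1}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for e in found:
        print(f"{'HIGH ' if e.high_value else '     '}{e.username:40} {e.host:32} fp={e.password_fp}")
    for user, hosts in reused_across_sites(found).items():
        print(f"REUSE {user} shares one password across: {', '.join(hosts)}")
```

Anyone found by `triage` should get a forced password reset and a review of recent sign-ins; the `reused_across_sites` output identifies the accounts where a reset of the mailbox password alone is not enough, because the same secret protects other services.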

“Compromised corporate email credentials can be of value to cybercriminals who seek to monetize them. But they can be of even greater value to Geo-Poli-Cyber hackers who are not financially motivated but determined to advance their political, ideological, terrorist and extremist agendas. Hacking a business to cause the maximum damage possible because it belongs to a nation the hacker sees as an enemy is a great scalp to flaunt. They often launch recruitment drives on the back of such cyber success,” said an MLi Group Cyber-Survivability expert.

“Attackers can use them for sensitive internal communications and instructions as part of a ‘CEO scam’ to get employees into wiring large sums of money; they can be used to access highly classified or sensitive information in order to extort or coerce. Such credentials can also be exploited in order to gain access to other internal systems that require email-based two factor authentication which can give them lateral access to the organization and conduct a more sinister network breach and cause immense damage,” the expert added.

If you have concerns about being one of those victim companies, or about similar threats, contact MLi Group about its comprehensive or focused Cyber Survivability & Security Audits.





What Is Geo-Poli-Cyber™?

MLi Group created the terms Poli-Cyber™ and Geo-Poli-Cyber™ (GPC™) in 2012 and 2013 based on the philosophy that if you cannot identify and name the threat, you cannot mitigate that threat.

Geo-Poli-Cyber™ attacks are political, ideological, terrorist, extremist, ‘religious’, and/or geo-politically motivated.
