Millions of business email accounts openly accessible, report claims
Many organisations could be exposing themselves to threats because their business email inboxes are openly accessible on the web, a new report has warned.
Research by Digital Shadows found that although phishing remains a common means of using email to attack a business, cyber criminals are now using a wide variety of tactics in order to gain access, and in many cases, firms are making this easy for them by not adequately securing their email accounts.
The firm's research found that in some cases, entire company email inboxes have been exposed as a result of misconfigured rsync, FTP, SMB, S3 buckets and NAS drives. It discovered more than 12 million email archive files in formats such as .eml, .msg, .pst, .ost and .mbox.
By improperly backing up these archives, employees and contractors are unwittingly exposing sensitive, personal and financial information, the company continued. For example, it found 27,000 invoices, 7,000 purchase orders and 21,000 payment records in publicly-accessible archives.
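The misconfigured shares and backup targets described above only become a leak when archive files with those extensions sit on them with permissions that let anyone read them. The following script is an added example, not code from the article or from Digital Shadows: it walks a locally mounted share (assumed to be a POSIX file system such as a NAS export or rsync destination) and inventories email archive files, flagging the ones that are world-readable so an administrator can fix permissions before the share is ever exposed.

```python
"""Inventory email archive files on a mounted share and flag world-readable ones.

Added example for an internal audit; it is not part of the original report.
Assumes a POSIX file system and uses only the standard library.
"""
import os
import stat
from pathlib import Path
from typing import Dict, List, Optional

# Archive formats named in the report; matched case-insensitively.
EMAIL_ARCHIVE_EXTS = {".eml", ".msg", ".pst", ".ost", ".mbox"}


def is_email_archive(path: str) -> bool:
    """True if the file extension is one of the email archive formats."""
    return Path(path).suffix.lower() in EMAIL_ARCHIVE_EXTS


def is_world_readable(mode: int) -> bool:
    """True if the 'other' read bit is set on a POSIX mode."""
    return bool(mode & stat.S_IROTH)


def classify(path: str, mode: int, size: int = 0) -> Optional[Dict]:
    """Return a finding for an email archive, or None for any other file.

    `mode` is the st_mode value; `size` is the file size in bytes.
    """
    if not is_email_archive(path):
        return None
    return {
        "path": path,
        "ext": Path(path).suffix.lower(),
        "size": size,
        "world_readable": is_world_readable(mode),
    }


def scan_tree(root: str) -> List[Dict]:
    """Walk `root` and collect findings for every email archive file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue  # unreadable or vanished entry; skip it
            if not stat.S_ISREG(st.st_mode):
                continue  # ignore symlinks, sockets, devices
            finding = classify(full, st.st_mode, st.st_size)
            if finding:
                findings.append(finding)
    return findings


def summarize(findings: List[Dict]) -> Dict:
    """Count archives per extension and how many are readable by everyone."""
    per_ext: Dict[str, int] = {}
    exposed = 0
    for f in findings:
        per_ext[f["ext"]] = per_ext.get(f["ext"], 0) + 1
        if f["world_readable"]:
            exposed += 1
    return {"total": len(findings), "world_readable": exposed, "per_ext": per_ext}


if __name__ == "__main__":
    import sys

    root = sys.argv[1] if len(sys.argv) > 1 else "."
    results = scan_tree(root)
    report = summarize(results)
    print(f"{report['total']} email archive(s), {report['world_readable']} world-readable")
    for f in results:
        flag = "EXPOSED" if f["world_readable"] else "ok"
        print(f"{flag:8} {f['size']:>12} {f['path']}")
```

Run it against the mount point of the share (`python audit_mail_archives.py /mnt/backup`); anything printed as EXPOSED is a candidate for `chmod o-r` and for a review of whether the archive needs to be on that share at all. On an S3 bucket the same question is answered by the bucket's public-access settings rather than POSIX mode bits, so this script covers only the rsync, SMB and NAS cases.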
Rick Holland, chief information security officer at Digital Shadows, said: "Phishing continues to be a very serious problem associated with business email compromise but unfortunately, we discovered that is far from the only risk, especially as barriers to entry for this type of fraud are coming down."
Indeed, Digital Shadows noted that business email compromise is now available online 'as a service' for as little as $150 (£115) and can provide results in less than a week.
The research also found that finance professionals are especially vulnerable to this type of cyber crime. It revealed that 33,568 finance department email addresses have been exposed in third-party breaches and are circulating on criminal forums. What's more, 83 per cent of these (27,992) have passwords associated with them.
Digital Shadows explained this may be because criminals are specifically searching for company emails that contain common accounting domains such as 'accounting', '[email protected]', '[email protected]' and '[email protected]'. It noted these credentials are considered so valuable that one individual was offering up to $5,000 for a single username and password pair.
"Millions of companies are already exposed through misconfiguration issues or finance department emails and passwords circulating online. With the right knowledge, it is relatively easy for cybercriminals to find whole email boxes and accounting credentials – indeed, we found criminals actively looking for them," Mr Holland continued.