Millions of business email accounts openly accessible, report claims


Many organisations could be exposing themselves to threats because their business email inboxes are openly accessible on the web, a new report has warned.

Research by Digital Shadows found that although phishing remains a common means of using email to attack a business, cyber criminals are now using a wide variety of tactics in order to gain access, and in many cases, firms are making this easy for them by not adequately securing their email accounts.

The firm's research found that in some cases entire company email inboxes had been exposed through misconfigured rsync and FTP servers, SMB file shares, Amazon S3 buckets and NAS drives. It discovered more than 12 million email archive files in formats such as .eml, .msg, .pst, .ost and .mbox.

By improperly backing up these archives, employees and contractors are unwittingly exposing sensitive, personal and financial information, the company continued. For example, it found 27,000 invoices, 7,000 purchase orders and 21,000 payment records in publicly-accessible archives.
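The exposure described above is easy to check for on your own side. The following is an added example, not code from the report or from Digital Shadows: it walks a directory tree (a NAS export, an rsync module root or an FTP home, assumed here to be mounted locally), lists every file in the email archive formats the report names, flags the ones whose permission bits make them readable by any account, and, for mbox files, counts the messages inside with the standard-library `mailbox` parser. The sample share it builds in a temporary directory is constructed data; the `!BDN` bytes in the .pst placeholder are only a header stub, not a real archive. Checking an S3 bucket's public-access settings is a separate check and is not covered here.

```python
import os
import stat
import mailbox
import tempfile
from pathlib import Path

# Email archive formats named in the report.
EMAIL_ARCHIVE_EXTS = {".eml", ".msg", ".pst", ".ost", ".mbox"}


def find_email_archives(root):
    """Walk a directory tree (e.g. an rsync/FTP/NAS export) and return every
    file whose extension is an email archive format."""
    hits = []
    for dirpath, _dirs, files in os.walk(Path(root)):
        for name in files:
            if Path(name).suffix.lower() in EMAIL_ARCHIVE_EXTS:
                hits.append(Path(dirpath) / name)
    return sorted(hits)


def is_world_readable(path):
    """True if the 'other' read bit is set, i.e. any local or anonymous
    account mapped onto the share could read the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def count_mbox_messages(path):
    """Count messages in an existing mbox file with the stdlib parser."""
    box = mailbox.mbox(str(path), create=False)
    try:
        return len(box)
    finally:
        box.close()


def audit(root):
    """Return {relative posix path: findings} for every archive under root."""
    root = Path(root)
    report = {}
    for p in find_email_archives(root):
        entry = {"world_readable": is_world_readable(p)}
        if p.suffix.lower() == ".mbox":
            entry["messages"] = count_mbox_messages(p)
        report[p.relative_to(root).as_posix()] = entry
    return report


def build_sample_tree():
    """Constructed sample share (not real data): a world-readable mbox with
    three messages, an owner-only .pst placeholder and an unrelated file."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    backups = root / "backups"
    backups.mkdir()

    mbox_path = backups / "finance.mbox"
    box = mailbox.mbox(str(mbox_path))
    for i in range(3):
        msg = mailbox.mboxMessage()
        msg["From"] = f"vendor{i}@supplier.example"
        msg["To"] = "invoice@example.com"
        msg["Subject"] = f"Invoice {i}"
        msg.set_payload("Please find the invoice attached.")
        box.add(msg)
    box.flush()
    box.close()
    os.chmod(mbox_path, 0o644)  # the misconfiguration: readable by everyone

    pst_path = backups / "ceo.pst"
    # Placeholder header bytes only; this is not a real PST file.
    pst_path.write_bytes(b"!BDN" + b"\x00" * 28)
    os.chmod(pst_path, 0o600)   # owner-only, so not flagged

    (backups / "notes.txt").write_text("not an email archive\n")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, findings in audit(sample).items():
        flag = "EXPOSED" if findings["world_readable"] else "ok"
        print(f"{flag:8} {rel} {findings}")
```

Point `audit()` at the real mount point instead of the constructed tree; on an SMB or NFS mount the mode bits reflect what the server exports, so a hit with `world_readable` set is the file-level equivalent of the anonymous-read misconfiguration the report describes.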

Rick Holland, chief information security officer at Digital Shadows, said: "Phishing continues to be a very serious problem associated with business email compromise but unfortunately, we discovered that is far from the only risk, especially as barriers to entry for this type of fraud are coming down."

Indeed, Digital Shadows noted that business email compromise is now available online 'as a service' for as little as $150 (£115) and can provide results in less than a week.

The research also found that finance professionals are especially vulnerable to this type of cyber crime. It revealed that 33,568 finance department email addresses have been exposed in third-party breaches and are circulating on criminal forums. What's more, 83 per cent of these (27,992) have passwords associated with them.

Digital Shadows explained this may be because criminals are specifically searching for company email addresses whose mailbox name (the part before the @) contains common accounting terms such as 'accounting', 'accountreceivable@', 'accountpayable@' and 'invoice@'. It noted these credentials are considered so valuable that one individual was offering up to $5,000 for a single username and password pair.
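A defender can run the same search against a breach-dump or combo-list export for their own domain. The following is an added example, not code from the report: it parses `email:password` / `email;password` / bare-email lines, keeps only addresses at the organisation's domain, flags those whose mailbox name contains the accounting terms the report lists, and reports how many of them come with a password, which is the figure the report gives as 83 per cent. The plural forms `accountsreceivable` and `accountspayable` are an assumption added here, and the sample export is constructed data.

```python
import re

# Mailbox-name terms the report says criminals search for; the plural
# 'accounts...' forms are an assumption of this example. Matching is a
# case-insensitive substring test on the local part (before the '@').
FINANCE_KEYWORDS = (
    "accounting", "accountreceivable", "accountsreceivable",
    "accountpayable", "accountspayable", "invoice",
)

# One combo-list line: an email, optionally followed by ':' or ';' and a password.
_LINE = re.compile(r"^([^\s:;]+@[^\s:;]+)(?:[:;](.*))?$")


def parse_combo_line(line):
    """Return (email, password_or_None) for one line, or None for blank,
    comment or unparseable lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = _LINE.match(line)
    if not m:
        return None
    email, password = m.group(1), m.group(2)
    return email, (password if password else None)


def is_finance_address(email):
    """True if the mailbox name contains one of the accounting terms."""
    local = email.rsplit("@", 1)[0].lower()
    return any(k in local for k in FINANCE_KEYWORDS)


def triage(lines, own_domain):
    """Summarise a breach/combo-list export for one organisation's domain."""
    suffix = "@" + own_domain.lower()
    rows = [r for r in map(parse_combo_line, lines) if r]
    own = [(e, p) for e, p in rows if e.lower().endswith(suffix)]
    finance = [(e, p) for e, p in own if is_finance_address(e)]
    with_pw = [e for e, p in finance if p]
    pct = round(100 * len(with_pw) / len(finance)) if finance else 0
    return {
        "total": len(rows),
        "own_domain": len(own),
        "finance": len(finance),
        "finance_with_password": len(with_pw),
        "pct_finance_with_password": pct,
        "finance_addresses": sorted(e for e, _ in finance),
    }


# Constructed sample export, not real data.
SAMPLE_DUMP = """\
# constructed sample, not real data
invoice@example.com:Summer2019!
accountpayable@example.com:hunter2
accounting.team@example.com
jsmith@example.com:Passw0rd
invoice@other-company.example:qwerty
ceo@example.com;letmein
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMP.splitlines(), "example.com").items():
        print(f"{key}: {value}")
```

Any address returned in `finance_addresses` with a password attached is a candidate for an immediate reset and for a check of the mailbox's forwarding rules, since a working accounts-payable login is exactly what the business email compromise trade described above is buying.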

"Millions of companies are already exposed through misconfiguration issues or finance department emails and passwords circulating online. With the right knowledge, it is relatively easy for cybercriminals to find whole email boxes and accounting credentials – indeed, we found criminals actively looking for them," Mr Holland continued.