How much are a CEO’s email credentials worth? According to one hacker, anywhere between $100 and $1,500 will do, although the specific price will be set depending on the company’s size and the person’s role in it. Unfortunately, this is not a drill: There are purportedly hundreds of C-suite level email credentials being sold on a Russian-speaking underground forum, ZDNet reported on Friday.
ZDNet found that the hacker is selling email and password combinations for Office 365 and Microsoft accounts belonging to high-level executives such as the CEO, COO, CFO, CMO and CTO, among many others. The hacker posted an ad for the credentials on Exploit.in, an underground forum for Russian-speaking hackers, along with login information for an executive at a UK business management consulting agency and for the president of a U.S. apparel and accessories maker as a way to prove his offering was legitimate.
Per the report, ZDNet worked with an unnamed source in the cybersecurity community who contacted the hacker to obtain samples of the data being offered. The source gained access to valid login information for two Microsoft accounts. One of them belonged to the CEO of a medium-sized U.S. software company and the other belonged to the CFO of a retail store chain based in the EU.
The outlet reported that the cybersecurity source has confirmed the validity of the data. The source is in the process of notifying all the companies that their executives’ email credentials have been compromised.
Gizmodo reached out to Microsoft to ask it to verify the report and describe any actions taken.
“We are aware of the report and will do what is necessary to help support our customers,” a Microsoft spokesperson told Gizmodo via email. “We encourage customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers. To increase security we recommend taking additional steps like turning on multi-factor authentication.”
Microsoft also pointed Gizmodo to its online safety resources page.
Although it’s not clear how the hacker obtained the hundreds of Microsoft email credentials he’s peddling, the cyber intelligence firm KELA offered a possible clue. KELA told ZDNet that the same hacker had in the past expressed interest in buying “Azor logs,” a reference to data collected from the AZORult trojan malware. AZORult steals data from compromised systems, including saved passwords from browsers and email, Skype message history, files from chat history, and desktop files, among many others.
Raveed Laeb, a product manager at KELA, told ZDNet that corporate email credentials can be exploited by cyber criminals in many ways.
“Attackers can use them for internal communications as part of a ‘CEO scam’—where criminals manipulate employees into wiring them large sums of money; they can be used in order to access sensitive information as part of an extortion scheme; or, these credentials can also be exploited in order to gain access to other internal systems that require email-based 2FA, in order to move laterally in the organization and conduct a network intrusion,” Laeb said.
As noted by ZDNet, the best way to protect yourself from these types of attacks is by enabling two-factor authentication, also known as multi-factor authentication (MFA). MFA requires you to present two pieces of evidence in order to gain access to your account. This means that a hacker would need to steal both your credentials and, for example, your phone before being able to do anything with them.
Do people do this though? Apparently not. At the beginning of the year, Microsoft stated that out of all the enterprise accounts hacked, only 11% had MFA enabled.
Update 11/28/2020, 11:55 p.m. ET: This post has been updated with additional comment from Microsoft.