
Cybercrime marketplaces are increasingly selling access to stolen corporate email accounts for as little as $2, meeting a growing demand from threat actors who use them for business email compromise, phishing campaigns, and initial access to corporate networks.

Analysts at Israeli cyber-intelligence firm KELA have been tracking the trend closely, reporting at least 225,000 email accounts for sale in underground markets.

The biggest webmail shops are Xleet and Lufix, which claim to offer access to over 100,000 hacked corporate email accounts, with prices ranging from $2 to $30 or even more for highly desirable organizations.

Webmail Shop Offers (KELA)

Typically, these accounts were taken over through password cracking (brute-forcing) or credential stuffing, or their credentials were stolen through phishing or bought from other cybercriminals.

Hackers use their access to corporate email accounts in targeted attacks such as business email compromise (BEC), social engineering, spear phishing, and deeper network infiltration.

Rise of automated webmail shops

Sales of corporate email access have remained steady in the cybercrime space over the past two years, with threat actors on all major hacking forums selling email “combo lists” (bundled username and password pairs) that grant access to various companies.

Combo listing sold on ‘Breached’ forums (KELA)

In a recent high-profile case, the “Everest” ransomware actor offered alleged access to an aerospace manufacturing company’s email accounts for $15,000.

Bundled offers of this kind involve the tedious process of negotiating with the seller and taking on the risk that the claimed access is not valid. At the same time, demand for business email access continues to grow.

This has created the need for automated webmail shops like Xleet, Odin, Xmina, and Lufix, which allow cybercriminals to easily purchase access to email accounts of their choosing.

The main page of the Xleet store (KELA)

“Many of these stores offer advanced features, such as ‘proofs’ that webmail access is working,” explains KELA in the report.

“This evidence includes live email verification to confirm access, or viewing a screenshot of the compromised account’s inbox.”

The integrated account checker system on the four stores (KELA)

The most sought-after listings are Office 365 accounts, which make up nearly half of all webmail access offered, followed by hosting platforms such as cPanel, GoDaddy and Ionos.

Suggested email account providers (KELA)

Sellers on these shops do not use aliases but are hidden behind a masking system that assigns them numbers. Odin exposes more details about sellers, such as the number of items sold, total sales, and user ratings.

Contact details of the seller on Odin (KELA)

Odin and Xleet also state the source of each webmail account, using categories such as “hacked”, “cracked”, “logs” or “created”. The majority (98%) of Xleet’s listings are tagged as either ‘hacked’ or ‘cracked’.

“Logs” are email credentials harvested by information-stealing malware, while “created” are new mailboxes that intruders have provisioned on a breached company’s mail system using a compromised administrator account.

The rise of these markets makes it imperative to enforce password resets across all services and platforms so that already-compromised credentials become useless, and to pair them with multi-factor authentication, which blocks logins that rely on a password alone.

Since most webmail accounts on offer are cracked or hacked, using strong, unique (and longer) passwords and training staff to recognize phishing emails would significantly reduce these threats.
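The two account-theft paths the article names, brute-forcing a single mailbox and credential stuffing many mailboxes from one source, leave a distinctive footprint in webmail authentication logs. The following detector is an added example, not code from KELA's report or from the original article; the log line format, the thresholds, and the sample lines are all constructed assumptions for illustration.

```python
"""Flag credential-stuffing and brute-force patterns in webmail auth logs.

Added example. The log format below is an assumption:
    "<timestamp> ip=<addr> user=<mailbox> result=OK|FAIL"
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log lines (not from any real system).
SAMPLE_LOG = [
    # one source tries many different mailboxes once each, then lands a hit:
    # the credential-stuffing pattern (a combo list being replayed)
    "2024-05-01T08:00:01Z ip=203.0.113.5 user=alice@example.com result=FAIL",
    "2024-05-01T08:00:02Z ip=203.0.113.5 user=bob@example.com result=FAIL",
    "2024-05-01T08:00:03Z ip=203.0.113.5 user=carol@example.com result=FAIL",
    "2024-05-01T08:00:04Z ip=203.0.113.5 user=dave@example.com result=FAIL",
    "2024-05-01T08:00:05Z ip=203.0.113.5 user=erin@example.com result=FAIL",
    "2024-05-01T08:00:06Z ip=203.0.113.5 user=frank@example.com result=OK",
    # a normal login from an unrelated source: must not raise an alert
    "2024-05-01T08:05:00Z ip=192.0.2.9 user=alice@example.com result=OK",
] + [
    # one source hammers a single mailbox: the brute-force pattern
    f"2024-05-01T09:00:{i:02d}Z ip=198.51.100.7 user=alice@example.com result=FAIL"
    for i in range(8)
]


def parse_line(line):
    """Return the fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(lines, stuffing_threshold=5, bruteforce_threshold=8):
    """Return a list of alert dicts for the patterns found in `lines`.

    credential_stuffing: one source IP fails against >= stuffing_threshold
                         distinct mailboxes.
    brute_force:         one source IP fails >= bruteforce_threshold times
                         against the same mailbox.
    Each alert also lists mailboxes the source logged into successfully
    after failing, i.e. the accounts most likely to end up in a webmail shop.
    """
    failed_users = defaultdict(set)        # ip -> mailboxes with failed logins
    fail_counts = defaultdict(int)         # (ip, mailbox) -> failure count
    success_after_fail = defaultdict(set)  # ip -> mailboxes hit after failures

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # tolerate unrelated or malformed lines
        ip, user, result = rec["ip"], rec["user"], rec["result"]
        if result == "FAIL":
            failed_users[ip].add(user)
            fail_counts[(ip, user)] += 1
        elif failed_users.get(ip):
            # a success from a source that already had failures is the
            # signal that a credential from the list actually worked
            success_after_fail[ip].add(user)

    alerts = []
    for ip, users in failed_users.items():
        if len(users) >= stuffing_threshold:
            alerts.append({
                "kind": "credential_stuffing",
                "ip": ip,
                "distinct_users": len(users),
                "compromised": sorted(success_after_fail[ip]),
            })
    for (ip, user), n in fail_counts.items():
        if n >= bruteforce_threshold:
            alerts.append({
                "kind": "brute_force",
                "ip": ip,
                "user": user,
                "failures": n,
                "compromised": sorted(u for u in success_after_fail[ip] if u == user),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The thresholds are deliberately low for the sample; in production they would be tuned per tenant and evaluated over a sliding time window rather than the whole file. The "compromised" list is the actionable output: those are the mailboxes whose passwords should be reset immediately, regardless of any periodic reset schedule.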
