Everyone responsible for securing organisations today recognises the significant growth in BEC (Business Email Compromise) attacks, also sometimes known as “Whaling” or “CEO fraud”.
BEC scammers trick accounting and finance departments into wiring considerable amounts of money into bank accounts under their control, posing as genuine suppliers invoicing for services delivered, or senior company executives.
Individually, some firms have lost millions through the scam emails, and the FBI has estimated that globally over the past five years firms have lost a jaw-dropping $12 billion as a result of the scams.
There is clearly a lot of money to be made by criminals through business email compromise – and that’s why it’s so important that those tasked with securing organisations against threats are aware of any changing trends in the scammers’ behaviour.
New research has revealed that business email compromise is being made easier for any criminal to add to their arsenal.
Researchers at threat intelligence firm Digital Shadows report that companies don’t even need to be hacked to spill their address books and email archives. Careless backups of email archives on publicly-accessible rsync, FTP, SMB, S3 buckets, and NAS drives have exposed some 12.5 million archive files (.eml, .msg, .pst, .ost, .mbox) containing sensitive and financial information.
The researchers found over 50,000 email files containing terms such as “invoice”, “payment”, or “purchase order” in misconfigured or unauthenticated file stores. In some cases, the email archives even contained passport scans.
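A defender-side check for the same exposure, written as an added example that is not from the article or from Digital Shadows: it walks a locally mounted copy of a backup share, inventories every file with one of the archive extensions named above, and for the text-based .eml and .mbox formats reports which of the three finance terms appear (the binary .msg/.pst/.ost formats are listed but not parsed). The sample messages and the directory layout in `demo()` are constructed for the example.

```python
import email, mailbox, os, tempfile
from email import policy

ARCHIVE_EXTS = {".eml", ".msg", ".pst", ".ost", ".mbox"}   # archive formats named in the report
FINANCE_TERMS = ("invoice", "payment", "purchase order")  # terms the researchers searched for
# Constructed sample messages (not real data) used by demo()
SAMPLE_EML = (b"From: supplier@example.test\nTo: ap@example.test\n"
              b"Subject: Outstanding invoice 4471\n\nPlease arrange payment by Friday.\n")
SAMPLE_MBOX = (b"From alice@example.test Mon Jan  1 09:00:00 2024\nFrom: alice@example.test\n"
               b"Subject: Purchase order 88-1\n\nAttached is the purchase order for the servers.\n\n"
               b"From bob@example.test Mon Jan  1 10:00:00 2024\nFrom: bob@example.test\n"
               b"Subject: Lunch\n\nPizza on Friday?\n")

def message_text(raw):
    """Subject plus preferred text body of one raw RFC 822 message, lower-cased."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    content = body.get_content() if body is not None else ""
    return f"{msg.get('subject', '')}\n{content}".lower()

def finance_terms_in(path):
    """Finance terms found in an .eml or .mbox file; binary formats give []."""
    ext = os.path.splitext(path)[1].lower()
    texts = []
    if ext == ".eml":
        with open(path, "rb") as fh:
            texts.append(message_text(fh.read()))
    elif ext == ".mbox":                    # mailbox splits on the "From " separator lines
        texts.extend(message_text(m.as_bytes()) for m in mailbox.mbox(path))
    joined = "\n".join(texts)
    return sorted(term for term in FINANCE_TERMS if term in joined)

def audit_share(root):
    """Map every email archive under root (posix-style relative path) to its finance terms."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in ARCHIVE_EXTS:
                full = os.path.join(dirpath, name)
                report[os.path.relpath(full, root).replace(os.sep, "/")] = finance_terms_in(full)
    return report

def demo():
    """Write the constructed samples (plus a non-archive file) into a temp share and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "backups"))
        for rel, data in (("backups/finance.eml", SAMPLE_EML), ("backups/team.mbox", SAMPLE_MBOX),
                          ("backups/old-mail.pst", b"\x00" * 32), ("notes.txt", b"payment reminder")):
            with open(os.path.join(root, rel), "wb") as fh:  # .pst bytes are a stand-in, not a real PST
                fh.write(data)
        return audit_share(root)
```

Pointing `audit_share()` at a mounted rsync, SMB or NAS export gives the inventory of archive files that would be visible to anyone who can reach that share, which is the finding a backup owner needs before deciding what to pull offline.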
It’s clear that an attacker doesn’t need to perform an account takeover to gain access to the contents of an inbox. As a result, the barrier for entry for a potential BEC scammer is going to be much lower when such sensitive information is available freely on the web, thanks to the careless backup practices of (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Graham Cluley. Read the original post at: https://www.tripwire.com/state-of-security/security-data-protection/bec-as-a-service-offers-hacked-business-accounts-for-as-little-as-150/