The business behind a hacked email account

Pierluigi Paganini June 13, 2013

Which is the commercial value of a hacked email account in the underground? How cybercriminals use a compromised email account? Why do they have to hit me?

Which is the commercial value of a hacked email account in the underground?

Brian Krebs has recently published a valuable post on commercial value for a hacked email account, common people hardly covers the economic model behind the theft of these commodities. During one of my last participation to a TV show the  journalist asked me why hackers target also email account of ordinary people, this post could help to understand how cybercrime monetizes a hacked email account.

In today society email accounts are considered transit points for a countless amount of information, if a criminal logging into user’s account ha is able to discover a victim’s network of contacts, examine his habits, find information about his expenses (e.g. Travel, books, etc.) and then use the hacked email account to gain the access to other accounts in use by the victim to access other web services. Each email account is a mine of information whose value is understood only when a hacker violate it, but generally is too late to avoid problems.

The Kreb’s post highlighted the importance to properly protect our email account, they are part of our digital identity and must be protected by continuous attacks, into the cybercrime underground many  sellers propose collection of hacked email accounts and many cases the offer is profiled according users’ needs. There are forums specialized in the sale of email accounts for sectors such as defense or industry, meanwhile other commercialize lists also accounts to use for generic phishing attacks.

The analysis of price lists provides interesting insights from security experts, following data related various offers and cost each account

  • ITunes account for $8
  •, and accounts for $6. 
  • for $5  
  • Hosting provider for $4
  • Wireless providers,,, and for $4.
  • Facebook and Twitter for  $2.50.

The market for stolen credentials is very prolific, active accounts at,,,, and are sold for a price comprised between 1$ and 3$.

 hacked email account graph


As explained a hacked Email account is very attractive for cyber espionage purpose to gather information on other accounts directly connected,  it could be also used for spamming malicious code or to realize more or less tricky fraud based on social engineering technique. As explained by Krebs an individual could receive a message from his contact, the hacked email account, that asking him to  wire money somewhere claiming the owner of the account  were left without money in some part of the globe.

Analyzing a hacked email account hacker could also gather software license key in case the victim had paid for it,  but another concerning threat is represented by the possibility to exploit the compromised account to obtain the access to cloud file-storage services such as Dropbox, Google Drive or Microsoft Skydrive.  Web storage are another attractive target for cybercriminals, users backup, often in clear, any kind of information on them such as pictures, documents and music.

Not rarely is the hack of financial institution via email, as exposed in the postchances are decent that your account will eventually be used in an impersonation attempt to siphon funds from your bank account.

To protect email accounts many service providers (, Hotmail/Live.comand are implementing multi-factor authentication processed, same choice is shared by other service providers such as Facebook, Twitter and LinkedIn.

Most common 2FA still do not protect completely users from the hacking of their accounts. As I wrote in a previous post on the topic the 2FA could be abused if not properly implemented and it can be bypassed by malware specifically designed.

A Few weeks ago Group-IB published a research on cybercrime activities noting that senior management is considered among most privileged targets. The specific targets of hackers are IT-administrators and IT-managers, as most of them have full access to the company’s infrastructure, which means that if they will be compromised, the attackers may gain access to different information resources, including corporate e-mails.

cybercrime hit senior management

In the above image is reported a post from an underground forum that demonstrates the hacker’s interest to confidential data on CEO and top management of different well known brands, following the translation from Russian:

“Will buy information about the following companies: 

Linkedin, Verizon, GoDaddy, British American Tobaco, Dupont, Pepsi,, Facebook (private companies) 

– Commerzbank, Reiffeisen, RBS, Bank of America, Wells, Wachovia, Citibank + any russians, having online-banking

Interested in email + password, any stolen accounts of its employees in social networks (Facebook + Linkedin), will pay good, before selling need to have a garant and checking.

Interested in hacked accounts and data on:

sustem administrators;

top managers (operational managers, heads of the departments)

Reach me only through PM, confidential and in 1 hands

WIll talk only under OTR/NDC encryption in Jabber, don’t use ICQ “

Also researchers at Group-IB confirmed that there is great market of confidential data trading, mostly it is used by competitive entities for intelligence in same segment of market, by big players on the market for struggling, and hackers as well.

According to the statistics, the most valuable types of information well traded on the black market are:

  • Annual accounting balances and financial reports;
  • Project plans and strategies of the company for several years;
  • Intellectual property and innovations used for successful business;
  • Customers databases and partners’ contacts (CRM);
  • Employees databases (Intranet systems);
  • Credentials to corporate e-mails and personal e-mails of employees;
  • Internal network infrastructure and its specifics.

I left as last reflection the possibility to use hacked email account to gather access to payment systems such as Paypal, on daily basis cybercriminals get access to tens of thousands of accounting credentials across multiple online payment processing services commercializing them in the underground.

Recently Dancho Danchev spotted a newly launched underground E-shop that’s exclusively selling access to hacked PayPal accounts.

hacked email account for sale PayPal


The stolen data include email account and a series of useful information on the victim’s account such as verified/not verified account, type of account, Card confirmed or not, Bank confirmed or not, Balance, First name of the victim, the country of origin, and of course the selling price.

This post has primary intent to explain various ways cybercriminal use a hacked email account, this precious information fuel a growing underground economy, if you believe that your email account is of no interest … you‘re wrong!

Pierluigi Paganini

(Security Affairs – Email, Cybercrime)

you might also like

leave a comment