BEC scams, hacked accounts available from $150 up to $5,000

Pierluigi Paganini October 09, 2018

Security experts from Digital Shadows have conducted an interesting study about the technique adopted by crooks to infiltrate company emails, so-called BEC scam.

According to the FBI, the number of business email account (BEC) and email account compromise (EAC) scam incidents worldwide reached 78,000 between October 2013 and May 2018.

Business email compromise (BEC) and email account compromise (EAC) scam losses worldwide increased by 136% from December 2016 to May 2018, in the same period overall BEC/EAC losses result in $12 billion.

Experts from Digital Shadows highlighted the availability of huge archive online that could be used by crooks to target the companies. It is quite easy to find online AWS buckets containing backups of email archives, the same data could be found on publicly-accessible rsync, FTP, SMB, and NAS drives.

The experts estimated that some 12.5 million archive files (.eml, .msg, .pst, .ost, .mbox) containing sensitive and financial information have been exposed online.

“Digital Shadows detected 33,568 email addresses of finance departments exposed through third party compromises. Eighty-three percent (27,992) of these emails had passwordsassociated with them. If these passwords have been reused for corporate accounts, this may leave organizations at risk to account takeovers.” reads the report published by Digital Shadows.

Experts found over 50,000 email files that contained terms such as “invoice”, “payment”, or “purchase order” terms in misconfigured or unauthenticated file stores.

In some cases, the compromised email archives included also passport scans. According to the report, crooks use to search for company emails that contained “ap@”, “ar@”, “accounting@”, “accountreceivable@”, “accountpayable@”, and “invoice@”.

Company credentials are a valuable commodity in the cybercrime underground, they are offered up to $5,000 for a single username and password pair.


The growing interest of cybercriminals in BEC scams has driven the growth of BEC-as-a-Service,  this kind of services is widely available for as little as $150.

“It’s possible to outsource this work to online actors, who will acquire company credentials for a set fee or percentage of earnings. The price will vary depending on the type of mail service, but services are available from as little as $150.” continues the report.

Experts warn that BEC attacks are a global problem, email archives are exposed predominantly across the European Union (5.2 million), North America (2.9 million), and Asia-Pacific (2 million).

In order to reduce the risk, Digital Shadows experts recommend the following measures to organizations:

  • Update security awareness training content to include the Business Email Compromise (BEC) scenario
  • Include BEC within incident response/business continuity planning
  • Work with wire transfer application vendors to build in manual controls, as well as multiple person authorizations to approve significant wire transfers
  • Continuously monitor for exposed credentials. This is particularly important for finance department emails
  • Conduct ongoing assessments of executives’ digital footprints – threat actors will perform their reconnaissance on high-value targets. Start with using Google Alerts to track new web content related to them
  • Prevent email archives being publicly exposed
  • Businesses should be aware of the risks of their contractors who back up their emails on Network Attached Storage (NAS) devices. Users should add a password and disable guest/anonymous access, as well as opt for NAS devices that are secured by default.

Below the key findings of the report:

  • Corporate email accounts can be compromised for as little as $150
  • A look inside the planning of a targeted Business Email Compromise campaign
  • More than 33,000 accounting email credentials are exposed
  • 12.5 million email archive files are exposed across online file stores
  • The risks of BEC can be mitigated with a range of security measures
[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – cybercrime, fraud)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment