Access to hundreds of email accounts belonging to the highest executive ranks at enterprises across the world is being sold by a cybercriminal online.

The hacker responsible is currently selling email account passwords on Exploit.in, a private underground forum used by Russian-speaking threat actors. The price of the credentials ranges from $100 to $1,500, in line with the scale of the enterprise and the level of the executive. The cybercriminal is offering combinations of an email address and password for both Microsoft and Office 365 accounts, and claims they belong to a wide range of top executives.

The functions of the individuals involved include Chief Executive Officer (CEO), Chief Operating Officer (COO), Chief Financial Officer (CFO), Chief Technology Officer (CTO), President, Director, Vice President, Finance Controller and Finance Manager.

Undercover cybersecurity operations

Recently, an undisclosed source working inside the cybersecurity community and in contact with technology news website ZDNet contacted the hacker, pretending to be a buyer in order to acquire samples of the access credentials. They confirmed that the samples they obtained were valid and involved credentials for email accounts belonging to two high-level executives. The first belonged to the CEO of a medium-sized software firm based in the US. The second belonged to an EU retail chain’s CFO.

ZDNet’s source informed it that they were contacting not just the pair of companies involved in the samples, but another two firms as well. These additional enterprises were detailed in the hacker’s advertisement and offered as proof of validity. These credentials involved the login details for the president of a US accessories and apparel manufacturer, and an executive at a consultancy for business management here in the UK.

Intelligence on cyberthreats

The hacker behind the sales has openly boasted of possessing hundreds of login credentials available to sell, but has refused to disclose how the data was originally obtained.

Data presented by KELA, the cyberthreat intelligence company, indicates that the same hacker has a history of seeking to purchase “Azor logs”. The term refers to information illegally collected from devices previously infected with the data-stealing trojan known as AZORult. Logs from infostealers nearly always include account passwords and usernames extracted by the trojans.

KELA Product Manager Raveed Laeb commented on the value of executive credentials to cybercriminals:

“Attackers can use them for internal communications as part of a ‘CEO scam’ – where criminals manipulate employees into wiring them large sums of money; they can be used in order to access sensitive information as part of an extortion scheme; or, these credentials can also be exploited in order to gain access to other internal systems that require email-based 2FA, in order to move laterally in the organization and conduct a network intrusion.”

This data is commonly collected by dedicated infostealer operators, who filter and collate the sensitive information before putting it up for sale on purpose-built black markets on online hacking forums, or simply selling it on to interested cybercrime groups to use in schemes like business email compromise (BEC) scams.