According to an analysis by Digital Shadows found that enterprise e-mail accounts can be compromised without the need for advanced hacking skills, seeing that they found 12,5 million email archive files publicly available on the web.
Moreover, although phishing campaigns are usually behind most Business Email Compromise (BEC) and Email Account Compromise (EAC) incidents, there's also the choice of scouring the Internet for exposed e-mail accounts.
Digital Shadows threat researchers were able to find 33,000 email credentials of finance departments from various enterprises exposed to unauthorized access, with 27,992 (83%) of them also coming with the password information attached.
"Millions of companies are already exposed through misconfiguration issues or finance department emails and passwords circulating online," said Rick Holland, Digital Shadows' CISO. "With the right knowledge it is relatively easy for cybercriminals to find whole email boxes and accounting credentials – indeed we found criminals actively looking for them."
As the US Federal Bureau of Investigation (FBI) reported on July 12, the domestic and international exposed dollar loss reached a staggering $12,536,948,299 between October 2013 and May 2018, with 41,058 US victims and 2,565 non-US in total.
The threat intelligence company was able to find more than 12 million unprotected e-mail archives on misconfigured servers
Also, between December 2016 and May 2018, the FBI reported that the identified global exposed losses increased by 136% increase following a similar pattern in the number of e-mail compromise incidents reported worldwide.
E-mail compromise attackers usually target business and individual e-mail accounts using phishing and social engineering with the final goal of being able to unlawfully transfer funds to accounts they control.
Digital Shadows found out during their analysis that bad actors who want to target an enterprise's e-mail systems don't even need hacking experience since there are enough e-mail hacking "service providers" that ask as little as $150 to compromise a target's e-mail account.
Additionally, more than 12 million different unprotected e-mail archive files (.eml, .msg, .pst, .ost, .mbox) can be accessed through misconfigured servers and cloud storage accounts, exposing sensitive personal or financial info to threat actors scouring the web for such opportunities on a daily basis.
As mitigations measures against BEC and EAC incidents, Digital Shadows recommends a lot more attention in configuring Internet-facing storage devices and cloud accounts, making sure that wire transfers can only be performed using manual controls, BEC training for company staff, as well as closely monitoring for exposed e-mail credentials.