Stolen corporate email accounts are increasingly being sold on cybercrime markets for as little as $2, meeting growing demand from attackers who use them for business email compromise (BEC), phishing campaigns, and initial access to corporate networks.
Analysts at Israeli cyber-intelligence firm KELA have been following the trend closely, reporting that at least 225,000 email accounts have been put up for sale on the underground market.
The largest webmail shops are Xleet and Lufix, which claim to offer access to over 100,000 compromised corporate email accounts, with prices ranging from $2 to $30 for accounts at highly desirable organizations.
These accounts were typically obtained through password cracking (brute-forcing), credential-stealing malware, phishing, or purchase from other cybercriminals.
Hackers use their access to corporate email accounts to conduct targeted attacks such as business email compromise (BEC), social engineering, spear phishing, and network intrusion.
The Rise of Webmail Autoshops
Sales of corporate email access have been steady in the cybercriminal arena for the past two years, with all major hacking forums offering email “combo lists” for access to various companies. Other threat actors sell curated access to individual, high-value organizations.
In a recent high-profile case, ransomware actor Everest allegedly offered access to an aerospace manufacturer’s email account for $15,000.
Both bulk and curated offers involve a cumbersome process of negotiating with sellers and taking on the risk that the seller’s claims are invalid, while demand for corporate email access continues to grow.
This has created a market for automated webmail shops such as Xleet, Odin, Xmina, and Lufix, which let cybercriminals purchase access to selected email accounts with no negotiation.
“Many of these shops offer advanced features such as ‘proofs’ that webmail access actually works,” KELA explains in the report.
“These proofs include performing live email checks to verify access and viewing screenshots of the compromised account’s inbox.”
The most attractive offering is Office 365 accounts, which make up almost half of all webmail listed, followed by accounts at hosting providers such as cPanel, GoDaddy, and Ionos.
Sellers on these shops do not use aliases but are hidden behind a masking system that assigns them numbers. Odin also shows details about each seller, such as the number of items sold, total sales, and user ratings.
Odin and Xleet disclose how each webmail account was obtained, using categories such as ‘hacked’, ‘cracked’, ‘logged’, and ‘created’. On Xleet, the vast majority (98%) of listings are marked as ‘hacked’ or ‘cracked’.
‘Logged’ accounts are email credentials stolen by information-stealing malware, and ‘created’ accounts are new mailboxes that a network intruder set up at a compromised enterprise using a compromised administrator account.
The rise of these markets makes it imperative to implement regular password resets across all services and platforms, and to reset immediately when a compromise is suspected, so that credentials already in circulation become useless. Note that resets alone do not address ‘created’ accounts: organizations should also audit for mailboxes and admin accounts they did not provision.
Since most of the webmail on offer was cracked or hacked, using strong (longer) passwords and training personnel to recognize phishing emails will greatly reduce these threats. Enforcing multi-factor authentication on email and hosting accounts adds a further barrier, since a stolen or cracked password alone is then no longer enough to log in.