- A cybercrime intelligence company KELA analyzed four markets and found that the cybercrime ecosystem enables threat actors to easily buy corporate webmails.
- The most popular markets offering corporate emails are Xleet, Odin, Xmina, and Lufix. And Office 365 is the most attractive email hosting provider on these marketplaces.
- According to the intelligence report, phishing is the most common attack vector for threat actors. The state-sponsored espionage actors use automated webmail shops for buying corporate email credentials.
Recent research from the cyber security company KELA showed that threat actors now have new marketplaces and shops allowing them to easily buy corporate email accounts to easily deceive users during their attacks.
Live check option
KELA reports automated markets offering corporate webmails for sale. Xleet, Odin, Xmina, and Lufix are among those shops. These dark web shops offer a wide range of spamming tools from hosting services (cPanel, RDP, and shells), accounts (streaming, VPN, email marketing), and leads (access to email leads and combo lists) as well as corporate webmails.
Many of these shops supply proofs to show that webmail access indeed works. The shops perform a live check on the email to verify the access or display a screenshot of the compromised account inbox. KELA says its cybercrime intelligence platform had collected this data and it allowed them easily identify the infected device and username.
KELA states that the shops allow potential buyers to sort and find emails based on specific characteristics. According to the cyber security firm, Xleet is the most developed forum and has existed on cybercrime forums since May 2019. Based on the number of credentials offered for sale, Xleet is also the biggest shop.
Phishing is the most common attack vector
The report highlights that the evolution and added value of the cybercrime ecosystem allow threat actors to easily buy corporate webmail. The popular devoted webmail sale shops are Xleet, Odin, Lufix, and Xmina. The largest shop offering webmail access is Xleet, with an average price of $25 for a single webmail.
Meanwhile, Office 365 is the most attractive email hosting provider on these marketplaces. Phishing is the most common attack vector for threat actors. The state-sponsored espionage actors like advanced persistent threats (APTs) use automated webmail shops for buying corporate email credentials.
Government emails are sold as well
Government emails are often sold in underground forums. On July 14, 2022, an actor offered access to a Turkish minister’s email was offered by an actor and sold on the same day. KELA also observed a cyber criminal offering email access to police forces based in South Asia at the price of $80 for each email.
Ransomware criminals are also involved in offering email access, selling email access to a Canada-based aerospace manufacturing company On November 22, 2022. The access was offered for sale for $15,000.
Most targeted providers
Odin and Lufix shops have been active since 2020 while Xmina appeared in early 2022. KELA reported more than 225,000 webmails listed for sale in the shops. The company analyzed four markets. According to its findings, the most targeted business email providers were Microsoft 365, GoDaddy, Rackspace, and Ionos. Some of the shops are also listed as a type of access cPanel, which allows accessing webmail using a cPanel interface.
The US is the most popular location based on the emails advertised in the shops. Lastly, the researchers found that the average price for corporate webmail on Lufix, Odina, and Xmina is $8.5. Meanwhile, the average price on Xleet is more than triple, at $25.6.