Corporate email accounts are sold in dark web markets

Cyber security researchers from the cyber-intelligence firm KELA have reported that at least 225,000 email accounts are for sale on dark web markets.

Automated dark web shops offering corporate credentials

Recent research from the cyber security company KELA showed that threat actors now have new marketplaces and shops allowing them to easily buy corporate email accounts to easily deceive users during their attacks.

Live check option

KELA reports automated markets offering corporate webmails for sale. Xleet, Odin, Xmina, and Lufix are among those shops. These dark web shops offer a wide range of spamming tools from hosting services (cPanel, RDP, and shells), accounts (streaming, VPN, email marketing), and leads (access to email leads and combo lists) as well as corporate webmails.

Many of these shops supply proofs to show that webmail access indeed works. The shops perform a live check on the email to verify the access or display a screenshot of the compromised account inbox. KELA says its cybercrime intelligence platform had collected this data and it allowed them easily identify the infected device and username.

Shops ask users to check webmail whether it works before buying the credentials

KELA states that the shops allow potential buyers to sort and find emails based on specific characteristics. According to the cyber security firm, Xleet is the most developed forum and has existed on cybercrime forums since May 2019. Based on the number of credentials offered for sale, Xleet is also the biggest shop.

Number of offers per shop

Phishing is the most common attack vector

The report highlights that the evolution and added value of the cybercrime ecosystem allow threat actors to easily buy corporate webmail. The popular devoted webmail sale shops are Xleet, Odin, Lufix, and Xmina. The largest shop offering webmail access is Xleet, with an average price of $25 for a single webmail.

Meanwhile, Office 365 is the most attractive email hosting provider on these marketplaces. Phishing is the most common attack vector for threat actors. The state-sponsored espionage actors like advanced persistent threats (APTs) use automated webmail shops for buying corporate email credentials.

Government emails are sold as well

Government emails are often sold in underground forums. On July 14, 2022, an actor offered access to a Turkish minister’s email was offered by an actor and sold on the same day. KELA also observed a cyber criminal offering email access to police forces based in South Asia at the price of $80 for each email.

Ransomware criminals are also involved in offering email access, selling email access to a Canada-based aerospace manufacturing company On November 22, 2022. The access was offered for sale for $15,000.

Most targeted providers

Odin and Lufix shops have been active since 2020 while Xmina appeared in early 2022. KELA reported more than 225,000 webmails listed for sale in the shops. The company analyzed four markets. According to its findings, the most targeted business email providers were Microsoft 365, GoDaddy, Rackspace, and Ionos. Some of the shops are also listed as a type of access cPanel, which allows accessing webmail using a cPanel interface.

The US is the most popular location based on the emails advertised in the shops. Lastly, the researchers found that the average price for corporate webmail on Lufix, Odina, and Xmina is $8.5. Meanwhile, the average price on Xleet is more than triple, at $25.6.

See more Cyber Security News

About the Author

Hanife Diktas is a news editor at Cloud7 News. Hanife started her career in the manufacturing sector in the marketing and sales department. Hanife worked in industrial equipment, renewable energy, and technology sectors. Hanife Diktas did her bachelor's degree in business administration and completed a master's degree in management at Yeditepe University in Istanbul, Turkey. Hanife is a Linux user, and she also contributed to AlmaLinux OS at the beginning of the project. Hanife focuses on web hosting, cloud computing, data centers, cybersecurity, Linux OS, and virtualization technologies. Hanife enjoys creating content and shooting videos covering these topics.