A Hacker is Selling Access To the Email Accounts of Hundreds of C-Level Executives

A threat actor is currently selling passwords for the email accounts of hundreds of C-level executives at companies across the world. From a report: The data is being sold on a closed-access underground forum for Russian-speaking hackers named Exploit.in, ZDNet has learned this week. The threat actor is selling email and password combinations for Office 365 and Microsoft accounts, which he claims are owned by high-level executives occupying functions such as: CEO, COO, CFO, CMO, CTO, President, VP, Exec Assistant, Finance Manager, Accountant, and Director. Access to any of these accounts is sold for prices ranging from $100 to $1,500, depending on the company size and user's role.

What happens if he's lying?

[BAReFO0t]

It's not like you can sue him.

And you can only buy the cat in the bag before you know.

Also, of your business even has C-level executives, you're officially too big to not be mostly bullshit jobs, IMHO. ;)

Re:What happens if he's lying?

[olsmeister]

Hackers have reputations to uphold, too.

That must be the same guy

[Mr. Dollar Ton]

who tells me 15 times a day he recorded a video of me watching a porn movie and will send it to EVERYONE side by side unless I pay him that much in shitcoins.

Re:

[niff]

I’m still waiting for your shitcoins, mr dollar ton...

Re:

[Mr. Dollar Ton]

You ain't getting them, so you may as well post the video. Good luck.

Re:

[CODiNE]

Oh yeah with SPECIAL split-screen video so your friends and family know exactly what you were watching.

Re:

[Mr. Dollar Ton]

Yup.

Re:

[Rosco P. Coltrane]

You're barking up the wrong tree.

CxO people are bad, but they're only doing the bidding of the shareholders. The latter are the true fuckers you want to hate. The former only execute orders. Although one might argue that doing that kind of job requires a particularly callous kind of personality.

Re:

[Mr. Dollar Ton]

Going for the executors is the first step. When the shareholders are out of executors and come to the front, we'll get them, too.

Re:

[buravirgil]

Going for the executors is the first step. When the shareholders are out of executors and come to the front, we'll get them, too.

~Mr Dollar Ton

Would it were so simple.
~Hobie Doyle(Alden Ehrenreich), Hail, Caesar! (2016)

Dance on down to an ETF house and pitch your tent to pat down "shareholders" for their pockets full of bond, preferred, or common stock. That there grip looks like it contains bearer bonds from Nakatomi plaza-- follow that Uber!

Re:vigilantism

[dave-man]

Do you have a 401k? You're a shareholder. Pension plan? IRA? CD? You're a shareholder. Self-hate is just sad.

Re:

[drinkypoo]

https://www.cnbc.com/2016/02/0... [cnbc.com]

There is such a thing as ethical investment.

But if you're a shareholder of a company that's doing evil, then you're doing evil by proxy. It doesn't get much simpler.

You oversimplify.

[Brain-Fu]

If you own common stock then you can vote, thus directing the corporate executives. Thus, buying stock in evil companies is one way of obtaining pressure to apply towards changing them into good companies.

However, you don't always win the vote, and the executives are humans who have a measure of free will, change over time, respond to changing circumstances, etc. Furthermore, large corporations are more like anthives than giants....they are a teeming mass of different people with different agendas sometim

Re:

[rfunches]

If you own common stock then you can vote, thus directing the corporate executives. Thus, buying stock in evil companies is one way of obtaining pressure to apply towards changing them into good companies.

Not necessarily, the cool kids on Wall Street (mostly tech companies) use dual-class or multi-class shares that neuter activism [investors.com] by retail and institutional investors. Some of them, like Facebook and Google, grant additional votes to shares held by the founders and other close insiders -- for instance, 20 votes for an "insider" class of share vs. 1 vote for a regular share. A few recent companies flat out gave the middle finger and their common stock shares grant no votes -- IBD cites Snap (owner of Snapchat

Re:

[Mr. Dollar Ton]

Nope. I have property, gold, guns, animals and crops, and a small slave army to keep it humming.

Fuck the "investors".

Re:

[iggymanz]

nonsense, there are plenty of other investment types than stocks for all those, "shareholder' refers to stock share holder only.

Hate to tell you this

[raymorris]

I hate to be the one to tell you this, but you ARE going to get old. Well, unless you die young, but hopefully that won't happen.

You will get old. There are two ways that can go. You can either be old saying "welcome to Walmart", or you can be old relaxing while your bills are paid from your investments. That is, by owning the means of production, because you put 15% of your salary into that, you don't have to work when your old.

Most American adults choose the investment route - most check off the box mar

Re:

[Anonymous Coward]

Not anymore. They "invest" in college, then study theatre, gender studies, and "critical theory" which claims that all scientific data is cis-het-white-male-rape-culture oppression of *all* the current alphabet soup, and only by studying Marx can we understand our oppression and save the world's economies from destruction.

Think I'm kidding? 25% of all socialogy professors are now Marxist. And none of their disciples can find a job.

Re:

[computererds]

I'm sure you're not kidding. You are however pulling numbers right out of your ass.

Re:

[Agripa]

or you can be old relaxing while your bills are paid from your investments

Tell that to the people whose retirement funds were stolen by Madoff and government supported scoundrels like him.

Re:

[raymorris]

I'm not sure that any individuals lost any retirement funds, of the kind we're talking about, though it did take some time for some people's money to be returned from that crime. Madoff investors were primarily multi-million dollar investments from organizations. You wouldn't typically have something as complex as Madoff's scheme in your 401k.

Speaking of which, you SHOULDN'T invest in complex schemes; only invest in things you thoroughly understand.

Re:

[raymorris]

To be clear, your logic is the same as this:

Me: Graduating high school is a really good idea

You: Tell that to the person who got mugged on the way to school.

You're really, really hurting yourself if you don't take the opportunity to become an owner. Even more so since your employer will likely give you free money when you do so. Every time you spend $10 becoming an owner of whichever companies, your employer will kick in about $5, so you own $15 worth. Except it's such a good that the government encourages

Single point of failure or the weakest link

[Canberra1]

These C-levels had it coming. Their mantra was MS or the other would do a better job of security than their lazy say no IT section. It now seems the cloud is wet, and precipitation of embarrassing company stuff - a certainty. It remains to be seen if their passwords were in violation of corporate policy. It remains to be seen if those using 2FA were similarly lousy. A shemozzle or Cloudtastrophie.

Re:

[portwojc]

It's a mess and I wish I could block the MS network because of all the phishing emails that come through there. Can't block them or the other big networks who are just passing the crap along. It's not their fault it's well their customers fault....

Re:

[Anonymous Coward]

Many of the companies that kept an in-house IT system wound up with a bunch of encrypted servers, no backups, and a ransomware bill. Pick your poison.

Re:

[kot-begemot-uk]

MS can do a better job - you can enable access restrictions, 2FA, etc.

The problem is that the executives in question were either too dumb to use that or have insisted that it is disabled for sake of their convenience.

Re:

[EvilSS]

M365 is like any other email platform, cloud or on-prem, it's as secure as you configure it to be. By default it requires strong passwords but if you are, like most companies, connected to on-prem AD then it inherits your password policies for users coming over via federation or AD Sync. Ditto for MFA. You have to turn it on for your users, and your admin chooses the MFA methods, some of which I personally find insecure (SMS, office phone) and password reset features (one option is user questions, which are

C-level? Bah.

[Bu11etmagnet]

I don't care about anyone below A-

C-level accounts without 2FA?

[iustinp]

Come on, it's 2020. In 2010, maybe 2015 I would believe this, but in 2020 to have any important business account without 2FA is very unlikely.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[sound+vision]

2FA doesn't make the accounts uncrackable. If the second factor is SMS (which doesn't even pretend to be secure) it's probably easier to intercept that than the password. You just need a leniently close physical proximity to the target. That's enough to prevent script kiddies from stealing Steam accounts, but these are high-value targets. Everyone up to and including state intelligence services would be interested in these.

Maybe, the C-levels will get smart

[WindBourne]

I think that the crackers just did America a great favor.
I suspect that the one thing that they will find in common is that the majority of these companies outsourced their code and admin esp. to India (closest ally to Russia and v.v..

computer criminal, hot hacker

[Blue_Astronomy_Geek]

A lot of us are hacker. We shouldn't be defaming our own name.