Late last year, reports surfaced in the online forum ‘Bezbedan Balkan’ [Secure Balkan] concerning the black market sale of email account credentials associated with a number of Serbian state institutions and public companies.
“Multiple sources” reported the phenomenon, said Ivan Markovic, a cybersecurity expert and co-founder of the forum.
“This means that someone, for the right price, was able to read through the official communication of the public enterprise Elektroprivreda Srbije [Serbia’s power utility] or [main gas distributor] Srbijagas, or send a message pretending to be from the National Employment Service,” Markovic told BIRN.
When Markovic and his colleagues dug deeper, they found that the email credentials of several public enterprises and state institutions had been compromised for more than a year and offered for sale for $100 or less.
The email accounts contained information on contracts, redundancy notices, bank statements, public procurement, and union meetings. Sale ads included screenshots of open email inboxes as proof for potential buyers.
Yet almost all of the bodies concerned told BIRN the reports were false.
According to Markovic and other cybersecurity experts, their failure to act only makes things worse.
“Black market platforms depend on their credibility and usually don’t sell fake data; those sellers who do quickly get sanctioned,” he said. “What’s more dangerous is that this data is sold multiple times to different malicious groups.”
Reluctant to report
Since January last year, according to Markovic, email accounts related to Elektroprivreda Srbije, EPS, have been compromised at least 15 times.
But EPS told BIRN this was untrue.
State-owned telecoms provider Telekom Srbije also said the email accounts of its employees were secure, as did the National Employment Service. Srbijagas did not respond to a request for comment for this story.
Only grid operator Elektromreza Srbije confirmed an incident involving a compromised corporate email account.
Alerted by the state CERT – the regulatory authority for electronic communications and postal services – to a case of phishing, Elektromreza Srbije said it “blocked the account, examined the activities on the system of the compromised user, changed the passwords and initiated additional training on information security and potential threats”.
CERT, however, has no authority to monitor the implementation of such security measures. That rests with the Ministry of Information and Telecommunications, which has just one inspector dedicated to the task.
Last year, leading cybersecurity firm Kaspersky tracked posts on the dark net offering access to compromised corporate data and found some 260,000 passwords, PIN numbers and other biometric data belonging to users in Serbia, though without identifying specific companies.
According to Kaspersky, the mere appearance of a corporate email address on the dark net, even without a password, already puts the security of the organisation in question at risk.
“The attack surface within its infrastructure increases as the number of potentially vulnerable targets grows,” Kaspersky told BIRN. “The public availability of corporate email addresses can pique the interest of cybercriminals and trigger discussions on dark net resources such as forums, messengers, onion sites, and more, regarding potential attacks on the organisation. Additionally, a corporate email address is more likely to be used for phishing and social engineering purposes.”
Kaspersky’s investigation also revealed a worrying lack of corporate preparedness and a tendency among companies to deny claims that their protections have been breached.
This was also documented by the Serbian State Audit, which reported in xxxx that public enterprises and the state administration are reluctant to report incidents to CERT. A lack of awareness about whom to turn to and a fear of the hit to a company’s reputation are among the reasons why.
This is worrying, said Bojan Perkov, digital policy coordinator at SHARE Foundation, which works to promote and protect digital rights.
“Unauthorised access to email accounts and their abuse can be an entry point for other, far more serious attacks,” Perkov told BIRN.
“If the same combination of credentials – let’s say email, username or password – was used for multiple accounts, of which some contain highly sensitive information such as a large database with the details of private citizens, this can be quite damaging. The attacker can also continue to abuse the email address for phishing schemes and social engineering in order to gain further access to the system.”
Phishing for employees
It’s not only companies that are reluctant to admit to cybersecurity breaches. Employees are also often unwilling to admit they may have unwittingly compromised their employer.
“A member of staff said that she received an email, but did not click on it. But her computer was blinking,” an employee in the IT department of a Serbian public company told BIRN, speaking on condition of anonymity.
The case in question was phishing. A bot introduced itself to a staff member as an administrator, and the email she received contained a link that was allegedly for changing her password.
“It took us a month to solve the problem,” the IT employee said. “First, the Outlook file, where the emails were stored, started duplicating her emails. Once that was fixed, suddenly she couldn’t receive any emails, then the ports would get mixed up, the configuration I set up would turn off. I thought we could just repair the file, but ended up taking down the entire system of her computer.”
The use of an official email address for private purposes is one of the most common mistakes made by employees in public companies and institutions, CERT told BIRN.
“This leaves them particularly vulnerable to phishing attacks and social engineering. Also, sending sensitive and private data via instant messaging apps, such as Viber and WhatsApp, can have similar undesirable consequences.”
Most email accounts of Serbian public enterprises sold on the black market used Outlook’s Web App.
“The problem with this, or any other webmail app accessed through a browser, arises when the user chooses the option for remembering the password,” said another IT employee at a Serbian public institution, who also spoke on condition of anonymity.
“The browser on the computer or laptop doesn’t have any additional protection when someone accesses their account through remembered credentials,” he said. “Once the computer is infected with a virus, the data will become available. And since most institutions attempt to network all their computers, the virus spreads really fast within the system and can collect their accounts.”
In the case of EPS, Markovic informed authorities about the compromised emails, but only the Commissioner for Information of Public Importance and Personal Data Protection took any action, he said. Limited in how far it can inspect, the Commissioner also failed to find any issue.
“Given this outcome, we can only say that this problem is being ignored,” Markovic said.