FTSE 100 employees are putting their firms at risk by re-using corporate credentials on third-party sites, with over 5,000 email and password combinations already compromised, according to Anomali.
The threat intelligence firm tracked the darknet over the past three months to compile its latest report, The FTSE 100: Targeted Brand Attacks and Mass Credential Exposures.
It found 5,275 compromised email and unencrypted password accounts in total, on hacking forums, paste sites and similar – that’s an average of 50 employees at each FTSE 100 firm that have unwittingly exposed their details to cybercriminals.
The credentials were stolen from non-work-related sites in classic data breach incidents. For example, over 40 email/password combinations across 23 companies were compromised in April when a popular UK football site had its database dumped on the darknet, Anomali said.
With this information, black hats could log in to corporate networks and access, steal and/or tamper with highly sensitive information.
Oil and gas companies accounted for 20% of compromised credentials, which raises the uncomfortable prospect of cybercriminals potentially opening up channels to access SCADA systems.
Jonathan Martin, EMEA operations director at Anomali, argued that many of these firms still aren’t set up to implement two-factor authentication on all enterprise apps – exposing them to this kind of risk.
“Rather, we need to have much greater education of employees on all security matters but particularly around using work emails on non-work related sites,” he told Infosecurity.
“Often, it’s simply a case of people simply not understanding or thinking through the implications of how a compromised work email could be used to launch a range of attacks against both the individual employee as well as others in the organization.”
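The kind of check behind such findings, as an added example that is not Anomali's tooling or part of the original article: scan a credential dump for addresses under the corporate domains you monitor, deduplicate them and count exposures per company. The dump lines and the domains example.co.uk / example-energy.com are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of the "email<sep>password" lines typical of dumps
# posted to paste sites (all values fictional).
SAMPLE_DUMP = """\
alice@example.co.uk:Summer2016!
bob@mail.example.co.uk;hunter2
carol@gmail.com:letmein
dave@EXAMPLE-ENERGY.com,Passw0rd
alice@example.co.uk:Summer2016!
not a credential line
eve@notexample.co.uk:qwerty
"""

# Corporate domains being monitored (constructed stand-ins for FTSE 100 firms).
CORPORATE_DOMAINS = {"example.co.uk", "example-energy.com"}

# email, then a ':' ';' or ',' separator, then the password remainder.
LINE_RE = re.compile(r"^\s*([^\s:;,]+@[^\s:;,]+)\s*[:;,]\s*(\S.*)$")


def corporate_root(domain, corporate=CORPORATE_DOMAINS):
    """Return the monitored domain that `domain` equals or sits under, else None.
    Suffix matching requires a dot so 'notexample.co.uk' does not match."""
    domain = domain.lower().rstrip(".")
    for root in corporate:
        if domain == root or domain.endswith("." + root):
            return root
    return None


def scan_dump(text, corporate=CORPORATE_DOMAINS):
    """Return (per-company exposure counts, set of exposed addresses).
    Passwords are parsed but deliberately discarded: the defender only needs
    to know which accounts to reset, not the plaintext secret."""
    exposed = set()
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        email = match.group(1).lower()
        domain = email.rsplit("@", 1)[1]
        if corporate_root(domain, corporate):
            exposed.add(email)
    counts = Counter(corporate_root(e.rsplit("@", 1)[1], corporate) for e in exposed)
    return dict(counts), exposed


if __name__ == "__main__":
    per_company, accounts = scan_dump(SAMPLE_DUMP)
    print(per_company)  # {'example.co.uk': 2, 'example-energy.com': 1}
    print(sorted(accounts))
```

Each address returned is a reset-and-notify candidate; the counts feed the per-firm averages the report is built on.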
The report also warned that FTSE 100 firms are at risk from a growing problem of domain spoofing.
Over the past three months, 81 such companies had potentially malicious domain registrations against them, Anomali found.
The majority were registered with Chinese addresses, followed by the US and Panama.
Such domains are used in email-borne phishing attacks, where customers are typically tricked into divulging their personal details because they think they’re interacting with a legitimate firm.
Financial services was the worst hit vertical with 376 suspicious domains found, followed by retail (175) and critical infrastructure (75).