Cybercriminals are breaking into the email accounts provided by AT&T to hack into victims’ cryptocurrency exchange accounts and steal their crypto assets. Email addresses with the domain names sbcglobal[.]net, bellsouth[.]net, and att[.]net are affected.

Breaking into email accounts

The researchers suspect that the attackers obtained access to a part of AT&T’s internal network, which allows the creation of mail keys for any user.
  • These unique mail keys are used as credentials by AT&T email users to log in to their accounts from email apps such as Outlook or Thunderbird, without needing a password.
  • Having the mail key of a target, the attackers can use an email app to log into any account. They then abuse that access to reset passwords for further malicious actions, such as breaking into cryptocurrency exchanges.

In a Telegram group chat, one of the hackers claimed that the group has access to an entire AT&T employee database, which allows access to information related to OPUS, an AT&T portal for employees.

Specific attack incidents

AT&T’s spokesperson has denied that the attackers had any access to internal company systems, stating that there was no intrusion into any system. However, several independent victims claim to have been hit by the attacks and to have suffered losses.
  • One of the victims claimed that the attackers stole $134,000 from his Coinbase account. Another victim claimed that the attacks have been happening repeatedly since November 2022, presumably 10 times at this point.
  • A tipster claimed that the hackers can reset any AT&T email account and may have made between $15 and $20 million from stolen crypto. The hackers also reportedly have access to AT&T's internal VPN.

Conclusion

This incident shows how a compromised email account, or the mail key that grants access to it, can be abused to gain access to other services. Access to a mail key allows access to all connected services, including crypto accounts. Firms are advised to update their security controls to prevent such activity and to proactively require a password reset on affected email accounts.
Cyware Publisher