SendGrid And Mailtrap Credentials Sold On Cybercrime Forums For Just $15

SendGrid and Mailtrap credentials are being sold on cybercrime forums for as little as $15, and they are used to send phishing emails and bypass spam filters. Learn how infostealers and checkers enable this underground market.
April 25, 2024

Cybercriminals frequently sell access to compromised email infrastructure, such as SMTP credentials and transactional email service API keys, for use in phishing, spam, and other malicious email campaigns intended to steal sensitive data. By monitoring underground cybercrime forums and marketplaces, we recently discovered Mailjet, SendGrid, Mailtrap, and SMTP credentials for sale on several Russian-language hacking forums at astonishingly low prices.

Why Attackers Target SendGrid and Mailtrap

Attackers often target platforms like SendGrid and Mailtrap due to their credible reputations and wealth of customer data. As a widely used email service, SendGrid holds access to vast email lists and communication channels of businesses and individual users. Compromising SendGrid credentials can grant attackers the ability to send out email attacks at scale or manipulate legitimate communications for malicious purposes. Similarly, Mailtrap, a platform for email testing, contains email templates, test data, and SMTP configurations, making it a valuable target for attackers seeking to exploit vulnerabilities in email systems.

Because these domains have a long history of legitimate sending, they can easily bypass the anti-spam and sender authentication protocols that many email providers use to block suspicious mail—making them attractive to criminals who use them to reach their targets.
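As an added illustration (not part of the original article, and not the vendor's detection logic): a minimal Python check that separates mail authenticated as its visible From domain from mail that passes SPF/DKIM only under an email service provider's shared domain. The `SHARED_ESP_DOMAINS` list, the two-label organizational-domain shortcut, and the sample message are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: shared ESP signing/bounce domains; extend from your own mail logs.
SHARED_ESP_DOMAINS = {"sendgrid.net"}

def org_domain(domain):
    # Simplification: last two labels. Real DMARC uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def passing_domains(auth_results):
    """Org domains that passed DKIM (header.d) or SPF (smtp.mailfrom)."""
    found = set()
    for clause in auth_results.split(";"):
        clause = " ".join(clause.split())  # unfold and normalise whitespace
        for pattern in (
            r"\bdkim=pass\b.*?\bheader\.d=([\w.-]+)",
            r"\bspf=pass\b.*?\bsmtp\.mailfrom=(?:[^\s@;]*@)?([\w.-]+)",
        ):
            m = re.search(pattern, clause, re.IGNORECASE)
            if m:
                found.add(org_domain(m.group(1)))
    return found

def classify(raw_message):
    """Assumes Authentication-Results was stamped by your own gateway."""
    msg = message_from_string(raw_message)
    address = parseaddr(msg.get("From", ""))[1]
    from_domain = org_domain(address.rpartition("@")[2])
    passed = set()
    for value in msg.get_all("Authentication-Results", []):
        passed |= passing_domains(value)
    if from_domain and from_domain in passed:
        return "aligned"
    if passed & SHARED_ESP_DOMAINS:
        return "esp-shared-only"  # authenticated, but not as the From domain
    return "unaligned"

# Constructed sample: passes SPF and DKIM, yet only as the ESP's shared domain.
SAMPLE = (
    "From: Billing <billing@example.com>\n"
    "Authentication-Results: mx.gateway.test; dkim=pass header.d=sendgrid.net;\n"
    " spf=pass smtp.mailfrom=bounces+1@em1.sendgrid.net\n"
    "Subject: Invoice\n\nbody\n"
)

if __name__ == "__main__":
    print(classify(SAMPLE))
```

An `esp-shared-only` result is a triage signal rather than a verdict: an account whose owner has set up their own signing domain will classify as `aligned` even when the account is compromised.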

How Attackers Obtain Stolen Credentials

Most compromised SMTP login credentials on these forums are obtained through brute force and credential stuffing attacks rather than direct system intrusions. Automated brute forcing scripts and tools continuously guess passwords using combinations of usernames, emails, and passwords leaked in past data breaches. When they eventually guess correctly, they add the working logins to their lists.

A cybercriminal selling an SMTP brute forcing tool.

Transactional email service API keys, however, cannot be brute forced due to their length. Many of the keys found for sale can be traced back to information stealers, which are also known as infostealers. Infostealers are a type of malware designed to gather sensitive information from infected computers, such as login credentials and financial information. These malicious programs often operate in the background without the user's knowledge, collecting and transmitting data to the attackers.

A cybercriminal looking to purchase infostealer logs.

The stolen data obtained by infostealers is often referred to as "logs" on cybercrime forums and networks. Some cybercriminals have even built entire websites and platforms that run on a subscription model—giving members access to thousands of new "logs" per day.

A cloud platform that sells thousands of new logs daily.

Our recent research shows that there is significant demand for "logs" from popular email-sending platforms like Mailjet, SendGrid, and Mailtrap.

A cybercriminal looking to purchase ESP and SMTP credentials.

High Demand Drives Specific Cybercrime Services

To automate the process of verifying the validity of these stolen accounts, cybercriminals have developed dedicated tools called "checkers." These checkers are designed to test the login credentials against the email service provider's (ESP) platform, filtering out invalid or banned accounts.

A cybercriminal selling an ESP credential checker.

Only the verified accounts are then packaged and sold to other cybercriminals or used directly in their own malicious email campaigns. Cybercriminals often prefer using these stolen accounts because they provide a more reliable and legitimate way to send phishing emails and other malicious content, as opposed to using newly created accounts that may trigger spam filters more easily.

Securing Your Email from Attacks

Your cloud email platform is a critical business asset, but it's also a prime target for cybercriminals. As threat actors grow more sophisticated, preventing attacks sent from these legitimate platforms is essential.

Inbound email security plays a crucial role in detecting attacks sent from compromised SendGrid and Mailtrap accounts (plus others!) before they hit user inboxes. Abnormal’s AI-powered solution uses advanced human behavior AI and content analysis to understand the behavior of every user in your organization, as well as the vendors you work with. This allows the platform to detect and remediate suspicious activity and anomalies in the cloud environment—even when they originate from a seemingly legitimate source like SendGrid or Mailtrap.

By staying vigilant and leveraging innovative solutions, security leaders and the organizations they protect can mitigate the risks associated with these attacks.

Interested in learning more about how Abnormal can protect your organization? Schedule a demo today!
