Phishing scam had all the bells and whistles – except one

Image: the username and password prompt of a web page, shown on a laptop screen.

Criminals behind a recent phishing scam had assembled all the important pieces. Software that bypasses antivirus protection: check. An email template that got past Microsoft Office 365 Advanced Threat Protection: check. A supply of email accounts with good reputations to send scam mail from: check.

It was a recipe that allowed the scammers to steal more than 1,000 corporate employee credentials. There was only one problem: the scammers stored their hard-won passwords on public servers, where anyone – including search engines – could (and did) index them.

“Interestingly, due to a simple flaw in their attack chain, the attackers behind the phishing campaign exposed the credentials they stole to the public Internet on dozens of servers used by the attackers,” researchers from security firm Check Point wrote in a report published Thursday. “With a simple Google search, anyone could have found the password for one of the compromised, stolen email addresses: a gift to every opportunistic attacker.”

Check Point researchers made the discovery while investigating a phishing campaign that began in August. The scam came in emails claiming to be from Xerox or Xeros. The emails were sent from addresses that, before being hijacked, had high reputation scores, which let them bypass many spam and antiphishing defenses. Attached to the messages was a malicious HTML file that was not flagged by any of the 60 antimalware engines.

The email looked like this:

(Image: Check Point)

After clicking, the HTML file displays a document that looks like this:

(Image: Check Point)

Once recipients were tricked into entering their credentials into the fake login page, the scammers stored the data on dozens of compromised WordPress sites that had been turned into so-called drop zones. The arrangement made sense because the compromised sites would likely have higher reputation scores than sites the attackers owned themselves.

The attackers, however, failed to mark the sites as off-limits to Google and other search engines. As a result, web searches could locate the data and lead security researchers to the cache of stolen credentials.

“We found that once the user information was sent to the drop-zone servers, the data was stored in a publicly visible file that could be indexed by Google,” reads Thursday’s report from Check Point. “It gave everyone access to the stolen email address with a simple Google search.”
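For a defender running a WordPress site, the two telltales described above (an unexpected PHP script in a media directory receiving form POSTs from many unrelated clients, and plain-text files beside it being fetched by anyone, crawlers included) can be pulled out of ordinary web-server access logs. This is an added example, not code from the Check Point report or the article; the log lines, addresses, paths and the list of legitimate WordPress POST endpoints are constructed assumptions.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format; every address and path in this file is a constructed sample.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
WP_POST_ENDPOINTS = ("/wp-login.php", "/wp-admin/", "/wp-comments-post.php", "/xmlrpc.php")  # assumed legitimate POST targets
TEXT_EXTS = (".txt", ".log", ".csv", ".json")  # what a collector script usually appends submissions to

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_collector_post(entry):
    """POST to a PHP script under uploads/ (which should hold static media only) rather than a WordPress endpoint."""
    path = entry["path"].split("?")[0]
    return (entry["method"] == "POST" and path.endswith(".php")
            and "/wp-content/uploads/" in path and not path.startswith(WP_POST_ENDPOINTS))

def find_drop_zones(lines, min_sources=3):
    """Suspect scripts receiving POSTs from >= min_sources distinct IPs: many victims submitting, not one admin."""
    posts = defaultdict(set)
    for line in lines:
        e = parse_line(line)
        if e and is_collector_post(e):
            posts[e["path"].split("?")[0]].add(e["ip"])
    return {p: sorted(ips) for p, ips in posts.items() if len(ips) >= min_sources}

def find_exposed_files(lines, drop_zones):
    """Successful GETs of text files beside a drop-zone script: the stored submissions are world-readable."""
    dirs = {p.rsplit("/", 1)[0] + "/" for p in drop_zones}
    exposed = set()
    for line in lines:
        e = parse_line(line)
        if not e or e["method"] != "GET" or e["status"] != "200":
            continue
        path = e["path"].split("?")[0]
        if path.endswith(TEXT_EXTS) and any(path.startswith(d) for d in dirs):
            exposed.add(path)
    return sorted(exposed)

SAMPLE_LOG = [  # constructed lines using documentation address ranges (RFC 5737)
    '203.0.113.10 - - [20/Jan/2021:10:01:02 +0000] "POST /wp-content/uploads/2020/08/s.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [20/Jan/2021:10:03:15 +0000] "POST /wp-content/uploads/2020/08/s.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Jan/2021:10:05:44 +0000] "POST /wp-content/uploads/2020/08/s.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [20/Jan/2021:10:06:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.200 - - [20/Jan/2021:11:00:00 +0000] "GET /wp-content/uploads/2020/08/log.txt HTTP/1.1" 200 4096 "-" "Googlebot/2.1"',
    '192.0.2.5 - - [20/Jan/2021:11:02:00 +0000] "GET /wp-content/uploads/2020/08/photo.jpg HTTP/1.1" 200 51200 "-" "Mozilla/5.0"',
]
```

Running `find_drop_zones(SAMPLE_LOG)` flags only `s.php`, and `find_exposed_files` then reports `log.txt` next to it while ignoring the image and the ordinary `wp-login.php` traffic.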

Based on an analysis of roughly 500 of the compromised credentials, Check Point compiled the following breakdown of the targeted industries.

Simple web searches show that some of the data stored on the drop-zone servers was still searchable at the time this post went live. Most of these passwords had the same format, raising the possibility that the credentials did not belong to real accounts. Even so, Check Point’s discovery is a reminder that stolen passwords, like so many other things on the internet, are ripe for the picking.
