Google Searches Expose Stolen Corporate Credentials

A phishing campaign spoofs Xerox notifications to lure victims into clicking on malicious HTML attachments.

Attackers behind a recently discovered phishing campaign have unintentionally left more than 1,000 stolen credentials available online via simple Google searches, researchers have found.

The campaign, which began in August 2020, used e-mails that spoof notifications from Xerox scans to lure victims into clicking on malicious HTML attachments, according to a report from Check Point Research released Thursday.

Check Point worked with security firm Otorio to uncover the campaign, which managed to bypass Microsoft Office 365 Advanced Threat Protection (ATP) filtering to steal more than 1,000 corporate credentials, researchers said.
2020 Reader Survey: Share Your Feedback to Help Us Improve

While this is and of itself is not atypical of phishing campaigns, attackers made a “simple mistake in their attack chain” that left the credentials they’d stolen exposed to the “public Internet, across dozens of drop-zone servers used by the attackers,” researchers said.

Usually credentials are the crown jewels of an attack, something threat actors keep for themselves so they can sell them on the dark web for profit or use them for their own nefarious purposes.

However, in this campaign, “with a simple Google search, anyone could have found the password to one of the compromised, stolen email addresses: a gift to every opportunistic attackers,” researchers wrote.

This is because the attackers stored the stolen credentials in designated webpages on compromised servers, said Lotem Finkelsteen, head of threat intelligence for Check Point Software. However, because Google constantly indexes the internet, the search engine also indexed these pages, making them available to anyone who queried Google for a stolen email address.

“The attackers didn’t think that if they are able to scan the internet for those pages — Google can too,” Finkelsteen said in an e-mailed statement. “This was a clear operation security failure for the attackers.”

Organizations targeted in the campaign spanned a number of industries—including retail, manufacturing, healthcare and IT–with a special interest in energy and construction companies, researchers noted. There also was evidence that the campaign is not the attackers’ first rodeo, as emails and JavaScript encoding used in the attacks correlated to a phishing campaign from May of the same year, they said.

The campaign started with an email using one of several phishing templates imitating a Xerox notification with the target’s first name or company title in the subject line. The email included an HTML file that, once clicked on, would prompt the user with a lookalike login page for Xerox.

“After the HTML file was launched, a JavaScript code would then run in the background of the document,” researchers wrote. “The code was responsible for simple password checks, sending the data to the attackers’ drop-zone server, and redirecting the user to a legitimate Office 365 login page.”

Drop-zone servers used by the campaign were dozens of WordPress websites that hosted malicious PHP pages and would process all incoming credentials from the phishing victims, researchers said.

“While using a specialized infrastructure, the server would run for roughly two months with dozens of XYZ domains,” they noted. “These registered domains were used in the phishing attacks.”

The campaign also not only evaded Microsoft 365 ATP but also most anti-virus protections through its simple use of compromised servers. Attackers also continuously polished and refined their code to create “a more realistic experience so the victims were less likely to have their suspicions aroused, and more likely to provide their login credentials,” researchers noted.

Researchers provided the usual advice to people to avoid getting duped by phishing campaigns, such as reminding them to check domains carefully, be skeptical of unknown senders, think twice before accepting a “special offer,” and use different passwords for different online accounts. Indeed, that last point in particular is still a common mistake that even the most savvy of internet user makes, research has found.

Download our exclusive FREE Threatpost Insider eBook Healthcare Security Woes Balloon in a Covid-Era World, sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and DOWNLOAD the eBook now – on us!


Suggested articles