Criminals behind a recent phishing scam had gathered all the important pieces. Malicious software that bypassed antivirus.
It was a recipe that allowed scammers to steal more than 1,000 employees’ credentials. There was only one problem: the scammers stored their hard-won passwords on public servers where everyone, including search engines, could (and did) index them.
“Interestingly, due to a simple flaw in the attack chain, the attackers behind the phishing campaign exposed the credentials they had stolen to the public Internet, across several drop-zone servers used by the attackers,” wrote researchers from the security company Check Point in a post published Thursday. “With a simple Google search, anyone could have found the password of one of the compromised, stolen email addresses: a gift to any opportunistic attacker.”
Check Point researchers spotted the slip-up while investigating a phishing campaign that started in August. The scam arrived in emails purporting to come from Xerox or Xeros. The emails were sent from hijacked addresses whose previously high reputation scores let them bypass many antispam and antiphishing defenses. Each message carried a malicious HTML attachment that was not flagged by any of the 60 most commonly used antimalware engines.
The email looked like this:
After clicking, the HTML file displayed a document that looked like this:
When recipients fell for the lure and entered their login details into the fake page, the scammers stored the credentials on dozens of compromised WordPress sites that had been turned into so-called drop-zones. The arrangement made sense: compromised legitimate sites likely carried a higher reputation than any site the attackers had set up themselves.
However, the attackers failed to mark the drop-zone pages as off-limits to Google and other search engine crawlers. As a result, ordinary web searches surfaced the data and led security researchers to the cache of stolen credentials.
“We found that when users’ information was sent to the drop-zone servers, the data was stored in a publicly visible file that was indexable by Google,” read Thursday’s post from Check Point. “This gave everyone access to the stolen credentials of the email addresses with a simple Google search.”
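A defender-side check for the drop-zone pattern described above, added here as an example and not taken from Check Point or the article: it scans a WordPress web root for plain-text files that look like harvested-credential dumps and reports whether robots.txt even asks crawlers to skip them. The directory layout, file names, robots.txt contents and the `email:password` line format are constructed assumptions for the example.

```python
import re
import tempfile
from pathlib import Path

# One harvested login per line, e.g. "bob@example.invalid:Hunter2" (constructed format).
CRED_LINE = re.compile(r"^[\w.+-]+@[\w-]+(?:\.[\w-]+)+\s*[:;,|\t]\s*\S+$")
TEXT_EXT = (".txt", ".log", ".csv", ".dat")

def looks_like_credential_dump(path, min_lines=5, min_ratio=0.8):
    """True when a text file consists mostly of 'email<sep>password' lines."""
    try:
        lines = [l.strip() for l in path.read_text(errors="replace").splitlines() if l.strip()]
    except OSError:
        return False
    return len(lines) >= min_lines and sum(bool(CRED_LINE.match(l)) for l in lines) / len(lines) >= min_ratio

def disallowed_prefixes(web_root):
    """Disallow prefixes from robots.txt (crude: every agent block, no wildcards)."""
    robots = Path(web_root) / "robots.txt"
    if not robots.is_file():
        return []
    return [m.group(1) for m in re.finditer(r"(?im)^disallow:\s*(\S+)", robots.read_text())]

def find_drop_files(web_root):
    """Map URL path -> crawler-indexable for dump-like text files under web_root. Everything
    under the root is web-reachable; robots.txt only asks crawlers to skip a path, so False is less exposure, not protection."""
    root, found = Path(web_root), {}
    prefixes = disallowed_prefixes(root)
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in TEXT_EXT and looks_like_credential_dump(p):
            url_path = "/" + p.relative_to(root).as_posix()
            found[url_path] = not any(url_path.startswith(pre) for pre in prefixes)
    return found

def build_sample_root():
    """Constructed fake WordPress web root holding one fake credential dump."""
    root = Path(tempfile.mkdtemp())
    uploads = root / "wp-content" / "uploads" / "2020" / "08"
    uploads.mkdir(parents=True)
    (uploads / "notes.txt").write_text("Site launch notes\nTODO: fix the header image\n")
    (root / "wp-content" / "export.csv").write_text("id,name\n1,alice\n2,bob\n")
    dump = "\n".join(f"user{i}@example.invalid:Passw0rd{i}!" for i in range(12))
    (uploads / "data.txt").write_text(dump + "\n")  # fake logins, constructed values
    (root / "robots.txt").write_text("User-agent: *\nDisallow: /wp-admin/\n")
    return root

if __name__ == "__main__":
    for url_path, indexable in find_drop_files(build_sample_root()).items():
        print(f"{url_path}  indexable={indexable}")
```

Run against a real web root, any hit should be treated as a compromise indicator for that host, not merely a robots.txt omission.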
Based on the analysis of approximately 500 of the compromised credentials, Check Point was able to compile the following overview of the targeted industries.
Simple web searches show that some of the data stored on the drop-zone servers was still searchable at the time this post was published. Most of these passwords followed the same format, which meant that the credentials did not belong to real accounts. Still, Check Point’s discovery is a reminder that, like so many other things on the Internet, stolen passwords are ripe for the picking.