The phishing scam had all the features except one

[Image: close-up of a laptop screen showing a username and password login window on a web page]

The criminals behind a recent phishing scam had put all the important pieces together. Malware that slipped past antivirus scanners: check. An email template that got past Microsoft Office 365 Advanced Threat Protection: check. A supply of high-reputation email accounts from which to send the scam messages: check.

It was a recipe that allowed the scammers to steal more than 1,000 credentials from corporate employees. There was only one problem: the scammers stored their hard-won passwords on public servers where anyone, including search engines, could (and did) index them.

“Interestingly, due to a simple error in their chain of attack, the attackers behind the phishing campaign exposed the credentials they had stolen to the public Internet, on dozens of drop-zone servers used by the attackers,” wrote researchers from security company Check Point in a post published Thursday. “With a simple Google search, anyone could have found the password to one of the stolen and compromised email addresses: a gift for all opportunistic attackers.”

Check Point researchers discovered the haul while investigating a phishing campaign that started in August. The scam arrived in emails purporting to come from Xerox (or, in some cases, “Xeros”). The emails were sent from addresses that, before being hijacked, had high reputation scores, which let them bypass many antispam and antiphishing defenses. Attached to the messages was a malicious HTML file that was not flagged by any of the 60 most widely used antimalware engines.

The email looked like this:

[Image: the phishing email. Credit: Check Point]

After clicking, the HTML file displayed a document that looked like this:

[Image: the fake document displayed by the HTML attachment. Credit: Check Point]

When recipients were tricked into logging in to the fake page, the scammers stored their credentials on dozens of compromised WordPress sites that had been turned into so-called drop zones. The arrangement made sense, since compromised legitimate sites would likely have a higher reputation score than sites owned by the attackers.

The attackers, however, failed to mark the drop-zone pages as off-limits to Google and other search engines. As a result, web searches were able to locate the data and lead security researchers to the cache of compromised credentials.

“We found that once user information was sent to the drop-zone servers, the data was saved in a publicly visible file that was indexable by Google,” Check Point’s Thursday post read. “This allowed anyone to access the stolen email address credentials with a simple Google search.”

Based on an analysis of around 500 of the compromised credentials, Check Point was able to compile a breakdown of the targeted industries.

Simple web searches show that some of the data stored on the drop-zone servers remained searchable at the time this post went live. Most of those passwords followed the same format, raising the possibility that the credentials did not belong to real-world accounts. Check Point’s discovery, however, is a reminder that, like so many other things on the Internet, stolen passwords are there for the taking.
