SecurityBrief Asia logo
Story image

Thousands of stolen credentials end up on the internet by careless phishing scammers

A large-scale phishing campaign, where the attackers unintentionally left stolen credentials accessible to the public, has been discovered by Check Point Research and Otorio researchers.

The phishing campaign began in August of last year with emails that masqueraded as Xerox scan notifications. The emails prompted users to open a malicious HTML attachment that bypassed the Microsoft Office 365 Advanced Threat Protection (ATP) filtering. Over a thousand corporate employees’ credentials were stolen.

The attackers stored the stolen credentials in designated webpages on compromised servers. Google, which constantly indexes the internet, also indexed these webpages’ pages. In effect, the stolen credentials were available to anyone who can query Google for a stolen email address. In other words, with a simple Google search, anyone could have found the password to one of the compromised, stolen email addresses -  a gift to every opportunistic attacker.

Attack methodology

  • Attackers started by sending a malicious phishing email to potential victims, with attached HTML file.
  • By clicking the HTML file, the victims are prompt with a lookalike login page of popular brands, in this case Xerox.
  • Passwords and email addresses of victims who fall into the phishing attack, are sent and being stored on compromised servers in a text file.
  • While sitting on the compromised servers, waiting for the hackers to collect them, Google who constantly scans the internet, indexes the text files on those servers and makes them available through the Google Search engine.

“We tend to believe that when someone steals our passwords, the worst case scenario is that the information will be used by hackers who exchange them through the dark net," says Lotem Finkelsteen, head of threat intelligence, Check Point Software.

"But not in this case: anyone could have had access to the information stolen.

"The strategy of the attackers was to store stolen information on a specific webpage that they created. That way, after the phishing campaigns ran for a certain time, the attackers can scan the compromised servers for the respective webpages, collecting credentials to steal," he says. 

"The attackers didn’t think that if they are able to scan the internet for those pages -- Google can too. This was a clear operation security failure for the attackers.”

How to stay protected

  • Check the domain. Beware of lookalike domains, spelling errors in emails or websites, and unfamiliar email senders.
  • Be skeptical of unknown senders. Be cautious with files received via email from unknown senders, especially if they prompt for a certain action you would not usually do.
  • Use authentic sources, only. Ensure you are ordering goods from an authentic source. One way to do this is to NOT click on promotional links in emails, and instead, Google your desired retailer and click the link from the Google results page.
  • Think twice before a “special offer”. Beware of “special” offers that don’t appear to be reliable or trustworthy purchase opportunities.
  • Don’t reuse passwords. Make sure you do not reuse passwords between different applications and accounts.