Hackers Mistakenly Leave Over 1,000 Stolen Credentials Exposed Online


Saturday, January 23rd, 2021

While the attack is your typical phishing scam, the threat actors behind it left more than 1,000 stolen credentials available online via simple Google searches. Beginning in August of last year, the campaign used emails spoofing Xerox notifications to lure victims into clicking on malicious HTML attachments, and was first discovered by Check Point researchers.

The threat actors made a “simple mistake in their attack chain” that left the stolen credentials exposed to the “public internet, across dozens of drop-zone servers used by the attackers,” according to researchers. This meant that with a simple Google search, anyone would be able to find the stolen credentials. The attackers stored the stolen credentials in designated web pages on compromised servers, but because Google constantly indexes the internet, the search engine also indexed those pages, making the usernames and passwords available to anyone who happened to perform a Google search on a stolen email address.

This method of storing stolen data on compromised web servers allows the attackers to scan the internet and retrieve the stolen credentials; they just didn’t know that Google had beaten them to it.

The campaign started with an email using one of several phishing templates imitating a Xerox notification with the target’s first name or company title in the subject line. The email included an HTML file that, once clicked on, would prompt the user with a lookalike login page for Xerox.

“After the HTML file was launched, a JavaScript code would then run in the background of the document,” researchers wrote. “The code was responsible for simple password checks, sending the data to the attackers’ drop-zone server, and redirecting the user to a legitimate Office 365 login page.”

Drop-zone servers used by the campaign were dozens of WordPress websites that hosted malicious PHP pages and would process all incoming credentials from the phishing victims.
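The attachment behaviour described above (a standalone HTML file with a password field, a script that talks to an external drop-zone host, and a redirect to the real Office 365 login) can be turned into a simple triage heuristic for mail-gateway or sandbox output. The following is an added example, not code from Check Point or from this article; the sample attachment is constructed and reduced to placeholder fragments with an `example.invalid` host.

```python
import re
from html.parser import HTMLParser

# Constructed sample of a suspicious HTML attachment, reduced to the
# fragments the heuristic inspects (placeholder host; not a working page).
SAMPLE_ATTACHMENT = """<html><body>
<form id="login"><input type="email" name="user"><input type="password" name="pw"></form>
<script>
  // fragments only: external drop-zone host and redirect to the real login page
  var drop = "https://drop-zone.example.invalid/wp-content/uploads/proc.php";
  var next = "https://login.microsoftonline.com/";
</script>
</body></html>"""

class _Collector(HTMLParser):
    """Collects password inputs and inline script bodies from an HTML file."""
    def __init__(self):
        super().__init__()
        self.password_inputs = 0
        self.scripts = []
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1
        if tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)
LEGIT_LOGIN = {"login.microsoftonline.com", "login.live.com"}

def score_attachment(html):
    """Return a count of phishing indicators plus a human-readable list."""
    c = _Collector()
    c.feed(html)
    script = "\n".join(c.scripts)
    hosts = {h.lower() for h in URL_RE.findall(script)}
    external = sorted(hosts - LEGIT_LOGIN)
    indicators = []
    if c.password_inputs:
        indicators.append("password field inside a standalone HTML attachment")
    if external:
        indicators.append("inline script references external host(s): " + ", ".join(external))
    if hosts & LEGIT_LOGIN:
        indicators.append("inline script references the real Microsoft login URL (post-capture redirect)")
    return {"score": len(indicators), "indicators": indicators}
```

A score of 3 on a mail attachment is a strong candidate for quarantine and for checking whether the external host has already received credentials from other users.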
