[BreachExchange] Attackers Leave Stolen Credentials Searchable on Google

[Destry Winant]

https://www.darkreading.com/endpoint/attackers-leave-stolen-credentials-searchable-on-google/d/d-id/1339948?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Operators behind a global phishing campaign inadvertently left
thousands of stolen credentials accessible via Google Search.

The attackers behind a summer 2020 phishing campaign accidentally
exposed the credentials they stole to the public Internet, where they
could be discovered with a simple Google search.

Last August, the operators launched a campaign with malicious emails
disguised as Xerox scan notifications, Check Point researchers report
in an analysis conducted alongside industrial cybersecurity firm
Otorio.

Recipients of these emails, which contained their first name or
company title in the subject line, were prompted to open an HTML
attachment. If the file was opened, a JavaScript code would run in the
background to conduct password checks, send the data to the attackers'
server, and redirect the victim to a legitimate Microsoft 365 login
page, where they could enter credentials.

It sounds like a simple infection chain, researchers note, but it
successfully bypassed Microsoft 365 Advanced Threat Protection and
stole more than 1,000 employee credentials.

Over the course of the campaign, attackers adjusted their code to make
the attack seem more realistic so victims wouldn't think twice about
entering their data. Simple techniques enabled them to evade most
antivirus vendors, as indicated by low detection rates, the report
states.

The attackers used specialized infrastructure and compromised
WordPress websites as drop-zone servers. The server would run for
about two months with dozens of XYZ domains, which were used in the
phishing attacks. Researchers found several compromised WordPress
servers that hosted the malicious PHP page and processed incoming
credentials from phishing victims.

When victims' data was sent to the drop-zone servers, it was saved in
a publicly visible file that could be indexed by Google. Anyone could
find the stolen information with a Google search.

Google's powerful search engine algorithm, built to index the Web, was
able to index the pages where attackers were temporarily storing
stolen credentials. Researchers informed Google of the incident; now
victims can search for their stolen data and change passwords as
needed.

With all this information freely available, researchers analyzed
roughly 500 stolen credentials and learned the greatest percentage of
victims (16.7%) worked in construction. Energy (10.7%), information
technology (6%), and healthcare (4.5%) followed as the most-affected
industries.

They also noticed similarities with other phishing activity they say
was likely conducted by the same group. These earlier campaigns had
similar tactics, techniques, and procedures (TTPs) to this one: In May
2020, a phishing email that "perfectly matched" the TTPs in this
campaign was designed to redirect the victim to a fraudulent Office
365 phishing page.

Red Flags to Watch For
Researchers urge readers to be wary of emails or communication from a
familiar organization that asks them to open a document or click a
link. They should be cognizant of lookalike domains, spelling errors,
unfamiliar senders, and actions a sender may not usually request.

Online shoppers should double-check they're ordering goods from a
legitimate source, they add. Instead of clicking links in promotional
emails, they should instead directly access the retailer's website.
Beware of so-called "special offers" that seem too good to be true,
researchers say, and add an extra layer of protection by using
different passwords across accounts.