Passwords stolen via phishing campaign available through Google search

Pierluigi Paganini January 21, 2021

Bad ops of operators of a phishing campaign exposed credentials stolen in attacks and made them publicly available through Google queries. 

Check Point Research along with experts from cybersecurity firm Otorio shared details on their investigation into a large-scale phishing campaign that targeted thousands of global organizations.

The campaign has been active since August, the attackers used emails that masqueraded as Xerox scan notifications that were urging recipients into opening a malicious HTML attachment. This trick allowed the attackers to bypass Microsoft Office 365 Advanced Threat Protection (ATP) filtering and stole over a thousand corporate employees’ credentials.


The experts noticed that operators behind the phishing campaign focused on Energy and Construction companies, but they accidentally exposed credentials stolen in attacks that were publicly viewable with a simple Google search. 

Operators of a phishing campaign targeting the construction and energy sectors exposed credentials stolen in attacks that were publicly viewable with a simple Google search. 

“Interestingly, due to a simple mistake in their attack chain, the attackers behind the phishing campaign exposed the credentials they had stolen to the public Internet, across dozens of drop-zone servers used by the attackers. With a simple Google search, anyone could have found the password to one of the compromised, stolen email addresses:  a gift to every opportunistic attacker.” reads the post published by Check Point.

Once the victim double-clicked the HTML file, a blurred image with a preconfigured email within the document is opened in the browser.

Upon launching the HTML file, a JavaScript code will be executed in the background, it gathers the password, sends the data to the attackers’ server, and redirect the user to a legitimate Office 365 login page.

Phishers used both unique infrastructure and compromised WordPress websites used to store the stolen data.

“We discovered dozens of compromised WordPress servers that hosted the malicious PHP page (named “go.php”, “post.php”, “gate.php”, “rent.php” or “rest.php”) and processed all incoming credentials from victims of the phishing attacks.” continues the post.

“Attackers usually prefer to use compromised servers instead of their own infrastructure because of the existing websites’ well-known reputations. The more widely recognized a reputation is, the chances are higher that the email will not be blocked by security vendors”

The emails were sent from a Linux server hosted on Microsoft’s Azure, they were often sent by using PHP Mailer 6.1.5 and delivered using 1&1 email servers.

Attackers also sent out spam messages through compromised email accounts to make messages appear to be from legitimate sources. 

Data sent to the drop-zone servers were saved in a publicly visible file that was indexable by Google. This means that they were available to anyone with a simple Google search.

The analysis of a subset of ~500 stolen credentials revealed that victims belong to a wide range of target industries, including IT, healthcare, real estate, and manufacturing.

Check Point shared its findings with Google.

Experts noticed that the JavaScript encoding used in this campaign was the same used in another phishing campaign from May 2020, a circumstance that suggests that the group threat actor is behind the two campaigns.

The report also includes Indicators of Compromise (IoCs).

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, phishing)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment