This phishing scam left thousands of stolen passwords exposed through Google search

January 26, 2021


Operators of a phishing campaign targeting the construction and energy sectors exposed credentials stolen in attacks that were publicly viewable with a simple Google search.

On Thursday, Check Point Research in partnership with Otorio published a blog post describing the campaign, in which stolen information was dumped on compromised WordPress domains.

The recent phishing attack began with one of several fraudulent email templates and would mimic Xerox/Xeros scan notifications including a target company employee's name or title in the subject line.

Phishing messages originated from a Linux server hosted on Microsoft Azure and were sent through PHP Mailer and 1&1 email servers. Spam was also sent through email accounts that had been previously compromised to make messages appear to be from legitimate sources.

Attackers behind the phishing scam included an attached HTML file containing embedded JavaScript code that had one function: covert background checks of password use. When credential input was detected, they would be harvested and users would be sent to legitimate login pages.

"While this infection chain may sound simple, it successfully bypassed Microsoft Office 365 Advanced Threat Protection (ATP) filtering and stole over a thousand corporate employees' credentials," Check Point says.

The attackers' infrastructure includes a web of websites, backed by the WordPress content management system (CMS), that were hijacked. Check Point says that each domain was used as "drop-zone servers" for processing incoming, stolen credentials.

However, once stolen user data was sent to these servers, it was saved in files that were public and were indexed by Google -- allowing anyone to view them through a simple search.

Each server would be in action for roughly two months and would be linked to .XYZ domains that would be used in phishing attempts.

"Attackers usually prefer to use compromised servers instead of their own infrastructure because of the existing websites' well-known reputations," the team noted. "The more widely recognized a reputation is, the chances are higher that the email will not be blocked by security vendors."

Based on a subset of roughly 500 stolen credentials, the researchers found a wide range of target industries, including IT, healthcare, real estate, and manufacturing. However, it appears that the threat actors have a particular interest in construction and energy.

Check Point reached out to Google and informed them of the credential indexing.

While attribution is often a challenge, a phishing email from August 2020 was compared with the latest campaign and was found to use the same JavaScript encoding, suggesting that the group behind this wave has been in operation for some time.