Hackers' Mistake makes Stolen Data became Available through Google

Hackers stole at least 1,000 logins and passwords for authorization in corporate Office 365 accounts.


Hackers, who attacked thousands of organizations around the world in a massive phishing campaign, forgot to protect their catch, as a result of which it became available through Google search.


The phishing campaign, which lasted more than half a year, used dozens of domains with fake Microsoft Office 365 authorization pages. Despite the use of very simple techniques, the attackers were able to successfully bypass security filters for emails, so they collected at least 1,000 logins and passwords for authorization in corporate Microsoft Office 365 accounts.


As found experts and Check Point Otorio, read this phishing campaign, hackers mistakenly stolen data made available through the open Internet. According to experts, the attackers saved the stolen information on domains specially registered for this, but placed the data in a publicly accessible file, and the Google search engine indexed it.


The researchers also found that the attackers had compromised legitimate WordPress servers in order to use them to host phishing PHP pages. As experts explained, cybercriminals prefer to use compromised servers instead of their own infrastructure due to the good reputation of compromised sites.


After examining information from about 500 records, the researchers were able to determine that companies in the construction sector (16.7%), energy (10.7%) and information technology (6.0%) were most often the victims of the phishing campaign.


In order to lure victims to fraudulent pages, cybercriminals used several themes in phishing emails. The subject field included the victim's name or company name, and the attachment contained a scanned HTML notification.


Opening an attachment through a default web browser displayed a blurry image overlaid with a fake Microsoft Office 365 login form. “This document is password protected. Please enter your password ”, - was reported in the authorization form. The username field was already filled in with the victim's email address, and the victim did not have any suspicions.


JavaScript code running in the background authenticated the victim's credentials, sent them to a server controlled by the attackers, and redirected the victim to the real authorization page in Microsoft Office 365 to distract attention.


To bypass the detection, the hackers sent out phishing emails from compromised mailboxes. For example, in one of the attacks, cybercriminals impersonated the German hosting provider IONOS by 1 & 1. Although the phishing campaign began in August 2020, researchers also found phishing emails dated May 2020.