Enterprise Credentials Publicly Exposed by Cybercriminals

Cybercriminals behind a successful phishing campaign have exposed more than 1,000 corporate employee credentials on the Internet, according to a warning from security vendor Check Point.

The corporate account credentials were stolen as part of a phishing campaign that kicked off in August 2020, targeting thousands of organizations worldwide.

As part of the campaign, the attackers were able to successfully bypass Microsoft Office 365 Advanced Threat Protection (ATP) filtering, which allowed them to harvest more than a thousand credentials from victims.

According to Check Point, the miscreants behind the campaign made a simple mistake that eventually resulted in the stolen credentials being publicly accessible on the Internet, “across dozens of drop-zone servers used by the attackers.”

Because of that, anyone could have used Google search to find the passwords for the compromised, stolen email addresses.

The attack started with phishing emails masquerading as Xerox notifications, attempting to lure victims into clicking on a malicious HTML attachment, which resulted in the browser displaying a blurred image.

JavaScript code running in the background, however, would perform password checks and send data to drop-zone servers controlled by the attackers, after which it would redirect the victim to a legitimate Office 365 login page.

Check Point also notes that the attackers continuously refined the code throughout the campaign, creating a more realistic experience, in an attempt to avoid any kind of suspicion from the victims and to ensure that their attacks can evade detection by antivirus vendors.

The cybercriminals employed both their own infrastructure to host domains used in the phishing attacks, and dozens of compromised WordPress websites that were used as drop-zone servers.

“Attackers usually prefer to use compromised servers instead of their own infrastructure because of the existing websites’ well-known reputations. The more widely recognized a reputation is, the chances are higher that the email will not be blocked by security vendors,” Check Point explains.

Once sent to the drop-zone servers, the stolen data was saved in files that were publicly accessible, thus indexable by Google, meaning that anyone could have located the stolen email address credentials via the popular search engine.

Check Point says it informed Google on the issue, and “victims now can use Google search capabilities to look for their stolen credentials and change their passwords accordingly.”

The campaign appears to have been mainly targeted at energy and construction companies, though IT, healthcare, real estate, manufacturing, education, transportation, financial services, and retail organizations were also targeted.

Analysis of the Tactics, Techniques, and Procedures (TTPs) employed in this campaign has allowed Check Point to identify a similar set of phishing attacks, carried out in May 2020, but which redirected to another version of an Office 365 phishing page.

Related: FINRA Warns Brokerage Firms of Phishing Campaign

Related: The Evolution of Phishing: Welcome “Vishing”

Related: Phishing Attacks: Best Practices for Not Taking the Bait