Hackers that attacked thousands of organizations around the world in a massive phishing campaign, forgot to protect their catch, as a result of which the stolen data became available through a Google search.
The phishing campaign, which lasted more than half a year, used dozens of domains with fake Microsoft Office 365 authorization pages. Despite the use of very simple techniques, the attackers were able to successfully bypass security filters for emails, so they collected at least 1,000 logins and passwords for authorization in corporate Microsoft Office 365 accounts.Let me remind you that even the hacked Oxford server was used for phishing attacks on Office 365.
Check Point and Otorio, who studied the phishing campaign, discovered that the hackers mistakenly made the stolen data available over the open Internet.
“The attackers saved the stolen information on domains specially registered for this, but placed the data in a publicly accessible file, and the Google search engine indexed it”, – said the experts.
The researchers also found that the attackers had compromised legitimate WordPress servers in order to use them to host phishing PHP pages. As experts explained, cybercriminals prefer to use compromised servers instead of their own infrastructure due to the good reputation of compromised sites.
After examining information from about 500 records, the researchers were able to determine that companies in the construction sector (16.7%), energy (10.7%) and information technology (6.0%) were main victims of the phishing campaign.
“In order to lure victims to fraudulent pages, cybercriminals used several themes in phishing emails. The subject field included the victim’s name or company name, and the attachment contained a scanned HTML notification”, – said Check Point and Otorio experts.
Opening an attachment through a default web browser displayed a blurry image overlaid with a fake Microsoft Office 365 login form.
“This document is password protected. Please enter your password”, – was reported in the authorization form. The username field was already filled in with the victim’s email address, and the victim did not have any suspicions.
JavaScript code running in the background authenticated the victim’s credentials, sent them to a server controlled by the attackers, and redirected the victim to the real authorization page in Microsoft Office 365 to distract attention.
To bypass the detection, the hackers sent out phishing emails from compromised mailboxes. For example, in one of the attacks, the cybercriminals impersonated the German hosting provider IONOS by 1&1. Although the phishing campaign began in August 2020, researchers also found phishing emails dated May 2020.
Let me also remind you that the famous Twitter hackers used targeted phone phishing.