Cyber criminals who had stolen user credentials in phishing campaigns accidentally left thousands of passwords exposed on the internet, accessible to the public via a simple Google search.
The trove of stolen data was uncovered by a joint team at Check Point Research and Otorio, which ascertained the data originated via a phishing email campaign masquerading as notifications sent by Xerox scanners.
The campaign emails prompted users to open a malicious HTML attachment which bypassed Microsoft Office 365’s Advanced Threat Protection filters. The campaign took place in August 2020, targeting the construction and energy sectors.
Rather than keeping the harvested credentials private, the attackers stored them in designated webpages on compromised servers that were not only reachable from the internet, but also indexed by Google.
Effectively, this meant the stolen credentials were available to anybody who queried Google for one of the email addresses associated with them – a gift to any opportunistic attackers who happened upon them.
“We tend to believe that when someone steals our passwords, the worst-case scenario is that the information will be used by hackers who exchange them through the dark net. But not in this case – anyone could have had access to the information stolen,” said Check Point head of threat intelligence Lotem Finkelsteen.
“The strategy of the attackers was to store stolen information on a specific webpage they had created. That way, after the phishing campaigns ran for a certain time, the attackers could scan the compromised servers for the respective webpages, collecting credentials to steal.
“The attackers didn’t think that if they were able to scan the internet for those pages, Google could too. This was a clear operation security failure for the attackers,” said Finkelsteen.
The lessons of this incident are twofold: it is a timely reminder for security teams to pay closer attention to basic operational security when handling any kind of data, and to safeguard users against phishing attacks – after all, none of the data would have leaked if nobody at the target organisations had opened the suspicious email attachments in the first place.
As ever, the advice to users is easy to follow:
- Check domains, being wary of lookalike domains, spelling errors in emails or websites, or unfamiliar email senders.
- Be sceptical of unknown senders and cautious with any files they might send you, especially if they prompt action on your part.
- Use authentic sources – accessed via a search engine rather than clicking on a link in an email – to get what you need.
- Beware of special offers, particularly those that don’t look like reliable or trustworthy opportunities, or anything that seems too good to be true.
- Finally, do not re-use passwords between different online applications and accounts.
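The first item in the list above (checking for lookalike domains) is the one users most often get wrong, because a domain such as a zero-for-o substitution is easy to miss by eye. The following Python snippet is an added illustration of how a mail filter or user-awareness tool could flag a sender domain that merely resembles a trusted one; it is not code from the original article or from Check Point or Otorio. The trusted-domain list, the homoglyph table, the distance threshold and the sample addresses are all constructed for the example.

```python
"""Flag e-mail sender domains that look like, but are not, a trusted domain.

Added example: the allowlist, homoglyph table and thresholds are constructed
assumptions, not values taken from the article.
"""
from __future__ import annotations

# Constructed allowlist: domains this organisation genuinely expects mail from.
TRUSTED_DOMAINS = {"xerox.com", "example-corp.com", "microsoft.com"}

# Character substitutions commonly used to imitate a domain (constructed table).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

# Maximum edit distance at which a domain is still treated as a near-miss.
MAX_DISTANCE = 2


def normalize(domain: str) -> str:
    """Lower-case the domain and undo the common homoglyph substitutions."""
    d = domain.strip().lower().rstrip(".")
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def registrable_domain(domain: str) -> str:
    """Crude registrable-domain extraction: keep the last two labels."""
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted: set[str] = TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike', 'unknown' or 'invalid' for a sender address.

    'lookalike' covers three cases: a trusted name used as a subdomain of some
    other registrable domain, a homoglyph-substituted copy, and a near-miss
    spelling within MAX_DISTANCE edits.
    """
    if "@" not in address:
        return "invalid"
    raw_domain = address.rsplit("@", 1)[1].strip().lower().rstrip(".")
    trusted_lower = {t.lower() for t in trusted}

    # Exact match on the registrable domain (so mail.xerox.com is still trusted).
    if registrable_domain(raw_domain) in trusted_lower:
        return "trusted"

    # Trusted name smuggled in as a leading label: xerox.com.attacker-controlled.example
    if any(raw_domain.startswith(t + ".") for t in trusted_lower):
        return "lookalike"

    # Homoglyph copy: after normalisation it collapses onto a trusted domain.
    candidate = registrable_domain(normalize(raw_domain))
    trusted_norm = {normalize(t) for t in trusted_lower}
    if candidate in trusted_norm:
        return "lookalike"

    # Near-miss spelling (extra, missing or swapped character).
    if any(edit_distance(candidate, t) <= MAX_DISTANCE for t in trusted_norm):
        return "lookalike"

    return "unknown"


if __name__ == "__main__":
    # Constructed sample senders, modelled on the scanner-notification lure.
    for sample in [
        "alerts@xerox.com",
        "alerts@notify.xerox.com",
        "scanner@xer0x.com",
        "scanner@xeroxx.com",
        "scanner@xerox.com.scan-portal.example",
        "bob@totally-unrelated.example",
    ]:
        print(f"{sample:45} -> {classify_sender(sample)}")
```

The check is deliberately conservative: a domain that merely shares a word with a trusted one is reported as "unknown", not "lookalike", so the result is a prompt for the reader to verify the sender through an authentic channel rather than an automatic verdict. The two-label registrable-domain heuristic is a simplification; a production filter would use the public suffix list so that names under multi-label suffixes are handled correctly.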