Attackers Leave Stolen Credentials Searchable on Google

Operators behind a global phishing campaign inadvertently left thousands of stolen credentials accessible via Google Search.

Kelly Sheridan, Former Senior Editor, Dark Reading

January 21, 2021

3 Min Read
Dark Reading logo in a gray background | Dark Reading

The attackers behind a summer 2020 phishing campaign accidentally exposed the credentials they stole to the public Internet, where they could be discovered with a simple Google search. 

Last August, the operators launched a campaign with malicious emails disguised as Xerox scan notifications, Check Point researchers report in an analysis conducted alongside industrial cybersecurity firm Otorio. 

Recipients of these emails, which contained their first name or company title in the subject line, were prompted to open an HTML attachment. If the file was opened, a JavaScript code would run in the background to conduct password checks, send the data to the attackers' server, and redirect the victim to a legitimate Microsoft 365 login page, where they could enter credentials. 

It sounds like a simple infection chain, researchers note, but it successfully bypassed Microsoft 365 Advanced Threat Protection and stole more than 1,000 employee credentials.

Over the course of the campaign, attackers adjusted their code to make the attack seem more realistic so victims wouldn't think twice about entering their data. Simple techniques enabled them to evade most antivirus vendors, as indicated by low detection rates, the report states.

The attackers used specialized infrastructure and compromised WordPress websites as drop-zone servers. The server would run for about two months with dozens of XYZ domains, which were used in the phishing attacks. Researchers found several compromised WordPress servers that hosted the malicious PHP page and processed incoming credentials from phishing victims.

When victims' data was sent to the drop-zone servers, it was saved in a publicly visible file that could be indexed by Google. Anyone could find the stolen information with a Google search. 

Google's powerful search engine algorithm, built to index the Web, was able to index the pages where attackers were temporarily storing stolen credentials. Researchers informed Google of the incident; now victims can search for their stolen data and change passwords as needed. 

With all this information freely available, researchers analyzed roughly 500 stolen credentials and learned the greatest percentage of victims (16.7%) worked in construction. Energy (10.7%), information technology (6%), and healthcare (4.5%) followed as the most-affected industries.

They also noticed similarities with other phishing activity they say was likely conducted by the same group. These earlier campaigns had similar tactics, techniques, and procedures (TTPs) to this one: In May 2020, a phishing email that "perfectly matched" the TTPs in this campaign was designed to redirect the victim to a fraudulent Office 365 phishing page.

Red Flags to Watch For
Researchers urge readers to be wary of emails or communication from a familiar organization that asks them to open a document or click a link. They should be cognizant of lookalike domains, spelling errors, unfamiliar senders, and actions a sender may not usually request.

Online shoppers should double-check they're ordering goods from a legitimate source, they add. Instead of clicking links in promotional emails, they should instead directly access the retailer's website. Beware of so-called "special offers" that seem too good to be true, researchers say, and add an extra layer of protection by using different passwords across accounts.

About the Author

Kelly Sheridan

Former Senior Editor, Dark Reading

Kelly Sheridan was formerly a Staff Editor at Dark Reading, where she focused on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial services. Sheridan earned her BA in English at Villanova University. You can follow her on Twitter @kellymsheridan.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights