Attackers behind a recently discovered phishing campaign have unintentionally left more than 1,000 stolen credentials available online via simple Google searches, researchers have found.

The campaign, which began in August 2020, used e-mails that spoof notifications from Xerox scans to lure victims into opening malicious HTML attachments, according to a report from Check Point Research released Thursday. Check Point worked with security firm Otorio to uncover the campaign, which managed to bypass Microsoft Office 365 Advanced Threat Protection (ATP) filtering to steal more than 1,000 corporate credentials, researchers said.

While this in and of itself is not atypical of phishing campaigns, the attackers made a “simple mistake in their attack chain” that left the credentials they had stolen exposed to the “public Internet, across dozens of drop-zone servers used by the attackers,” researchers said. Usually credentials are the crown jewels of an attack, something threat actors keep for themselves so they can sell them on the dark web for profit or use them for their own purposes. In this campaign, however, “with a simple Google search, anyone could have found the password to one of the compromised, stolen email addresses: a gift to every opportunistic attacker,” researchers wrote. This is because the attackers stored the stolen credentials in designated webpages on compromised servers, said Lotem Finkelsteen, head of threat intelligence for Check Point Software….
Our Standard Office Hours
Monday – Friday: 8:00AM – 5:00PM EDT
Saturday – Sunday: Closed
Where to Find Us
205 Rockingham Row, Princeton, NJ 08540
315 West 36th Street, New York, NY 10018
(212) 696-0500
hello@govanguard.com
PGP: 0xE5D39775A0C6351B
For more information about PGP please see “What PGP is, and why You should use it”.
Data Privacy Notice
Content Notice
- All product names, logos, and brands are property of their respective owners.
- The use of these names, logos, and brands is for identification purposes only and does not imply endorsement.
- Content syndication and aggregation of public information is solely for the purpose of identifying information security trends; all syndicated content contains source links to the content creator's website. All content is owned by its respective content creators.
- If you are an owner of some content and want it to be removed, please email hello@gvit.com