This phishing scam left thousands of stolen passwords exposed through Google search

A mistake on the part of the cyberattackers led to their discovery -- and that of the data they pillaged.
Written by Charlie Osborne, Contributing Writer

Operators of a phishing campaign targeting the construction and energy sectors exposed credentials stolen in attacks that were publicly viewable with a simple Google search. 

On Thursday, Check Point Research in partnership with Otorio published a blog post describing the campaign, in which stolen information was dumped on compromised WordPress domains. 

The recent phishing attack began with one of several fraudulent email templates and would mimic Xerox/Xeros scan notifications including a target company employee's name or title in the subject line. 

Also: Best VPNs • Best security keys • Best antivirus   

Phishing messages originated from a Linux server hosted on Microsoft Azure and were sent through PHP Mailer and 1&1 email servers. Spam was also sent through email accounts that had been previously compromised to make messages appear to be from legitimate sources. 

Attackers behind the phishing scam included an attached HTML file containing embedded JavaScript code that had one function: covert background checks of password use. When credential input was detected, they would be harvested and users would be sent to legitimate login pages. 

"While this infection chain may sound simple, it successfully bypassed Microsoft Office 365 Advanced Threat Protection (ATP) filtering and stole over a thousand corporate employees' credentials," Check Point says. 

The attackers' infrastructure includes a web of websites, backed by the WordPress content management system (CMS), that were hijacked. Check Point says that each domain was used as "drop-zone servers" for processing incoming, stolen credentials. 

However, once stolen user data was sent to these servers, it was saved in files that were public and were indexed by Google -- allowing anyone to view them through a simple search. 

Each server would be in action for roughly two months and would be linked to .XYZ domains that would be used in phishing attempts. 

"Attackers usually prefer to use compromised servers instead of their own infrastructure because of the existing websites' well-known reputations," the team noted. "The more widely recognized a reputation is, the chances are higher that the email will not be blocked by security vendors."

Based on a subset of roughly 500 stolen credentials, the researchers found a wide range of target industries, including IT, healthcare, real estate, and manufacturing. However, it appears that the threat actors have a particular interest in construction and energy. 


Check Point reached out to Google and informed them of the credential indexing. 

While attribution is often a challenge, a phishing email from August 2020 was compared with the latest campaign and was found to use the same JavaScript encoding, suggesting that the group behind this wave has been in operation for some time. 

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards