The criminals behind the recently uncovered phishing scam had put together all the important pieces. Malware that bypassed antivirus: check. An email template that got past the checks of Microsoft Office 365 Advanced Threat Protection: check. Email accounts with good reputations from which to send the scam mail: check.
This is a way for crooks to steal the credentials of more than 1
Researchers from the security company Check Point wrote in an article published on Thursday: “Interestingly, due to a simple error in its attack chain, the attackers behind the phishing campaign exposed the credentials they had stolen to the public Internet, across dozens of drop-zone servers used by the attackers.” “With a simple Google search, anyone can find the password of a stolen email address: this is a gift for every opportunistic attacker.”
Researchers at Check Point discovered this while investigating a phishing campaign that began in August. The scam emails purported to come from Xerox (or Xeros). They were sent from addresses that had a high reputation before being hijacked, and those reputations let them bypass many anti-spam and anti-phishing defenses. Attached to the emails was a malicious HTML file that did not trigger any of the 60 most commonly used anti-malware engines.
The email looked like this:
After the attachment was clicked, the HTML file displayed a document like the one shown below:
When a recipient fell for the scam and logged in to the fake account, the scammers stored the credentials on dozens of WordPress sites that had been compromised and turned into so-called “drop zones.” This arrangement makes sense because the reputation score of a compromised site is likely to be higher than that of a site owned by the attacker.
However, the attackers failed to block Google and other search engines from indexing these sites. As a result, a web search could find the data and point security researchers to a cache of the leaked credentials.
“We found that once the user’s information is sent to the drop-zone server, the data is saved in a publicly visible file that Google can index,” Check Point wrote in its post on Thursday. “This allows anyone to access the stolen email address credentials through a simple Google search.”
Based on an analysis of approximately 500 stolen credentials, Check Point was able to break down the targeted industries as follows.
A simple web search shows that, at the time of publication, some of the data stored on the drop-zone servers could still be found. Most of these passwords follow the same format, so the credentials may not belong to real accounts. Still, Check Point’s findings are a reminder that, like many other things on the Internet, stolen passwords can be stolen again.