- Joined
- Jun 13, 2020
- Messages
- 7,907
- Reaction score
- 943
- Points
- 212
- Awards
- 2
Hackers have stolen at least 1,000 logins and passwords for logging into corporate accounts in Office 365. The
hackers, who attacked thousands of organizations around the world in a massive phishing campaign, forgot to protect their catch, and as a result it became available through Google search.
The phishing campaign, which lasted more than half a year, used dozens of domains with fake Microsoft Office 365 authorization pages. Despite the use of very simple techniques, the attackers were able to successfully bypass security filters for emails, so they collected at least 1,000 logins and passwords for authorization in corporate Microsoft Office 365 accounts.
Check Point and Otorio, who studied the phishing campaign, discovered that the hackers mistakenly made the stolen data available over the open Internet. According to experts, the attackers saved the stolen information on domains specially registered for this, but placed the data in a publicly accessible file, and the Google search engine indexed it.
The researchers also found that the attackers had compromised legitimate WordPress servers in order to use them to host phishing PHP pages. As experts explained, cybercriminals prefer to use compromised servers instead of their own infrastructure due to the good reputation of compromised sites.
After examining information from about 500 entries, the researchers were able to determine that the victims of the phishing campaign were most often companies in the construction sector (16.7%), energy (10.7%) and information technology (6.0%).
In order to lure victims to fraudulent pages, cybercriminals used several themes in phishing emails. The subject field included the victim's name or company name, and the attachment contained a scanned HTML notification.
Opening an attachment through a default web browser displayed a blurry image overlaid with a fake Microsoft Office 365 login form. “This document is password protected. Please enter your password ”, - was reported in the authorization form. The username field was already filled in with the victim's email address, and the victim did not have any suspicions.
JavaScript code running in the background authenticated the victim's credentials, sent them to a server controlled by the attackers, and redirected the victim to the real authorization page in Microsoft Office 365 to distract attention.
To bypass the detection, the hackers sent out phishing emails from compromised mailboxes. For example, in one of the attacks, cybercriminals impersonated the German hosting provider IONOS by 1 & 1. Although the phishing campaign began in August 2020, researchers also found phishing emails dated May 2020.
hackers, who attacked thousands of organizations around the world in a massive phishing campaign, forgot to protect their catch, and as a result it became available through Google search.
The phishing campaign, which lasted more than half a year, used dozens of domains with fake Microsoft Office 365 authorization pages. Despite the use of very simple techniques, the attackers were able to successfully bypass security filters for emails, so they collected at least 1,000 logins and passwords for authorization in corporate Microsoft Office 365 accounts.
Check Point and Otorio, who studied the phishing campaign, discovered that the hackers mistakenly made the stolen data available over the open Internet. According to experts, the attackers saved the stolen information on domains specially registered for this, but placed the data in a publicly accessible file, and the Google search engine indexed it.
The researchers also found that the attackers had compromised legitimate WordPress servers in order to use them to host phishing PHP pages. As experts explained, cybercriminals prefer to use compromised servers instead of their own infrastructure due to the good reputation of compromised sites.
After examining information from about 500 entries, the researchers were able to determine that the victims of the phishing campaign were most often companies in the construction sector (16.7%), energy (10.7%) and information technology (6.0%).
In order to lure victims to fraudulent pages, cybercriminals used several themes in phishing emails. The subject field included the victim's name or company name, and the attachment contained a scanned HTML notification.
Opening an attachment through a default web browser displayed a blurry image overlaid with a fake Microsoft Office 365 login form. “This document is password protected. Please enter your password ”, - was reported in the authorization form. The username field was already filled in with the victim's email address, and the victim did not have any suspicions.
JavaScript code running in the background authenticated the victim's credentials, sent them to a server controlled by the attackers, and redirected the victim to the real authorization page in Microsoft Office 365 to distract attention.
To bypass the detection, the hackers sent out phishing emails from compromised mailboxes. For example, in one of the attacks, cybercriminals impersonated the German hosting provider IONOS by 1 & 1. Although the phishing campaign began in August 2020, researchers also found phishing emails dated May 2020.