A phishing campaign’s collateral damage: Stolen passwords were publicly searchable

The attackers made a mistake by not securing files once they were posted to sites set up to receive stolen data, say researchers from Check Point and Otorio.
login, password, credentials, email, phishing
(Getty Images)

A phishing campaign that targeted multiple industrial sectors in 2020 was messier than the average cybercrime operation.

The perpetrators stole more than a thousand sets of credentials from corporate employees and then accidentally exposed that data on the public internet, according to a blog post from cybersecurity firm Check Point.

The attackers made a “simple mistake in their attack chain,” the researchers said, by not securing the files once they were posted to sites set up to receive stolen data.

The end result was an otherwise successful hacking operation that could have been undercut by sloppiness: A victim or an identity theft prevention system could have stumbled upon the breached data; or another set of crooks could have found the stolen credentials before the original attackers had a chance to sell or use them.


“We found that once the users’ information was sent to the drop-zone servers, the data was saved in a publicly visible file that was indexable by Google,” Check Point said. “This allowed anyone access to the stolen email address credentials with a simple Google search.”

Check Point does not attribute the phishing efforts to any group, but notes that the perpetrators were able to avoid detection by Microsoft Office 365 Advanced Threat Protection and other antivirus tools. The campaign began in August 2020 but shared similarities to a phishing email discovered in May, the researchers said.

Targets included companies in the construction and energy sectors, and to a lesser extent, information technology (IT), real estate and health care companies. Otorio, an Israel-based industrial cybersecurity company, partnered with Check Point on the research.

The attackers sent emails that masqueraded as notifications from Xerox scanners, prompting recipients to open a malicious HTML attachment that looked like a proper login page but was built to harvest credentials.

“Throughout the campaign, the code was continuously polished and refined, with the attackers creating a more realistic experience so the victims were less likely to have their suspicions aroused, and more likely to provide their login credentials,” Check Point said.


The command-and-control servers were .xyz domains that were unique to the operation, the researchers said, and the drop-zone servers were generally WordPress sites that had been compromised with a malicious PHP page.

Latest Podcasts