Careless scammers leave stolen passwords exposed online

Hackers responsible for a large-scale phishing campaign unintentionally left over a thousand sets of stolen log-in credentials accessible to the public via a simple Google search.

The error was uncovered by researchers at Check Point. and Otorio. The stolen credentials were stored in designated web pages on compromised servers.

Google also indexed these pages as part of its regular web crawling which means the credentials were available to anyone who searched Google for a stolen email address.

"We tend to believe that when someone steals our passwords, the worst case scenario is that the information will be used by hackers who exchange them through the dark net," Lotem Finkelsteen, head of threat intelligence, Check Point Software says. "But not in this case: anyone could have had access to the information stolen. The strategy of the attackers was to store stolen information on a specific webpage that they created. That way, after the phishing campaigns ran for a certain time, the attackers can scan the compromised servers for the respective webpages, collecting credentials to steal. The attackers didn’t think that if they are able to scan the internet for those pages -- Google can too. This was a clear operation security failure for the attackers."

Over 1,000 sets of credentials were stolen in a phishing campaign which began in August of last year with emails that masqueraded as Xerox scan notifications. The emails prompted users to open a malicious HTML attachment that bypassed the Microsoft Office 365 Advanced Threat Protection (ATP) filtering.

You can read more on the Check Point blog.

Image credit: frank_peters / Shutterstock