Cybercriminals Exposed More than 1,000 Corporate Employee Credentials on the Internet


According to a warning from technology provider Check Point, cybercriminals behind a successful phishing scheme have exposed more than 1,000 corporate employee passwords on the Internet.

As part of a phishing scheme that kicked off in August 2020, targeting thousands of organisations worldwide, corporate account passwords were compromised.

The attackers were able to successfully circumvent Microsoft Office 365 Advanced Threat Protection (ATP) filtering as part of the operation, which allowed them to collect more than a thousand victims’ credentials.

According to Check Point, “across dozens of drop-zone servers used by the attackers,” the miscreants behind the operation made a common error that ultimately resulted in the stolen passwords being widely available on the Internet.

Because of that, to locate the passwords for the leaked, stolen email addresses, someone might have used Google search.

The assault began with phishing emails masquerading as Xerox alerts, aiming to draw victims to click on a malicious HTML link, resulting in a distorted picture being presented by the browser.

However, JavaScript code running in the background would execute password checks and transfer data to attacker-controlled drop-zone servers, during which the user would be routed to a valid Office 365 login page.

In an effort to prevent any doubt from the victims and to ensure that their exploits can evade detection by antivirus vendors, Check Point also states that the attackers constantly improved the code during the operation, providing a more practical experience.

The cybercriminals used both their own networks to host phishing attack domains, as well as hundreds of hacked WordPress websites used as drop-zone servers.

Attackers typically tend to use hacked servers because of the well-known reputations of the latest websites instead of their own networks. The more commonly known a credibility is, the greater the probability that security providers will not block the email,” explains Check Point.

The stolen data was contained in publicly available files until submitted to the drop-zone servers, hence indexable by Google, meaning that anybody may have found the stolen email address credentials via the popular search engine.

Check Point says it alerted Google about the issue, and “victims can now use Google search to search for their stolen credentials and change their passwords accordingly.”

While IT, healthcare, real estate, development, education, transportation, financial services, and retail organisations were also targeted, the initiative seems to have been specifically targeted at energy and construction firms.

The Strategies, Techniques, and Procedures (TTPs) research used in this campaign helped Check Point to detect a similar series of phishing attacks that were carried out in May 2020, but were diverted to another edition of the phishing page of Office 365.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.