Google Indexed Stolen Data Because The Hackers Forgot To Secure Them

22/01/2021

One of the best ways to store information so that it can be retrieved remotely is to put it on the internet.

Hackers do that too: when they possess valuable stolen user data, they also want that data to be easily shared with those they choose to share it with.

In a massive phishing campaign that has been running for more than half a year using dozens of domains, hackers have been stealing sensitive information from organizations worldwide, by making fraudulent Microsoft Office 365 login requests.

The campaign has succeeded in bypassing email protection filters and has collected at least 1,000 login credentials for corporate Office 365 accounts.

The hackers have also compromised legitimate WordPress servers to host malicious PHP pages and deliver them to victims.

But unfortunately for the hackers, they forgot to protect their loot.

Since anything placed on the web has an address, their failure to protect the URL allowed Google Search to crawl and index the stolen passwords for the public internet.

[Image: example credentials format stored on a publicly available URL that is indexed by Google.]

In a blog post, researchers at the cybersecurity companies Check Point and Otorio said:

"Interestingly, due to a simple mistake in their attack chain, the attackers behind the phishing campaign exposed the credentials they had stolen to the public Internet, across dozens of drop-zone servers used by the attackers. With a simple Google search, anyone could have found the password to one of the compromised, stolen email addresses: a gift to every opportunistic attacker."

They said that the hackers exfiltrated the information to domains they had registered specifically for the job.

However, they made a mistake by putting the data in a publicly visible file that Google could index.

As a result, Google Search, whose crawlers constantly scan the web for new information, discovered this stash and showed it on its search engine results page for queries containing a stolen email address or password.

"Attackers usually prefer to use compromised servers instead of their own infrastructure because of the existing websites’ well-known reputations," the researchers explain.

On closer inspection of about 500 entries, the researchers found that the most prevalent targets of the phishing attacks were companies in the construction, energy, and IT sectors.

[Image: the phishing page.]

According to the researchers, the hackers used several phishing email themes to lure potential victims into loading the fraudulent landing pages that were specifically made to collect their Microsoft Office 365 username and password.

To make the phishing emails look legitimate and personalized, the hackers crafted them to include the target's first name or company title in the subject line, and purported to deliver a Xerox scan notification in HTML format.

When the attachment is opened in a web browser, a blurred image is overlaid with a fake Microsoft Office 365 login form. Meanwhile, JavaScript code runs in the background to check the validity of the credentials as the victims type.

If victims enter valid login credentials, the data is sent to the hackers' servers, and the page then redirects the victims to the legitimate Office 365 login page as a distraction.
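As an added example (not from the article or from the Check Point and Otorio research), here is a small Python triage check that a mail gateway or analyst could run over an incoming HTML attachment. It flags the three traits the article describes: a password field, a blurred background image, and inline script that references a host other than the genuine sign-in service. The trusted-host list and the two sample attachments are assumptions constructed for this demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts a genuine Microsoft sign-in would talk to (assumption for this demo).
TRUSTED_HOSTS = {"login.microsoftonline.com", "login.live.com"}

class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.password_inputs, self.blurred, self.scripts = 0, False, []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "password":
            self.password_inputs += 1
        if "blur(" in a.get("style", "").replace(" ", ""):
            self.blurred = True  # CSS blur on an element, as on the lure's "scan"
        self._in_script = tag == "script"

    def handle_endtag(self, tag):
        self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)  # inline script text, checked for URLs below

def untrusted_urls(texts):
    """URLs in the given strings whose host is not a trusted sign-in host."""
    urls = (u for t in texts for u in re.findall(r"https?://[^\s'\"<>()]+", t))
    return {u for u in urls if (urlparse(u).hostname or "") not in TRUSTED_HOSTS}

def triage_html(html):
    """Return the indicators present; all three together deserve an analyst's look."""
    c = _Collector()
    c.feed(html)
    hits = []
    if c.password_inputs:
        hits.append("password_field")
    if c.blurred:
        hits.append("blurred_overlay")
    if untrusted_urls(c.scripts):
        hits.append("script_references_untrusted_host")
    return hits

# Constructed samples: a lure-shaped page (blurred "scan", login form, script
# naming a drop-zone; the domain is made up) and a harmless notification.
LURE = """<img src="scan.jpg" style="filter: blur(6px)">
<form><input name="user"><input type="password" name="pass"></form>
<script>const DROP = "https://drop-zone.example/collect.php";</script>"""
BENIGN = '<p>Your scan is attached.</p><a href="https://login.microsoftonline.com/">Sign in</a>'
```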

To keep the campaign undetected, the hackers used compromised email accounts to distribute the fraudulent messages.

While the hackers behind this campaign aren't known, their blunder in protecting the stolen data thwarted their months-long effort.

"Google's search engine algorithm naturally indexes the internet, and that is what makes it the most popular search engine ever invented. Thanks to its powerful algorithm, it is also capable of indexing the hackers' pages where they temporarily store the stolen credentials. We informed Google of its indexing of the hackers' failures, and victims can now use Google search capabilities to look for their stolen credentials and change their passwords accordingly."