Phishing scam had all the bells and whistles—except for one

The query window for username and password on a webpage can be seen on the monitor of a laptop. (credit: Jens Büttner/picture alliance via Getty Images)

Criminals behind a recent phishing scam had assembled all the important pieces. Malware that bypassed antivirus—check. An email template that got around Microsoft Office 365 Advanced Threat Protection—check. A supply of email accounts with strong reputations from which to send scam mails—check.

It was a recipe that allowed the scammers to steal more than 1,000 corporate employee credentials. There was just one problem: the scammers stashed their hard-won passwords on public servers where anyone—including search engines—could (and did) index them.

“Interestingly, due to a simple mistake in their attack chain, the attackers behind the phishing campaign exposed the credentials they had stolen to the public Internet, across dozens of drop-zone servers used by the attackers,” researchers from security firm Check Point wrote in a post published Thursday. “With a simple Google search, anyone could have found the password to one of the compromised, stolen email addresses: a gift to every opportunistic attacker.”

Source : https://arstechnica.com/?p=1736622