New Phishing Attack Exposed Login Credentials Through Google Search


With each day, month, and year that passes, it’s clear that cyberattacks are just not going away. Any business, person, or industry can be attacked at any given time. The latest is a phishing scam that attacked major industries, such as construction, and exposed login credentials through Google search.

Phishing Scam Exposed Through Google

Check Point Research alerted the world through a blog post that stolen login credentials from major industries were released on compromised WordPress domains. They were then discovered in the most public forum possible: Google search.

It all started with fraudulent emails that included employee names or titles in the subject line. The employees were from industries that include construction, IT, health care, real estate, and manufacturing. These emails mimicked Xerox/Xeros notifications that originated from a Linux server and were hosted on Microsoft Azure. Spam was also sent through email accounts that had earlier been compromised, lending the messages legitimacy.


HTML files containing embedded JavaScript code were attached to the emails. The code had just one goal: covert background checks of passwords. When it detected that login credentials had been entered, it harvested them and directed users to login pages.

“While this infection chain may sound simple, it successfully bypassed Microsoft Office 365 Advanced Threat Protection (ATP) filtering and stole over a thousand corporate employees’ credentials,” according to Check Point.

The hijacked websites included in this cyberattack were built on the WordPress CMS. Check Point explained that these domains were used as “drop-zone servers” to process the stolen login credentials.

After the login credentials were sent to the drop-zone servers, they were saved in files that were then indexed by Google, making them public. They were available to anyone through a search on Google. But the servers, which were linked to .XYZ domains, were only used for around two months.
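A mail-gateway check for the attachment pattern described above, as an added example that is not code from Check Point or from this article: it flags HTML attachments that combine script, a password field and a reference to a remote host. The function names, the sample message and the `drop-zone.example` host are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

class Traits(HTMLParser):
    """Records whether the HTML carries script and a password input."""
    def __init__(self):
        super().__init__()
        self.script = self.password = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script = True
        elif tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.password = True

def scan_html_attachments(raw: bytes):
    """Flag HTML attachments that combine script, a password field and a remote URL."""
    findings = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        name = (part.get_filename() or "").lower()
        is_html = part.get_content_type() == "text/html" or name.endswith((".htm", ".html"))
        if part.is_multipart() or not (part.is_attachment() and is_html):
            continue
        html = part.get_payload(decode=True).decode("utf-8", "replace")
        traits = Traits()
        traits.feed(html)
        hosts = sorted({urlparse(u).hostname for u in URL_RE.findall(html)} - {None})
        if traits.script and traits.password and hosts:
            findings.append({"file": name, "hosts": hosts})
    return findings

def build_sample() -> bytes:
    """Constructed message: one lure-shaped attachment, one harmless one."""
    lure = ('<html><body><form><input type="password" name="p"></form>'
            '<script>var endpoint = "https://drop-zone.example/save.php";</script>'
            '</body></html>')
    benign = "<html><body><script>console.log('hi')</script><p>Newsletter</p></body></html>"
    msg = EmailMessage()
    msg["Subject"] = "Scan for J. Doe (constructed sample)"
    msg.set_content("A new document was scanned.")
    msg.add_attachment(lure, subtype="html", filename="Scan.htm")
    msg.add_attachment(benign, subtype="html", filename="news.html")
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_html_attachments(build_sample()))
```

The check is a triage heuristic: obfuscated script can hide the remote URL, so a clean result does not clear an attachment.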


“Attackers usually prefer to use compromised servers instead of their own infrastructure because of the existing websites’ well-known reputations,” explained Check Point. “The more widely recognized a reputation is, the chances are higher that the email will not be blocked by security vendors.”

A Warning for the Future

Evidence that was discovered shows that this particular phishing scam may have been around for some time. An email from last August was compared with the recently discovered scam, and they had the same JavaScript encoding.

It all shows that we just can’t let our guard down. Major industries and any individual or business can be affected, and it can involve such tech giants as Google and WordPress. Nothing is ever safe when it comes to the Internet. Always be aware and take care of your information.
