Cyber Criminals Leave Stolen Phishing Credentials in Plain Sight

Introduction

Cyber-crime is a complex landscape, but when it comes to actually launching cyber-attacks, there are three main techniques that criminals have relied on for decades to help them get around organizations’ defenses and into their networks:  phishing, credentials theft and business email compromise.  According to Verizon’s Data Breach Investigation Report, these ‘big three’ are the cause over two-thirds (67%) of all successful data breaches globally.

Check Point Research recently joined forces with Otorio to analyze and take a deep dive into a large scale phishing campaign that targeted thousands of global organizations, revealing the campaign’s overall infection chain, infrastructure and how the emails were distributed.

In August, attackers initiated a phishing campaign with emails that masqueraded as Xerox scan notifications, prompting users to open a malicious HTML attachment. While this infection chain may sound simple, it successfully bypassed Microsoft Office 365 Advanced Threat Protection (ATP) filtering and stole over a thousand corporate employees’ credentials.

Interestingly, due to a simple mistake in their attack chain, the attackers behind the phishing campaign exposed the credentials they had stolen to the public Internet, across dozens of drop-zone servers used by the attackers. With a simple Google search, anyone could have found the password to one of the compromised, stolen email addresses:  a gift to every opportunistic attacker.

Figure 1: Personalized HTML Phishing file example

Infection Chain

The initial attack started with one of several phishing email templates. The attacker would send an email imitating a Xerox (or Xeros) scan notification with the target’s first name or company title in the subject line.

Figure 2: Phishing email example

Once the victim double-clicked the attached HTML file, the default system browser displayed a blurred image with a preconfigured email within the document (see figure 1 above).

Throughout the campaign several other phishing page variants were used, but the blurred background image remained the same.

After the HTML file was launched, a JavaScript code would then run in the background of the document. The code was responsible for simple password checks, sending the data to the attackers’ drop-zone server, and redirecting the user to a legitimate Office 365 login page.

Figure 3: C&C address for exfiltration

Figure 4: Password verification process and redirection

Throughout the campaign, the code was continuously polished and refined, with the attackers creating a more realistic experience so the victims were less likely to have their suspicions aroused, and more likely to provide their login credentials.

By using simple techniques, the attackers were also successful in evading detection by most Anti-Virus vendors, as can be seen from the following detection rates from the latest iteration of the campaign:

Figure 5: Low detection rates for the phishing pages on VirusTotal

Infrastructure

This campaign utilized both unique infrastructure, and compromised WordPress websites that were used as drop-zone servers by the attackers.

While using a specialized infrastructure, the server would run for roughly two months with dozens of XYZ domains. These registered domains were used in the Phishing attacks.

Figure 6: Passive total domains-per-day view for drop-zone server 45.88.3.233

Figure 7: Example drop-zone domains used for phishing attacks

We discovered dozens of compromised WordPress servers that hosted the malicious PHP page (named “go.php”, “post.php”, “gate.php”, “rent.php” or “rest.php”) and processed all incoming credentials from victims of the phishing attacks.

Attackers usually prefer to use compromised servers instead of their own infrastructure because of the existing websites’ well-known reputations. The more widely recognized a reputation is, the chances are higher that the email will not be blocked by security vendors.

Email Distribution

Analyzing the different email headers used in this campaign allowed us to draw several conclusions regarding the Tactics Techniques & Procedures (TTPs) used by the attackers:

  • The emails are sent from a Linux server hosted on Microsoft’s Azure
  • The emails are often sent by using PHP Mailer 6.1.5 (latest version from Mar 19 to May 27)
  • The emails are delivered using 1&1 email servers

Attackers used compromised email accounts to distribute spam through high-reputation phishing campaigns because the emails are harder to block. In one specific campaign, we found a phishing page impersonating IONOS by 1&1, a German web hosting company. It is highly likely that the compromised IONOS account credentials were used by the attackers to send the rest of the Office 365 themed spam.

Figure 8: Alternative Phishing page

Targeted Organizations

We found that once the users’ information was sent to the drop-zone servers, the data was saved in a publicly visible file that was indexable by Google. This allowed anyone access to the stolen email address credentials with a simple Google search.

Figure 9: Example credentials format stored on a publicly available URL

The public availability of this data allowed us to create a breakdown of the victims according to their industry (based on a subset of ~500 stolen credentials).

Figure 10: Distribution of targets by industry

Although there was a wide distribution of targeted industries, there appears to be a special interest in Energy and Construction companies.

Previous Campaigns

We found several correlations to previous phishing activity by comparing the campaign’s TTPs. Due to the similarities, these activities were likely executed by the same attacker or group of attackers.

Figure 11: Email from a previous campaign

We discovered a phishing email from May 2020 that perfectly matched the TTP’s described above. It also used the same JavaScript encoding that was used by this campaign in August.

Figure 12: First lines of the Phishing page compared

In this older scenario, the script redirected the user to another variant of an Office 365 phishing page that was not entirely encoded within the initial HTML file.

Figure 13: Phishing page from an older campaign via Urlscan

Google search engine algorithm naturally indexes the internet, and that is what makes it the most popular search engine ever invented. Thanks to its powerful algorithm, it also capable of indexing the hackers pages where they temporarily store the stolen credentials. We informed Google for them indexing the hackers’ failures and victims now can use Google search capabilities to look for their stolen credentials and change their passwords accordingly.

The XYZ Registry’s Anti-Abuse Team suspended the associated .xyz domains immediately upon receiving this information from Check Point and confirming the abuse.

Conclusion

Our analysis of this campaign highlights the efforts that attackers will make to conceal their malicious intentions, bypass security filtering and trick users. To protect yourself against this type of attack, be suspicious of any email or communication from a familiar brand or organization that asks you to click on a link or open an attached document. Here are some practical tips to help keep your data safe:

  1. Beware of lookalike domains, spelling errors in emails or websites, and unfamiliar email senders.
  2. Be cautious with files received via email from unknown senders, especially if they prompt for a certain action you would not usually do.
  3. Ensure you are ordering goods from an authentic source. One way to do this is to NOT click on promotional links in emails, and instead, Google your desired retailer and click the link from the Google results page.
  4. Beware of “special” offers that don’t appear to be reliable or trustworthy purchase opportunities.
  5. Make sure you do not reuse passwords between different applications and accounts.

Organizations should prevent zero-day attacks with an end-to-end cyber architecture, to block deceptive phishing sites and provide alerts on password reuse in real time. Check Point Infinity is effective because it combines two key ingredients: full convergence across all attack surfaces and all attack vectors, and advanced prevention that can tackle the most sophisticated zero-day phishing and account takeover attacks.

Indicators of Compromise

C&C domains registered by the attacker

aauths[.]xyz

asklogzswq[.]xyz

bdqopt[.]xyz

drakovexlogz[.]xyz

hrekre[.]xyz

ionlineforyou[.]xyz

itsthebestasajob[.]xyz

khetwexw[.]xyz

livestrde28[.]xyz

loggsofice[.]xyz

manonwork[.]xyz

officeautonow[.]xyz

officednslogsonline[.]xyz

quantityscape[.]xyz

redirectitto[.]xyz

rhbreeef[.]xyz

sendlivofse[.]xyz

shlivemicrosft[.]xyz

synchoilas[.]xyz

urentr[.]xyz

vintageredwe[.]xyz

wegoforyou[.]xyz

weworkhard[.]xyz

workingoni[.]xyz

zixzanwe[.]xyz

mtietw[.]xyz

justgoturwork[.]xyz

froffisse[.]xyz

Recent C&C pages on compromised servers

http://corp.uber24[.]ru/php/go.php

https://aparthotelgeres[.]pt/wp-content/plugins/1/post.php

https://expendiatus[.]xyz/post.php

https://ifultech[.]com/1/post.php

https://www.aascarrierinc[.]com/wp-includes/SimplePie/Decode/HTML/rest.php

https://silverstream-london[.]com/1/post.php

https://actorsstudio.com[.]np/wp-admin/includes/1/post.php

http://365itsos.com[.]au/wp-admin/includes/rent.php

https://www.skyblue-network[.]com/wp-includes/images/go.php

https://www.kayakingfloridakeys[.]com/wp-admin/rent.php

https://easimedic[.]com/1/post.php

https://www.aascarrierinc[.]com/wp-includes/SimplePie/Decode/HTML/rest.php

HTML Phishing pages

SHA-1:

e76eb571068c195444d0e23cbdc35fba19a95e0c

9fc656e03703994d5f144457d020db5b06469abc

79d4464c7325feb38a02726b049d6cce3d747627

44c05f4b2bb0787a9c2fcf7c36e1dab457fbe370

c1ec15c712c29dcac08660fddb0da71e94b3d04a

4933bd2fa4c9a3ea30ac479a738ebcdfb488044f

d098f6473f2f6bfd8e3f2f14dd56adc969e76725

a8e817fa63fe2c5bf0273f63f2267b61ce89de72

37713a64ffd1b126f8a4809e94faf9cd72538974

53c4ccab781d93eb04ff5bcfc01321c11958816c

4f309c3a8d754a3fcdfed611e4f101e6b690ddd5

cccf673f3c9c02f5f9a21346cdc91f78d94c92b3

2ac423a86d94d82cc0ecc3c508aa7a90c27a4b9c