
.XYZ quickly takes down almost 30 domains used in phishing campaign

Check Point experts discovered a large phishing campaign that an unknown cybercriminal group has been running since last August. The hackers sent emails to corporate users, posing as automatic notifications from office scanners and copiers. These emails contained a blurry and unreadable copy of a document; to read and download it, users had to click the link and enter their password.

The links led to phishing websites under the new gTLD .XYZ, where the hackers captured every password entered. Despite the seemingly simple scheme, it was quite effective and bypassed the protective mechanisms of Microsoft Office 365 Advanced Threat Protection. Over several months, the cybercriminals stole over 1,000 passwords from large companies’ networks.

The hackers were eventually betrayed by their own carelessness: they failed to properly protect the stolen account information. As a result, the file containing the credentials was indexed by the Google search engine and became accessible to absolutely everyone. In a sense, this made the attack even more dangerous, because the organizers were no longer the only ones who could take advantage of its results. On the other hand, it led to the immediate discovery of the entire campaign. Fortunately, the .XYZ registry was among the first to respond. It promptly blocked nearly 30 domains involved in the phishing campaign, putting an end to the illegal activity.
