Check Point Research published a blog post on Thursday, explaining the phishing campaign, in which stolen information was discarded on WordPress domains. The attackers had been targeting the construction and energy sectors.
The attack began with a fraudulent email template, mimicking Xerox/Xeros scan notifications, along with the victim’s name in the title or subject line. The messages originated from a Linux server and were sent through PHP mailer and 1&1 email servers. The hackers included an attached HTML file containing embedded JavaScript code. This had one function: covert background checks of password use. Once they detected credential input, these were harvested and the users were sent to legitimate login pages.
Check Point said: “While this infection chain may sound simple, it successfully bypassed Microsoft Office 365 Advanced Threat Protection (ATP) filtering and stole over a thousand corporate employees’ credentials.”
