Report DIVD-2021-00004 - Leaked Phishing Credentials

7 June by Célistine Oosting

Case lead: Lennaert Oudshoorn. Researchers: Victor Gevers, Frank Voelkel, Célistine Oosting

On the 9th of April, 2021, an independent researcher came to the DIVD with a dataset containing email addresses and passwords, along with other data such as IPv4 addresses, which he had obtained from the logs of a weakly secured phishing campaign site.

This specific campaign was active around the 22nd of March and its domain was registered prior to that date. Its targets were mainly employees of US-based companies that used Microsoft Active Directory Federation Services (ADFS) for corporate sign-in. By the time the data reached us, the campaign seemed no longer active and the site was already flagged by major browsers such as Google Chrome.

On the 7th of May, 2021, after discussing what to do with cases like this, we came to the conclusion that the best thing to do would be reporting it to the victims of the attack. Thus we started processing the data internally to prepare for mailing to the victims about their leaked credentials as well as giving some potential advice that could help them mitigate risks in the future.

Internally we discussed the best way to write such emails. In this case, all victims were from English-speaking countries, so the emails were only sent in English; the case page and blogs, however, were to be written in both Dutch and English. There was also a small hiccup regarding the source of the data: at first it wasn't entirely clear to the researchers whether the person who informed us was a third-party researcher or a researcher belonging to one of our partner organizations.

On the 9th of May, 2021, the first email notifications were sent to the victims of the phishing campaign. A day later, on the 10th of May, 2021, all notifications were sent to the victims. A total of about 60 to 70 emails were sent to the victims of the campaign.

As no new information had come in beyond what we already had, and the victims had been informed as far as we could tell after sending out the emails, the case was closed on the 10th of May, 2021. All researchers deleted any local copies of the data on the same day, leaving only the report to be written.

As of the 7th of June, 2021, no report had yet been written on this case; that has now been done. For some of the researchers working on this case, other than the case lead, it was their first case, so it was a good way to learn the ropes of reporting and the internal processes around it.