The file remained on the server for another week—as a honeypot. And when two Eastern European IP addresses tried to use it that Friday night, they found only a login honeypot that logged their every move before slamming the door.
Many users rename Url-Log-Pass.txt to shopping_list.txt or old_notes.doc . Attackers know this trick. Malware doesn't search by filename alone; it searches for patterns —lines of text containing @domain.com and a string of characters next to the word "pass." Url-Log-Pass.txt
: