Risk actors’ use of Cloudflare R2 to host phishing pages has witnessed a 61-fold enhance over the previous six months.
“The vast majority of the phishing campaigns goal Microsoft login credentials, though there are some pages focusing on Adobe, Dropbox, and different cloud apps,” Netskope safety researcher Jan Michael mentioned.
Cloudflare R2, analogous to Amazon Net Service S3, Google Cloud Storage, and Azure Blob Storage, is a knowledge storage service for the cloud.
The event comes as the entire variety of cloud apps from which malware downloads originate has elevated to 167, with Microsoft OneDrive, Squarespace, GitHub, SharePoint, and Weebly taking the highest 5 spots.
The phishing campaigns recognized by Netskope not solely abuse Cloudflare R2 to distribute static phishing pages, but additionally leverage the corporate’s Turnstile providing, a CAPTCHA substitute, to put such pages behind anti-bot obstacles to evade detection.
In doing so, it prevents on-line scanners like urlscan.io from reaching the precise phishing web site, because the CAPTCHA take a look at leads to a failure.
As a further layer of detection evasion, the malicious websites are designed to load the content material solely when sure circumstances are met.
“The malicious web site requires a referring web site to incorporate a timestamp after a hash image within the URL to show the precise phishing web page,” Michael mentioned. “However, the referring web site requires a phishing web site handed on to it as a parameter.”
Within the occasion no URL parameter is handed to the referring web site, guests are redirected to www.google[.]com.
The event comes a month after the cybersecurity firm disclosed particulars of a phishing marketing campaign that was discovered internet hosting its bogus login pages in AWS Amplify to steal customers’ banking and Microsoft 365 credentials, together with card fee particulars through Telegram’s Bot API.
