Risk actors’ use of Cloudflare R2 to host phishing pages has witnessed a 61-fold enhance over the previous six months.
“The vast majority of the phishing campaigns goal Microsoft login credentials, though there are some pages focusing on Adobe, Dropbox, and different cloud apps,” Netskope safety researcher Jan Michael stated.
Cloudflare R2, analogous to Amazon Net Service S3, Google Cloud Storage, and Azure Blob Storage, is a knowledge storage service for the cloud.
The event comes as the full variety of cloud apps from which malware downloads originate has elevated to 167, with Microsoft OneDrive, Squarespace, GitHub, SharePoint, and Weebly taking the highest 5 spots.
The phishing campaigns recognized by Netskope not solely abuse Cloudflare R2 to distribute static phishing pages, but additionally leverage the corporate’s Turnstile providing, a CAPTCHA alternative, to position such pages behind anti-bot boundaries to evade detection.
In doing so, it prevents on-line scanners like urlscan.io from reaching the precise phishing website, because the CAPTCHA check leads to a failure.
As a further layer of detection evasion, the malicious websites are designed to load the content material solely when sure situations are met.
“The malicious web site requires a referring website to incorporate a timestamp after a hash image within the URL to show the precise phishing web page,” Michael stated. “Alternatively, the referring website requires a phishing website handed on to it as a parameter.”
Within the occasion no URL parameter is handed to the referring website, guests are redirected to www.google[.]com.
The event comes a month after the cybersecurity firm disclosed particulars of a phishing marketing campaign that was discovered internet hosting its bogus login pages in AWS Amplify to steal customers’ banking and Microsoft 365 credentials, together with card cost particulars through Telegram’s Bot API.