Cyber Criminals Abusing Cloudflare R2

Threat actors' use of Cloudflare R2 to host phishing pages has increased 61-fold over the past six months, security researchers recently reported.  The majority of the phishing campaigns target Microsoft login credentials, although some pages target Adobe, Dropbox, and other cloud apps.  Cloudflare R2, analogous to Amazon Web Services S3, Google Cloud Storage, and Azure Blob Storage, is a cloud object storage service.[1]

Cloudflare R2 is a distributed object storage service with zero egress fees: it lets developers store large amounts of unstructured data without the egress bandwidth charges associated with typical cloud storage services.  It is designed for the edge and builds on Cloudflare's commitment to the Bandwidth Alliance, providing zero-cost egress for stored objects regardless of request rate, which lets developers cut both their storage and their egress bills.  Egress bandwidth is often the largest charge for developers using object storage and is also the hardest to predict.

The development comes as the total number of cloud apps from which malware downloads originate has risen to 167, with Microsoft OneDrive, Squarespace, GitHub, SharePoint, and Weebly taking the top five spots.  The phishing campaigns identified by Netskope not only abuse Cloudflare R2 to host static phishing pages but also leverage the company's Turnstile offering, a CAPTCHA replacement, to place those pages behind an anti-bot barrier that evades detection: automated scanners such as urlscan.io fail the Turnstile challenge and never reach the actual phishing page.

As an additional layer of detection evasion, the malicious sites load their content only when certain conditions are met.  The phishing site displays the actual phishing page only when a referring site has sent the visitor to a URL that carries a timestamp after the hash symbol (#).  The referring site, in turn, requires the phishing site's URL to be passed to it as a parameter.

If no URL parameter is passed to the referring site, visitors are instead redirected to www.google[.]com.  The development comes a month after cybersecurity investigators disclosed details of a phishing campaign that hosted its bogus login pages on AWS Amplify to steal users' banking and Microsoft 365 credentials, along with payment card details, exfiltrating them via Telegram's Bot API.
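As an added example that is not part of the original article or of Netskope's research, the following Python triage script flags URLs that match the gating pattern described above (an R2-hosted page reached through a URL with a timestamp after the hash, or a redirector that receives the R2 page as a parameter) without fetching anything, so Turnstile does not get in the way.  The R2 hostname suffix (pub-<id>.r2.dev), the decision to inspect every query parameter for an embedded URL, and the accepted timestamp range are assumptions; the sample URLs are constructed, not observed indicators.

```python
# Added example, not code from the article or from Netskope.
# Triages URLs (e.g. extracted from mail or a URL feed) for the Cloudflare R2
# referrer/timestamp gating pattern. Works purely on URL structure, so it is
# not blocked by the Turnstile challenge that stops live scanners.
# Assumptions: public R2 buckets are served from pub-<id>.r2.dev hostnames;
# the redirector may pass the phishing URL in any query parameter; the
# timestamp is a Unix epoch in seconds (10 digits) or milliseconds (13 digits).
from urllib.parse import urlsplit, parse_qs

R2_SUFFIX = ".r2.dev"                                   # assumed hostname suffix
EPOCH_MIN, EPOCH_MAX = 1_500_000_000, 2_000_000_000     # mid-2017 .. 2033 (assumed range)


def is_r2_host(url: str) -> bool:
    """True if the URL's host is a Cloudflare R2 public-bucket hostname."""
    host = (urlsplit(url).hostname or "").lower()
    return host.endswith(R2_SUFFIX)


def fragment_is_timestamp(url: str) -> bool:
    """True if the text after '#' looks like a plausible Unix timestamp."""
    frag = urlsplit(url).fragment
    if not frag.isdigit() or len(frag) not in (10, 13):
        return False
    seconds = int(frag) // 1000 if len(frag) == 13 else int(frag)
    return EPOCH_MIN <= seconds <= EPOCH_MAX


def embedded_r2_targets(url: str) -> list[str]:
    """Query-parameter values that are absolute URLs on an R2 host, i.e. a
    referring/redirector site being handed the phishing page as a parameter."""
    found = []
    for values in parse_qs(urlsplit(url).query).values():
        for value in values:
            if value.lower().startswith(("http://", "https://")) and is_r2_host(value):
                found.append(value)
    return found


def triage(url: str) -> dict:
    """Classify one URL: 'high' when the gating pattern is present,
    'review' for any other R2-hosted resource, 'none' otherwise."""
    reasons = []
    if is_r2_host(url):
        reasons.append("r2_host")
        if fragment_is_timestamp(url):
            reasons.append("timestamp_fragment")
    targets = embedded_r2_targets(url)
    if targets:
        reasons.append("redirects_to_r2")
    if "timestamp_fragment" in reasons or "redirects_to_r2" in reasons:
        verdict = "high"
    elif reasons:
        verdict = "review"
    else:
        verdict = "none"
    return {"url": url, "verdict": verdict, "reasons": reasons, "targets": targets}


# Constructed sample input (not real indicators).
SAMPLE_URLS = [
    "https://pub-0123456789abcdef.r2.dev/index.html#1692182400",
    "https://redirector.example/go?u=https%3A%2F%2Fpub-0123456789abcdef.r2.dev%2Findex.html",
    "https://pub-0123456789abcdef.r2.dev/assets/app.css",
    "https://www.google.com/",
]


def triage_all(urls=SAMPLE_URLS) -> list[dict]:
    """Run triage over a list of URLs and return one result per URL."""
    return [triage(u) for u in urls]


if __name__ == "__main__":
    for result in triage_all():
        print(f"{result['verdict']:6} {result['reasons']}  {result['url']}")
```

Because the fragment after '#' is never sent to the server, the timestamp check only works on URLs captured client-side (mail bodies, browser telemetry, URL feeds); in proxy or web-server logs only the redirector's query parameter and the r2.dev hostname remain visible, so the 'review' verdict is what you should expect to see there.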

This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings:

Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5993554863383553632  

[1] https://thehackernews.com/2023/08/cybercriminals-abusing-cloudflare-r2.html
