Over the past six months, there has been a large increase in threat actors using Cloudflare R2 to host phishing pages. Most of these campaigns target Microsoft login credentials, but other cloud apps such as Adobe and Dropbox are also being targeted. Cloudflare R2 is a cloud data storage service comparable to Amazon Web Services S3, Google Cloud Storage, and Azure Blob Storage.
The total number of cloud apps from which malware downloads originate has risen to 167, with Microsoft OneDrive, Squarespace, GitHub, SharePoint, and Weebly being the top five sources. Not only do these phishing campaigns abuse Cloudflare R2 to distribute static phishing pages, they also use Cloudflare's Turnstile offering to place the pages behind anti-bot barriers, evading detection. This prevents online scanners from reaching the actual phishing site, because the CAPTCHA check fails.
To further evade detection, the malicious sites are designed to load content only when specific conditions are met. For example, the phishing site requires a parameter to be passed to the referring site, and if no parameter is passed, visitors are redirected to www.google.com.
This increase in phishing campaigns using Cloudflare R2 follows an earlier disclosure by a cybersecurity company, which found a phishing campaign hosting fake login pages in AWS Amplify to steal users' banking and Microsoft 365 credentials, as well as card payment details, via Telegram's Bot API.