Over the past six months, threat actors' use of Cloudflare R2 to host phishing pages has grown 61-fold. According to Jan Michael, a security researcher at Netskope, these campaigns primarily target Microsoft login credentials, with some instances targeting Adobe, Dropbox, and other cloud applications.
Cloudflare R2 is a cloud object storage service comparable to Amazon Web Services S3, Google Cloud Storage, and Azure Blob Storage.
This development coincides with a rise in the total number of cloud applications being exploited for malware distribution, which has now reached 167. The top five sources include Microsoft OneDrive, Squarespace, GitHub, SharePoint, and Weebly.
The phishing campaigns identified by Netskope not only use Cloudflare R2 to serve static phishing pages but also place those pages behind Cloudflare's Turnstile, a CAPTCHA replacement, so that an anti-bot challenge sits in front of them and detection becomes harder.
This blocks online scanners such as urlscan.io from reaching the actual phishing page, because an automated visitor consistently fails the Turnstile challenge and only ever sees the challenge page.
In addition to these evasion techniques, the malicious sites load their content only under specific conditions. As Jan Michael explains, “The malicious website requires a referring site to include a timestamp after a hash symbol in the URL to display the actual phishing page. On the other hand, the referring site requires a phishing site passed on to it as a parameter.” If no URL parameter is passed to the referring site, visitors are redirected to www.google.com.
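To make the two-stage gate concrete, the following is an added Python model of the behaviour described above; it is example code written for this article, not code from Netskope or from the phishing kit. The report does not name the query parameter or the timestamp format, so the parameter name `url`, the 10-13 digit timestamp check, and every hostname in the block are assumptions labelled as such. The same functions double as what an analyst needs to reconstruct the URL a scanner must request to get past the gate.

```python
"""Model of the referrer -> timestamp-fragment -> phishing-page gate (added example).

Assumptions, since the report does not state them:
  - the referring site reads the phishing URL from a query parameter named ``url``;
  - the timestamp is Unix time in seconds (or milliseconds);
  - the page treats any fragment consisting of 10-13 digits as a valid timestamp.
All hostnames below are constructed placeholders.
"""
import re
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse, urlunparse

FALLBACK_URL = "https://www.google.com/"   # destination when no parameter is supplied
TARGET_PARAM = "url"                       # assumed parameter name
_TS_RE = re.compile(r"^\d{10,13}$")        # assumed: seconds or milliseconds since epoch


def referrer_redirect(referrer_url: str, now: Optional[int] = None) -> str:
    """Emulate the referring site: send the visitor to ``<target>#<timestamp>``,
    or to the fallback when the target parameter is missing."""
    query = parse_qs(urlparse(referrer_url).query)
    target = query.get(TARGET_PARAM, [None])[0]
    if not target:
        return FALLBACK_URL
    ts = int(time.time()) if now is None else now
    # Keep scheme, host and path of the target; only the fragment is set.
    return urlunparse(urlparse(target)._replace(fragment=str(ts)))


def phishing_page_renders(landing_url: str) -> bool:
    """Emulate the check on the R2-hosted page: the real content is shown only
    when the URL fragment looks like a timestamp; otherwise the decoy is shown."""
    fragment = urlparse(landing_url).fragment
    return _TS_RE.fullmatch(fragment) is not None


def scanner_fetch_url(referrer_url: str) -> Optional[str]:
    """URL an analyst or scanner should load to see the real page.

    Submitting the bare R2 URL (no fragment) yields the decoy; submitting the
    referring site with its parameter, or the R2 URL with a fresh ``#<timestamp>``,
    passes the gate. Returns None when the referrer carries no target, because a
    victim following that link only reaches the fallback.
    """
    landing = referrer_redirect(referrer_url)
    return None if landing == FALLBACK_URL else landing


if __name__ == "__main__":
    lure = "https://lure.example/r?url=https://pub-1234.r2.dev/login.html"  # constructed
    landing = referrer_redirect(lure, now=1693000000)
    print(landing, phishing_page_renders(landing))
    print(phishing_page_renders("https://pub-1234.r2.dev/login.html"))
```

One caveat worth keeping in mind when reproducing this: a URL fragment is never sent to the server, so the R2 bucket receives identical requests for the decoy and the real page and cannot enforce the check itself; the gate has to be JavaScript running in the browser. A scanner therefore needs to execute the page's script with the fragment present, not just fetch the HTML, and hunting for the fragment in proxy or web-server logs will find nothing.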
The findings come shortly after Netskope disclosed a phishing campaign that hosted fraudulent login pages on AWS Amplify. Those pages stole users' banking and Microsoft 365 credentials, as well as payment card details, and exfiltrated them through Telegram's Bot API.