Recent findings by cybersecurity experts indicate that the use of Cloudflare R2 to host phishing pages has increased 61-fold over the past six months. These phishing campaigns primarily target Microsoft login credentials, but also include pages impersonating Adobe, Dropbox, and other popular cloud applications.
Cloudflare R2, a cloud object storage service comparable to Amazon Web Services S3, Google Cloud Storage, and Azure Blob Storage, has become a preferred choice for threat actors to carry out their malicious activities.
This worrisome trend coincides with a significant rise in the number of cloud applications linked to malware downloads, totaling 167. Notably, Microsoft OneDrive, Squarespace, GitHub, SharePoint, and Weebly have emerged as the top five sources. In an attempt to avoid detection, the phishing campaigns identified by Netskope not only leverage Cloudflare R2 to distribute static phishing pages but also exploit the company’s Turnstile offering, a CAPTCHA replacement. By doing so, they create anti-bot barriers that hinder online scanners like urlscan.io from accessing the phishing sites.
Interestingly, these malicious sites are designed to load their content only under specific conditions, which further hinders detection. Netskope security researcher Jan Michael explains that the malicious site only displays the actual phishing page when a referring site includes a timestamp after a hash symbol in the URL. The referring site, in turn, expects the phishing site's URL to be passed to it as a parameter. If no URL parameter is supplied to the referring site, visitors are simply redirected to www.google.com.
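The two-stage gating described above (a redirector that receives the phishing URL as a query parameter, and a landing page that expects a timestamp in the URL fragment) leaves traces a defender can look for in URLs harvested from reported e-mails or browser telemetry. The following triage helper is an added example written for this article, not code from Netskope or the report; it assumes public R2 buckets are served from `*.r2.dev` and uses constructed sample URLs rather than real indicators.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: public Cloudflare R2 buckets are served from *.r2.dev (the article names no domain).
R2_HOST_SUFFIX = ".r2.dev"

def is_epoch_fragment(url, lo=1_500_000_000, hi=2_000_000_000):
    """True if the '#fragment' of url is a plausible Unix timestamp (seconds or milliseconds).
    Caveat: fragments never reach the server, so this only works on client-side data
    (reported e-mails, browser history/telemetry), not on proxy or web-server logs."""
    frag = urlsplit(url).fragment
    if not frag.isdigit():
        return False
    value = int(frag)
    if value > 10**12:          # millisecond timestamp; normalise to seconds
        value //= 1000
    return lo <= value <= hi

def embedded_r2_targets(url):
    """Return URLs carried in url's query-string values whose host is an R2 bucket
    (the 'phishing site passed to the redirector as a parameter' pattern)."""
    found = []
    for values in parse_qs(urlsplit(url).query, keep_blank_values=True).values():
        for candidate in values:            # parse_qs already percent-decodes values
            host = urlsplit(candidate).hostname or ""
            if candidate.startswith(("http://", "https://")) and host.endswith(R2_HOST_SUFFIX):
                found.append(candidate)
    return found

def triage_url(url):
    """Return the list of matched indicators for one URL (empty list = nothing noteworthy)."""
    reasons = []
    host = urlsplit(url).hostname or ""
    if host.endswith(R2_HOST_SUFFIX):
        reasons.append("hosted-on-r2")
    if is_epoch_fragment(url):
        reasons.append("timestamp-fragment")
    if embedded_r2_targets(url):
        reasons.append("redirector-to-r2")
    return reasons

# Constructed sample URLs for demonstration; not real indicators from the report.
SAMPLES = [
    "https://redirector.example/?url=https%3A%2F%2Fpub-abc123.r2.dev%2Flogin.html",
    "https://pub-abc123.r2.dev/login.html#1692000000",
    "https://docs.example/page#section-2",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, "->", triage_url(u) or "clean")
```

Matches from `embedded_r2_targets` are the R2 URLs worth submitting to a scanner or blocklist, since the redirector URL alone tells you little.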
This concerning development follows a previous disclosure by a cybersecurity company, which revealed details of a phishing campaign hosted on AWS Amplify. This campaign aimed to deceive users into providing their banking and Microsoft 365 credentials, as well as card payment details, by exploiting Telegram’s Bot API.