The past six months have witnessed a staggering 61-fold increase in cybercriminals utilizing Cloudflare R2 to host phishing pages, posing a significant threat.
Netskope security researcher Jan Michael revealed that while Microsoft login credentials are the primary target of these phishing campaigns, other cloud apps like Adobe, Dropbox, and more have also been victimized. Cloudflare R2, a cloud data storage service analogous to platforms like AWS S3 and Google Cloud Storage, is at the center of this alarming trend.
As the total count of cloud apps responsible for malware downloads has risen to 167, major names like Microsoft OneDrive, Squarespace, GitHub, SharePoint, and Weebly have emerged as the top sources. Netskope’s investigation uncovered that these phishing campaigns go beyond utilizing Cloudflare R2 to distribute static phishing pages.
The cybercriminals behind these attacks have strategically adopted Cloudflare’s Turnstile offering, which employs a CAPTCHA replacement to hide these malicious pages behind anti-bot defenses, making detection challenging. Even online scanners like urlscan.io are hindered by the CAPTCHA test’s failure.
Adding another layer of sophistication, the malicious sites are engineered to load content under specific conditions. Netskope’s Jan Michael explained that to display the actual phishing page, a referring site must include a timestamp after a hash symbol in the URL, and the referring site must also pass a phishing site as a parameter.
If no URL parameter is provided to the referring site, visitors are redirected to www.google[.]com. This development follows closely after Netskope’s disclosure of a separate phishing campaign that exploited AWS Amplify to target users’ banking and Microsoft 365 credentials, along with card payment details using Telegram’s Bot API.
