Threat actors' use of Cloudflare R2 to host phishing pages has increased 61-fold over the past six months.
“Most phishing campaigns target Microsoft login credentials, although some pages target Adobe, Dropbox and other cloud apps,” said Netskope security researcher Jan Michael.
Cloudflare R2 is a cloud data storage service analogous to Amazon Web Services S3, Google Cloud Storage, and Azure Blob Storage.
The increase comes as the total number of cloud apps from which malware downloads originated has risen to 167, with Microsoft OneDrive, Squarespace, GitHub, SharePoint and Weebly making up the top five.
The phishing campaigns identified by Netskope not only abuse Cloudflare R2 to distribute static phishing pages, but also leverage the company’s Turnstile offering, a CAPTCHA replacement, to place such pages behind anti-bot barriers to evade detection.
Doing so prevents online scanners such as urlscan.io from reaching the actual phishing site, because the scanner fails the CAPTCHA test.
As an additional layer of detection evasion, the malicious sites are designed to load their content only when certain conditions are met.
“A malicious website requires a referring site to include a timestamp after the hash symbol in the URL in order to display the actual phishing page,” Michael said. “On the other hand, the referring site needs to pass a phishing site as a parameter.”
If no URL parameters are sent to the referring site, the visitor is redirected to www.google[.]com.
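The gating described above leaves a recognizable shape in navigation telemetry. The following triage sketch is an added example, not code from Netskope or from the campaign; it assumes the timestamp is a Unix epoch value of 10 or 13 digits (the article does not give the format), and all hosts and hops are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qsl

def fragment_is_timestamp(url):
    """True if the text after '#' looks like an epoch timestamp.
    Assumption: 10 digits (seconds) or 13 digits (milliseconds)."""
    frag = urlsplit(url).fragment
    return frag.isascii() and frag.isdigit() and len(frag) in (10, 13)

def url_parameters(url):
    """Return query-parameter values that are themselves http(s) URLs."""
    found = []
    for _, value in parse_qsl(urlsplit(url).query):
        parts = urlsplit(value)
        if parts.scheme in ("http", "https") and parts.hostname:
            found.append(value)
    return found

def score_navigation(referrer, destination):
    """List the gating indicators present in one referrer -> destination hop."""
    reasons = []
    passed = url_parameters(referrer)
    if passed:
        reasons.append("referrer carries a URL as a parameter")
    if fragment_is_timestamp(destination):
        reasons.append("destination fragment looks like a timestamp")
    dest_host = urlsplit(destination).hostname
    if dest_host and any(urlsplit(p).hostname == dest_host for p in passed):
        reasons.append("destination host matches the passed URL")
    return reasons

# Constructed sample hops (referrer, destination) for illustration only.
SAMPLE_HOPS = [
    ("https://redirector.example/go?u=https://bucket.example/login.html",
     "https://bucket.example/login.html#1691400000"),
    ("https://news.example/article?id=42",
     "https://docs.example/guide#installation"),
    # Ordinary SSO return URL: two indicators, but no timestamp fragment.
    ("https://sso.example/auth?return=https://app.example/home",
     "https://app.example/home"),
]

def triage(hops, threshold=3):
    """Return the hops showing at least `threshold` indicators."""
    return [(r, d) for r, d in hops if len(score_navigation(r, d)) >= threshold]

if __name__ == "__main__":
    for referrer, destination in triage(SAMPLE_HOPS):
        print("review:", referrer, "->", destination)
```

URL fragments are never sent in HTTP requests, so this check needs browser or sandbox navigation telemetry rather than proxy or web-server logs.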
The development comes a month after the cybersecurity company disclosed details of a phishing campaign that was found hosting its bogus login pages on AWS Amplify to steal users’ banking and Microsoft 365 credentials, along with card payment details via Telegram’s Bot API.