Over 80 percent of cyberattacks involve phishing. In such a scenario, it becomes very important to understand the various ways a phishing attack could occur. Phishing URLs are commonly found on cloud providers. This article will take you through why cloud providers are being used increasingly for phishing campaigns and what pattern an attack on these sites usually follows.
Phishing pages hosted on cloud services like Microsoft Azure can trick users into believing that they are visiting a legitimate site.
Firstly, these pages have the green lock sign displayed on the site. Users who don’t really go into the details may see the green lock symbol and think that the site is safe. However, the green lock merely symbolizes that the site is secure, which means that the traffic is encrypted, and the site itself may not necessarily be safe.
Even if a user knows this difference and decides to inspect further, the page will have a valid SSL certificate signed by Microsoft. This happens because the page is hosted on Microsoft Azure.
Moreover, many times the URL may contain windows[.]net or azurewebsites[.]net which may lead users to believe that it is a legitimate Microsoft site.
Let’s look at an example:
hXXps://enq42yzh.azurewebsites.net/caiTxU/ when a user goes to this URL, it shows a Microsoft login page.
The domain is registered to Microsoft, as per the WHOIS information available.
The SSL certificate of the site is issued by Microsoft, which again leads the user to think the site is a legitimate one.
However, when a user enters the login credentials on this page, the attacker gets the login ID and password, thus making the phishing attempt successful.
To see how this happens, we inspect the source code of the page. In this particular case, after the user enters login credentials and clicks on the ‘Login’ button, they are simply taken back to the login page again. The attacker gets the user credentials.
This can be seen in the source code of the page:
In other cases, the source code may contain heavily obfuscated text. In the example below, the snippet contains text that is likely base64 encoded.
Here, we took one such encoded part and decoded it. The decoded JavaScript code is shown below:
Upon analyzing the code, we can see a variable gate that is a URL: hXXps://voicecenterserved[.]azurewebsites.net/assets/gate.php.
A POST request is made to this URL through which the email and password entered by the user is sent. This destination URL is likely where the attacker stores the credentials.
The credentials obtained may then be used for a number of different things. These can be used to access various accounts of the victim, sell them to various third parties, use them for a particular campaign, et cetera.
Keep in mind, this is actually a low effort example of this. There are more complex and convincing ways in which this can be carried out by bad actors.
Phishing attacks of this type have been on the rise over the last few years. Phishing attacks targeted at SaaS and other webmail services still continue to be the biggest category of phishing. By getting a user’s Microsoft or other similar SaaS login credentials, the attacker gets access to multiple accounts linked to that particular user ID. This makes the user vulnerable to a very wide threat landscape.
To ensure you stay protected, or to explore your DNS security options, contact Tigunia today.