Cybercriminals Abusing Cloudflare R2 for Hosting Phishing Pages, Experts Warn

Threat actors’ use of Cloudflare R2 to host phishing pages has witnessed a 61-fold increase over the past six months.

“The majority of the phishing campaigns target Microsoft login credentials, although there are some pages targeting Adobe, Dropbox, and other cloud apps,” Netskope security researcher Jan Michael said.

Cloudflare R2, analogous to Amazon Web Service S3, Google Cloud Storage, and Azure Blob Storage, is a data storage service for the cloud.

The development comes as the total number of cloud apps from which malware downloads originate has increased to 167, with Microsoft OneDrive, Squarespace, GitHub, SharePoint, and Weebly taking the top five spots.

The phishing campaigns identified by Netskope not only abuse Cloudflare R2 to distribute static phishing pages, but also leverage the company’s Turnstile offering, a CAPTCHA replacement, to place such pages behind anti-bot barriers to evade detection.

In doing so, it prevents online scanners like urlscan.io from reaching the actual phishing site, as the CAPTCHA test results in a failure.

As an additional layer of detection evasion, the malicious sites are designed to load the content only when certain conditions are met.

“The malicious website requires a referring site to include a timestamp after a hash symbol in the URL to display the actual phishing page,” Michael said. “On the other hand, the referring site requires a phishing site passed on to it as a parameter.”

In the event no URL parameter is passed to the referring site, visitors are redirected to www.google[.]com.

The development comes a month after the cybersecurity company disclosed details of a phishing campaign that was found hosting its bogus login pages in AWS Amplify to steal users’ banking and Microsoft 365 credentials, along with card payment details via Telegram’s Bot API.