The Trust Trap: When Your Cloud Technology Turns into a Phishing Paradise

Potech
4 min read · Jul 29, 2024


Keywords: Phishing Websites, Fraud, Scamming, Cloud Technology, Cloud Computing, Phishing Threat, Social Engineering, Fake Websites, Digital Risk Protection, AWS (Amazon Web Services), Cloudflare WAF (Web Application Firewall), Darkivore

Imagine this: you trust a cloud platform with your data, only to discover it’s become a breeding ground for scammers. This isn’t science fiction, this is the new reality of scamming and phishing attacks in the cloud.

Scamming Goes Cloud-Hopping: How Convenience Breeds Danger!

Cloud technology has undeniably revolutionized data access. But with this convenient new access comes a hidden threat: phishing scams. Cybercriminals exploit the system by creating fake websites that perfectly mimic legitimate ones — hosted on trusted platforms like AWS — through which these imposters trick unsuspecting users into revealing login credentials or falling victim to investment scams.

The Chameleon Cloud — Why Phishing on Cloud Platforms is Scary.

Traditional security measures like mail filters, web filters and EDR software often fail against these sophisticated attacks for two key reasons:

1. Trusted Platforms as a Disguise: Attackers leverage the inherent credibility of cloud service providers like AWS, making it difficult to distinguish a fake site from a real one.

2. Hidden in Plain Sight: Phishing sites can even have domains purchased from trustworthy registrars, as well as reputable HTTPS certificates, which were once considered a sign of legitimacy. This “Trust Trap” makes even tech-savvy users vulnerable.

A Case Study: When AWS & Cloudflare Became Scamming & Phishing Hotspots.

Here’s a real-life example of how this unfolds. During a routine security scan for a client, our Darkivore platform discovered phishing and scamming websites masquerading as the client’s legitimate site. Shockingly, these fraudulent sites were hosted on AWS and even protected by Cloudflare WAF services! Further investigation revealed that the same server housed over 1,700 other phishing sites, all impersonating various entities across Central Asia, Europe and the US.

The hackers had built a robust infrastructure to shield their operations and conduct malicious activities with minimal disruption or detection from cloud service providers. Their astute setup employed multi-layered concealing techniques:

· WAF/CDN as a smokescreen: To mask their backend infrastructure, the attackers used a Cloudflare WAF (Web Application Firewall) and CDN (Content Delivery Network) to proxy their domains. Imagine a WAF/CDN as a gatekeeper that filters incoming traffic before it reaches the actual website. By using this service, the attacker hides the true location of their malicious website.

· Geo-targeting for a tailored scam: The attackers implemented geo-location restrictions. Users or security researchers visiting the site from a country not on the target list would be presented with a harmless sample page. In contrast, targeted victims from specific countries would land on phishing or scamming websites. This tactic makes it incredibly difficult for security analysts to uncover the true purpose of these sites, as they might only see the benign version.

These cunning techniques demonstrate how attackers can maliciously exploit cloud services that are designed to provide security and reliability. By understanding these tactics, we can be more vigilant in protecting ourselves online.

The Challenge: Cloud Providers Snub Phishing…

In our case, despite presenting detailed evidence, AWS only removed the specific phishing pages targeting our client, while leaving the entire infrastructure hosting over 1,700 phishing sites untouched. Only after extensive back-and-forth communication did they finally take down the whole network.

Another provider, Cloudflare, took a different approach, refusing to deactivate the attacker’s nameservers or accounts, believing the issue lay at the hosting and domain level.

This highlights a crucial challenge: how can cloud service providers improve their responses to such widespread malicious activities?

While users’ awareness and caution are vital, cloud service providers have a significant role in combating these threats. Here’s how they can do better:

· Sharpen Detection: Improve security frameworks to identify and remove phishing sites more effectively.

· Vetting à la Loupe: Implement a stricter vetting process for new customers in order to identify potential bad actors before they abuse the platform.

· Collaborate: Working closely with cybersecurity experts allows cloud providers to stay ahead of constantly evolving threats and tactics.

Fight Back! Here’s your Cloud Security Arsenal:

Do not become a victim! Here are the tools you need to combat cloud-based phishing attacks:

1. Be a Domain Detective: Scrutinize website addresses for typos or lookalike URLs. A legitimate site wouldn’t have a misspelling in its name!

2. Beware Attachments: Treat email attachments with suspicion, especially from unknown senders. Don’t download or open suspicious files.

3. Verify, Don’t Click: Avoid clicking on links directly from emails. Instead, head to the official website directly through a trusted search engine.

4. Too Good to be True? It Probably Is: Unrealistic discounts or exclusive offers are often red flags for phishing and scamming attempts. Don’t fall for the bait!

5. Password Power & MFA: Use unique and strong passwords for all your online accounts. This minimizes the damage if one account is compromised.

Securing the Cloud: A Shared Responsibility.

Spread awareness, demand action from providers, and stay informed. Together, we can turn the tide against phishing/scamming and make the cloud a trusted haven for everyone.

Stay vigilant, stay informed!

Written by Aida-Maria Abou Jaoude, Serge Sandakly and Wassim Renno.
