• Skip to primary navigation
  • Skip to main content
  • Skip to footer

Cisco Umbrella

Enterprise network security

  • Contact Sales
  • Login
    • Umbrella Login
    • Cloudlock Login
  • Why Us
    • Why Cisco Umbrella
      • Why Try Umbrella
      • Why DNS Security
      • Why Umbrella SASE
      • Our Customers
      • Customer Stories
      • Why Cisco Secure
    • Fast Reliable Cloud
      • Global Cloud Architecture
      • Cloud Network Status
      • Global Cloud Network Activity
    • Unmatched Intelligence
      • A New Approach to Cybersecurity
      • Interactive Intelligence
      • Cyber Attack Prevention
      • Umbrella and Cisco Talos Threat Intelligence
    • Extensive Integrations
      • IT Security Integrations
      • Hardware Integrations
      • Meraki Integration
      • Cisco Umbrella and SecureX
  • Products
    • Cisco Umbrella Products
      • Cisco Umbrella Cloud Security Service
      • Recursive DNS Services
      • Cisco Umbrella SIG
      • Umbrella Investigate
      • What’s New
    • Product Packages
      • Cisco Umbrella Package Comparison
      • – DNS Security Essentials Package
      • – DNS Security Advantage Package
      • – SIG Essentials Package
      • – SIG Advantage Package
      • Umbrella Support Packages
    • Functionality
      • DNS-Layer Security
      • Secure Web Gateway
      • Cloud Access Security Broker (CASB)
      • Cloud Data Loss Prevention (DLP)
      • Cloud-Delivered Firewall
      • Cloud Malware Protection
      • Remote Browser Isolation (RBI)
    • Man on a laptop with headphones on. He is attending a Cisco Umbrella Live Demo
  • Solutions
    • SASE & SSE Solutions
      • Cisco Umbrella SASE
      • Secure Access Service Edge (SASE)
      • What is SASE
      • What is Security Service Edge (SSE)
    • Functionality Solutions
      • Web Content Filtering
      • Secure Direct Internet Access
      • Shadow IT Discovery & App Blocking
      • Fast Incident Response
      • Unified Threat Management
      • Protect Mobile Users
      • Securing Remote and Roaming Users
    • Network Solutions
      • Guest Wi-Fi Security
      • SD-WAN Security
      • Off-Network Endpoint Security
    • Industry Solutions
      • Government and Public Sector Cybersecurity
      • Financial Services Security
      • Cybersecurity for Manufacturing
      • Higher Education Security
      • K-12 Schools Security
      • Healthcare, Retail and Hospitality Security
      • Enterprise Cloud Security
      • Small Business Cybersecurity
  • Resources
    • Content Library
      • Top Resources
      • Cybersecurity Webinars
      • Events
      • Research Reports
      • Case Studies
      • Videos
      • Datasheets
      • eBooks
      • Solution Briefs
    • International Documents
      • Deutsch/German
      • Español/Spanish
      • Français/French
      • Italiano/Italian
      • 日本語/Japanese
    • Security Definitions
      • What is Secure Access Service Edge (SASE)
      • What is Security Service Edge (SSE)
      • What is a Cloud Access Security Broker (CASB)
      • Cyber Threat Categories and Definitions
    • For Customers
      • Support
      • Customer Success Webinars
      • Cisco Umbrella Studio
  • Trends & Threats
    • Market Trends
      • Hybrid Workforce
      • Rise of Remote Workers
      • Secure Internet Gateway (SIG)
    • Security Threats
      • How to Stop Phishing Attacks
      • Malware Detection and Protection
      • Ransomware is on the Rise
      • Cryptomining Malware Protection
      • Cybersecurity Threat Landscape
      • Global Cyber Threat Intelligence
    •  
    • Woman connecting confidently to any device anywhere
  • Partners
    • Channel Partners
      • Partner Program
      • Become a Partner
    • Service Providers
      • Secure Connectivity
      • Managed Security for MSSPs
      • Managed IT for MSPs
    •  
    • Person looking down at laptop. They are connecting and working securely
  • Blog
    • News & Product Posts
      • Latest Posts
      • Products & Services
      • Customer Focus
      • Feature Spotlight
    • Cybersecurity Posts
      • Security
      • Threats
      • Cybersecurity Threat Spotlight
      • Research
    •  
    • Register for a webinar - with illustration of connecting securely to the cloud
  • Contact Us
  • Umbrella Login
  • Cloudlock Login
  • Free Trial
Security

Why cloud providers are top targets for phishing attacks

Author avatar of Sneha ShekarSneha Shekar
September 15, 2020 • 3 minute read
View blog >

84.7% of cyberattacks involve phishing. In such a scenario, it becomes very important to understand the various ways a phishing attack could occur. Phishing URLs are commonly found on cloud providers. This article will take you through why cloud providers are being used increasingly for phishing campaigns and what pattern an attack on these sites usually follows.

Phishing pages hosted on cloud services like Microsoft Azure can trick users into believing that they are visiting a legitimate site.

Firstly, these pages have the green lock sign displayed on the site. Users who don’t really go into the details may see the green lock symbol and think that the site is safe. However, the green lock merely symbolizes that the site is secure, which means that the traffic is encrypted, and the site itself may not necessarily be safe.

Even if a user knows this difference and decides to inspect further, the page will have a valid SSL certificate signed by Microsoft. This happens because the page is hosted on Microsoft Azure.

Moreover, many times the URL may contain windows[.]net or azurewebsites[.]net which may lead users to believe that it is a legitimate Microsoft site.

Every week we identify many phishing sites that behave in this way.

Let’s take a look at one of them:

hXXps://enq42yzh.azurewebsites.net/caiTxU/ when a user goes to this url, it shows a Microsoft login page.

Example of fake login page - Cisco Umbrella blog

The domain is registered to Microsoft, as per the WHOIS information available.

Example of fake WHOIS domain registration - Cisco Umbrella blog

The SSL certificate of the site is issued by Microsoft, which again leads the user to think the site is a legitimate one.

Example of fake SSL Certificate - Cisco Umbrella blog

However, when a user enters the login credentials on this page, the attacker gets the login ID and password, thus making the phishing attempt successful.

To see how this happens, we inspect the source code of the page. In this particular case, after the user enters login credentials and clicks on the ‘Login’ button, they are simply taken back to the login page again. The attacker gets the user credentials.

This can be seen in the source code of the page:

Example of malicious source code - Cisco Umbrella blog

In other cases, the source code may contain heavily obfuscated text. In the example below, the snippet contains text that is likely base64 encoded.

Example of obfuscated text - Cisco Umbrella blog

Here, we took one such encoded part and decoded it. The decoded JavaScript code is shown below:

Example of decoded JavaScript code - Cisco Umbrella blog

Upon analyzing the code, we can see a variable gate that is a URL: hXXps://voicecenterserved[.]azurewebsites.net/assets/gate.php.

A POST request is made to this URL through which the email and password entered by the user is sent. This destination URL is likely where the attacker stores the credentials. It acts as a C&C server. Sometimes, the link to the C&C server can be encoded in a hex string or is available directly in the page source of the site.

Example of variable gate URL as a hex string - Cisco Umbrella blog
Example of phishing source code - Cisco Umbrella blog

The credentials obtained may then be used for a number of different things. These can be used to access various accounts of the victim, sell them to various third parties, use them for a particular campaign, etc.

Phishing attacks of this type have been on the rise over the last few years. Phishing attacks targeted at SaaS and other webmail services still continue to be the biggest category of phishing (as per APWGs Q1 2020 report). By getting a user’s Microsoft or other similar SaaS login credentials, the attacker gets access to multiple accounts linked to that particular user ID. This makes the user vulnerable to a very wide threat landscape.

Conclusion

Cisco Umbrella resolves over 220 billion DNS requests daily, giving our researchers a unique view of the Internet to better identify trends on threats, faster. We are constantly finding new ways to uncover “fingerprints” that attackers leave behind and ways to build new statistical and machine learning models to automatically identify attacker infrastructure to pre-emptively neutralize it. This way, attacks can be stopped even before the specific nature of the attack is fully identified.

Interested in trying out Umbrella? Sign-up for a free 14 day trial today.

Suggested Blogs

  • Cisco Umbrella Delivered Better Cybersecurity and 231% ROI February 21, 2023 2 minute read
  • Cisco Listed as a Representative Vendor in Gartner® Market Guide for Single-Vendor SASE January 26, 2023 3 minute read
  • How to Evaluate SSE Vendors: Questions to Ask, Pitfalls to Avoid June 23, 2022 5 minute read

Share this blog

FacebookTweetLinkedIn

Follow Us

  • Twitter
  • Facebook
  • LinkedIn
  • YouTube

Footer Sections

What we make

  • Cloud Security Service
  • DNS-Layer Network Security
  • Secure Web Gateway
  • Security Packages

Who we are

  • Global Cloud Architecture
  • Cloud Network Status
  • Cloud Network Activity
  • OpenDNS is now Umbrella
  • Cisco Umbrella Blog

Learn more

  • Webinars
  • Careers
  • Support
  • Cisco Umbrella Live Demo
  • Contact Sales
Umbrella by Cisco
208.67.222.222+208.67.220.220
2620:119:35::35+2620:119:53::53
Sign up for a Free Trial
  • Cisco Online Privacy Statement
  • Terms of Service
  • Sitemap

© 2023 Cisco Umbrella