Attackers Using Microsoft Azure Cloud

Wednesday, April 30, 2014 @ 05:04 PM gHale


Microsoft’s Azure cloud platform appears to be suffering at the hands of attackers who host phishing web sites.

Phishing web sites can deploy either on newly registered domains or on compromised web sites. However, using certain services can ensure the phishing operation is more efficient and it stays alive for a longer period.

RELATED STORIES
Vulnerabilities in Cloud Services
Privacy at Risk with ‘Secure’ Cloud Storage
Holes in Oracle’s Java Cloud Service
Flaw in Microsoft Cloud Offering

Attackers started abusing the 30-day free trial offered by Microsoft for the Azure platform, said researchers at Netcraft. Attackers also use compromised Microsoft accounts and virtual machines running on Azure to host their phishing sites, but they appear to prefer abusing the 30-day trial.

Considering that phishing pages are usually active only for a few days before they end up flagged or removed, 30 days is more than enough.

Users who sign up for the 30-day trial get $200 worth of credit. While this method requires them to provide credit card details and a valid phone number, attackers don’t seem to be too concerned about this.

The payment card data can end up obtained from previous phishing attacks or it can end up purchased from cybercrime markets. As far as the phone number goes, it’s a bit trickier, since authorities might be able to track them down based on this information. On the other hand, the phishers can use pre-paid SIM cards.

Netcraft identified several phishing pages hosted on Azure, including ones targeting customers of Apple, PayPal, Visa, American Express, Cielo and Comcast.

Most of the phishing sites end up hosted on the azurewebsites.net subdomain offered for free by Microsoft. Cloudapp.net subdomains, which are for cloud apps and virtual machines, are also available, but they don’t appear to be as popular.

Many of the subdomains registered by attackers see use for phishing schemes. Examples include paypalsecurity, cielo-2014, login-comcastforceauthn, www22online-americanexpress and itune-billing2update-ssl-apple.

When they register a website on Azure, attackers can also use SSL certificates. This gives the phishing sites more credibility.



Leave a Reply

You must be logged in to post a comment.