Experts say the cybercriminals are relying on the free 30-day trial

Apr 29, 2014 09:55 GMT

Cybercriminals are increasingly abusing Microsoft’s Azure cloud platform to host their phishing websites. Experts highlight the fact that there are several advantages to using this service.

Phishing websites can be deployed either on newly registered domains or on compromised websites. However, using certain services can make the phishing operation more efficient and keep it alive for a longer period.

Experts from Netcraft warn that cybercriminals have started abusing the 30-day free trial offered by Microsoft for the Azure platform. Cybercrooks can also use compromised Microsoft accounts and virtual machines running on Azure to host their phishing sites, but they appear to prefer abusing the 30-day trial.

Considering that phishing pages are usually active only for a few days tops before being flagged or removed, 30 days is more than enough for the cybercriminals.

Users who sign up for the 30-day trial get $200 worth of credit. While this method requires them to provide credit card details and a valid phone number, fraudsters don’t seem to be too concerned about this.

The payment card data can be obtained from previous phishing attacks or it can be purchased from cybercrime markets. As far as the phone number is concerned, it’s a bit trickier, since authorities might be able to track them down based on this information. On the other hand, the phishers can use pre-paid SIM cards to make sure they can’t be traced.

Netcraft has identified several phishing pages hosted on Azure, including ones targeting customers of Apple, PayPal, Visa, American Express, Cielo and Comcast.

Most of the phishing sites are hosted on subdomains of azurewebsites.net, which Microsoft offers for free. Cloudapp.net subdomains, which are used for cloud apps and virtual machines, are also available, but they don’t appear to be as popular among cybercriminals.

Many of the subdomains registered by cybercrooks are clearly used for phishing schemes. Examples include paypalsecurity, cielo-2014, login-comcastforceauthn, www22online-americanexpress and itune-billing2update-ssl-apple.
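For defenders, the naming pattern described above can be turned into a triage check over proxy or DNS logs. The following is an added example, not code from Netcraft or Microsoft; the keyword list, the function names and the sample hostnames (built from the labels quoted above) are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Free hosting suffixes named in the article.
AZURE_SUFFIXES = ("azurewebsites.net", "cloudapp.net")

# Assumed keyword list, derived from the brands the article says were targeted.
BRAND_KEYWORDS = {
    "paypal": "PayPal", "cielo": "Cielo", "comcast": "Comcast",
    "americanexpress": "American Express", "amex": "American Express",
    "apple": "Apple", "itune": "Apple", "visa": "Visa",
}

def azure_label(value):
    """Return the labels left of an Azure suffix, or None if not hosted there."""
    value = value.strip()
    try:
        host = urlsplit(value if "//" in value else "//" + value).hostname
    except ValueError:  # malformed input such as an unclosed IPv6 bracket
        return None
    host = (host or "").rstrip(".")
    for suffix in AZURE_SUFFIXES:
        if host.endswith("." + suffix):
            return host[: -len(suffix) - 1]
    return None

def flag_lookalikes(values, allowlist=frozenset()):
    """Return (input, brands) pairs for Azure subdomains that name a brand."""
    hits = []
    for value in values:
        label = azure_label(value)
        if label is None or label in allowlist:
            continue
        # Keep letters only, so a keyword broken up by hyphens or digits still matches.
        squashed = "".join(ch for ch in label if ch.isalpha())
        brands = sorted({b for kw, b in BRAND_KEYWORDS.items() if kw in squashed})
        if brands:
            hits.append((value, brands))
    return hits

# Constructed sample: hostnames as they might appear in proxy or DNS logs.
SAMPLE = [
    "https://paypalsecurity.azurewebsites.net/login",
    "itune-billing2update-ssl-apple.azurewebsites.net",
    "WWW22Online-AmericanExpress.azurewebsites.net.",
    "login-comcastforceauthn.cloudapp.net",
    "cielo-2014.azurewebsites.net",
    "contoso-intranet.azurewebsites.net",   # benign, no brand keyword
    "apple-orchard-shop.azurewebsites.net", # benign, covered by the allowlist
    "paypal.example.com",                   # not on an Azure suffix
]
```

Short keywords such as "visa" also match unrelated names, so hits are a triage signal rather than a verdict; pass your organisation's own Azure app names in `allowlist`.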

When they register a website on Azure, fraudsters can also use SSL certificates. This gives the phishing sites more credibility. Furthermore, the SSL certificates can’t be revoked in some major browsers, particularly Firefox.

So where do the cybercriminals store the harvested data? In many cases, they use free email addresses provided by Microsoft. When they deploy the phishing sites, they configure them so that the stolen data is sent to their Live, Hotmail or Outlook email accounts from where they can easily download it at any time.

Another noteworthy aspect is that some phishers are using Azure to proxy Internet traffic when accessing the malicious website.