Summary
Netskope Threat Labs is tracking a 17x increase in traffic to malicious web pages hosted on DigitalOcean in the last six months. This increase is attributed to new campaigns of a known tech support scam that mimics Windows Defender and tries to deceive users into believing that their computer is infected. The end goal of this scam is to lure victims into calling a fake “help line”, where attackers may attempt to remotely access the victim’s computer to either install malware or request payment for a service to fix the bogus infection.
In addition to the tech support scam, there has also been an increase in phishing pages hosted on DigitalOcean, targeting customers of the financial institutions America First Credit Union, Huntington, and Truist, and one phishing page targeting IONOS Webmail users.
The attacks have been targeting victims mainly in North America and Europe across different segments, led by the technology, financial services, and manufacturing sectors.
Attackers are creating free-tier DigitalOcean apps to host the scam and phishing pages. Abusing free cloud services, especially services that provide free web hosting or free object hosting, is a common technique used by attackers to host malicious content. This blog post provides a summary of what these scams and phishing pages look like, along with recommendations and threat intel you can use to protect yourself and your organization.
Tech Support Scam
How it Works
This scam works by mimicking Windows Defender alerts, luring victims into believing that their computer is infected with malware. The goal of this attack is to convince the victim to call the scammer’s phone number. Attackers may attempt to remotely access the victim’s computer to either install malware or request payment for a service to fix the bogus infection. Attackers typically use malvertising to redirect victims to these scam pages.
Once the victim interacts with the webpage, the web browser’s window is maximized and an audio starts playing with the following message:
“Important security message.
Your computer has been locked up.
Your IP address was used without your knowledge or consent to visit websites that contain identity theft virus.
To unlock the computer, please call support immediately.
Please, do not attempt to shutdown or restart your computer. Doing that may lead to data loss and identity theft.
The computer lock is aimed to stop illegal activity.
Please, call our support immediately.”
These are all attempts to scare victims and force them to call the attacker’s phone number. The campaigns Netskope Threat Labs has identified all use different “themes”, but rely on the same technique. For example, below is an example that shows a fake Windows desktop in the background and a fake webchat, which eventually displays a message saying that there’s an error and asks the victim to contact the phone number instead of the chat.
We also found pages in different languages such as Japanese, showing that this is a multilingual campaign.
How is it spread across DigitalOcean?
DigitalOcean allows users to host up to three static websites for free. Since the phone number displayed on the tech scam page is dynamic and can be changed via the “phone” parameter in the URL, attackers can use different phone numbers in the same DigitalOcean instance, without changing anything in the HTML or the scripts. This also means that attackers can create multiple DigitalOcean instances and replicate the same HTML and script files, as these do not require any changes.
In the example below, we used fake numbers to illustrate how this works.
This can also be confirmed by checking VirusTotal. For example, one of the pages we analyzed is related to 87 different domains from DigitalOcean.
Although Netskope Threat Labs has been tracking attackers abusing DigitalOcean in these campaigns, there are also recent reports of similar scams where attackers are abusing Microsoft Azure to host the pages.
Phishing Pages
Netskope Threat Labs is also tracking an increase in phishing activity hosted on DigitalOcean, focused primarily on stealing sensitive financial data, like credit card and debit card numbers.
America First Credit Union
One of the targets is America First Credit Union, where attackers created a very similar phishing page compared to the original website. Although the page looks very similar, one can easily distinguish between the original website by checking the URL.