Die Zukunft von Zero Trust und SASE ist jetzt! On-Demand ansehen

Schließen
Schließen
  • Warum Netskope? Chevron

    Verändern Sie die Art und Weise, wie Netzwerke und Sicherheit zusammenarbeiten.

  • Unsere Kunden Chevron

    Netskope bedient mehr als 3.000 Kunden weltweit, darunter mehr als 25 der Fortune 100

  • Unsere Partner Chevron

    Unsere Partnerschaften helfen Ihnen, Ihren Weg in die Cloud zu sichern.

Am besten in der Ausführung. Am besten in Sachen Vision.

Im 2023 Gartner® Magic Quadrant™ für SSE wurde Netskope als führender Anbieter ausgezeichnet.

Report abrufen
Im 2023 Gartner® Magic Quadrant™ für SSE wurde Netskope als führender Anbieter ausgezeichnet.
Wir helfen unseren Kunden, auf alles vorbereitet zu sein

Unsere Kunden
Lächelnde Frau mit Brille schaut aus dem Fenster
Die partnerorientierte Markteinführungsstrategie von Netskope ermöglicht es unseren Partnern, ihr Wachstum und ihre Rentabilität zu maximieren und gleichzeitig die Unternehmenssicherheit an neue Anforderungen anzupassen.

Erfahren Sie mehr über Netskope-Partner
Gruppe junger, lächelnder Berufstätiger mit unterschiedlicher Herkunft
Ihr Netzwerk von morgen

Planen Sie Ihren Weg zu einem schnelleren, sichereren und widerstandsfähigeren Netzwerk, das auf die von Ihnen unterstützten Anwendungen und Benutzer zugeschnitten ist.

Whitepaper lesen
Ihr Netzwerk von morgen
Vorstellung der Netskope One-Plattform

Netskope One ist eine cloudnative Plattform, die konvergierte Sicherheits- und Netzwerkdienste bietet, um Ihre SASE- und Zero-Trust-Transformation zu ermöglichen.

Erfahren Sie mehr über Netskope One
Abstrakt mit blauer Beleuchtung
Nutzen Sie eine Secure Access Service Edge (SASE)-Architektur

Netskope NewEdge ist die weltweit größte und leistungsstärkste private Sicherheits-Cloud und bietet Kunden eine beispiellose Serviceabdeckung, Leistung und Ausfallsicherheit.

Mehr über NewEdge erfahren
NewEdge
Netskope Cloud Exchange

Cloud Exchange (CE) von Netskope gibt Ihren Kunden leistungsstarke Integrationstools an die Hand, mit denen sie in jeden Aspekt ihres Sicherheitsstatus investieren können.

Erfahren Sie mehr über Cloud Exchange
Netskope-Video
  • Edge-Produkte von Security Service Chevron

    Schützen Sie sich vor fortgeschrittenen und cloudfähigen Bedrohungen und schützen Sie Daten über alle Vektoren hinweg.

  • Borderless SD-WAN Chevron

    Stellen Sie selbstbewusst sicheren, leistungsstarken Zugriff auf jeden Remote-Benutzer, jedes Gerät, jeden Standort und jede Cloud bereit.

  • Secure Access Service Edge Chevron

    Netskope One SASE bietet eine Cloud-native, vollständig konvergente SASE-Lösung eines einzelnen Anbieters.

Die Plattform der Zukunft heißt Netskope

Intelligent Security Service Edge (SSE), Cloud Access Security Broker (CASB), Cloud Firewall, Next Generation Secure Web Gateway (SWG) und Private Access for ZTNA sind nativ in einer einzigen Lösung integriert, um jedes Unternehmen auf seinem Weg zum Secure Access Service zu unterstützen Edge (SASE)-Architektur.

Netskope Produktübersicht
Netskope-Video
Next Gen SASE Branch ist hybrid – verbunden, sicher und automatisiert

Netskope Next Gen SASE Branch vereint kontextsensitives SASE Fabric, Zero-Trust Hybrid Security und SkopeAI-Powered Cloud Orchestrator in einem einheitlichen Cloud-Angebot und führt so zu einem vollständig modernisierten Branch-Erlebnis für das grenzenlose Unternehmen.

Erfahren Sie mehr über Next Gen SASE Branch
Menschen im Großraumbüro
Entwerfen einer SASE-Architektur für Dummies

Holen Sie sich Ihr kostenloses Exemplar des einzigen Leitfadens zum SASE-Design, den Sie jemals benötigen werden.

Jetzt das E-Book lesen
Steigen Sie auf marktführende Cloud-Security Service mit minimaler Latenz und hoher Zuverlässigkeit um.

Mehr über NewEdge erfahren
Beleuchtete Schnellstraße mit Serpentinen durch die Berge
Ermöglichen Sie die sichere Nutzung generativer KI-Anwendungen mit Anwendungszugriffskontrolle, Benutzercoaching in Echtzeit und erstklassigem Datenschutz.

Erfahren Sie, wie wir den Einsatz generativer KI sichern
ChatGPT und Generative AI sicher aktivieren
Zero-Trust-Lösungen für SSE- und SASE-Deployments

Erfahren Sie mehr über Zero Trust
Bootsfahrt auf dem offenen Meer
Netskope erhält die FedRAMP High Authorization

Wählen Sie Netskope GovCloud, um die Transformation Ihrer Agentur zu beschleunigen.

Erfahren Sie mehr über Netskope GovCloud
Netskope GovCloud
  • Ressourcen Chevron

    Erfahren Sie mehr darüber, wie Netskope Ihnen helfen kann, Ihre Reise in die Cloud zu sichern.

  • Blog Chevron

    Erfahren Sie, wie Netskope die Sicherheits- und Netzwerktransformation durch Security Service Edge (SSE) ermöglicht

  • Events und Workshops Chevron

    Bleiben Sie den neuesten Sicherheitstrends immer einen Schritt voraus und tauschen Sie sich mit Gleichgesinnten aus

  • Security Defined Chevron

    Finden Sie alles was Sie wissen müssen in unserer Cybersicherheits-Enzyklopädie.

Security Visionaries Podcast

Zero Trust: Es ist mehr als nur Identität
In dieser Folge untersucht Moderatorin Emily Wearmouth das Konzept von Zero Trust zusammen mit den Cybersicherheitsexperten John Kindervag, dem „Pate von Zero Trust“, und Neil Thacker.

Podcast abspielen
Zero Trust: Es ist mehr als nur Identität
Neueste Blogs

Lesen Sie, wie Netskope die Zero Trust- und SASE-Reise durch Security Service Edge (SSE)-Funktionen ermöglichen kann.

Den Blog lesen
Sonnenaufgang und bewölkter Himmel
SASE Week 2023: Ihre SASE-Reise beginnt jetzt!

Wiederholungssitzungen der vierten jährlichen SASE Week.

Entdecken Sie Sitzungen
SASE Week 2023
Was ist Security Service Edge?

Entdecken Sie die Sicherheitselemente von SASE, die Zukunft des Netzwerks und der Security in der Cloud.

Erfahren Sie mehr über Security Service Edge
Kreisverkehr mit vier Straßen
  • Unternehmen Chevron

    Wir helfen Ihnen, den Herausforderungen der Cloud-, Daten- und Netzwerksicherheit einen Schritt voraus zu sein.

  • Leadership Chevron

    Unser Leadership-Team ist fest entschlossen, alles zu tun, was nötig ist, damit unsere Kunden erfolgreich sind.

  • Kundenlösungen Chevron

    Wir sind für Sie da, stehen Ihnen bei jedem Schritt zur Seite und sorgen für Ihren Erfolg mit Netskope.

  • Schulung und Zertifizierung Chevron

    Netskope-Schulungen helfen Ihnen ein Experte für Cloud-Sicherheit zu werden.

Unterstützung der Nachhaltigkeit durch Datensicherheit

Netskope ist stolz darauf, an Vision 2045 teilzunehmen: einer Initiative, die darauf abzielt, das Bewusstsein für die Rolle der Privatwirtschaft bei der Nachhaltigkeit zu schärfen.

Finde mehr heraus
Unterstützung der Nachhaltigkeit durch Datensicherheit
Denker, Architekten, Träumer, Innovatoren. Gemeinsam liefern wir hochmoderne Cloud-Sicherheitslösungen, die unseren Kunden helfen, ihre Daten und Mitarbeiter zu schützen.

Lernen Sie unser Team kennen
Gruppe von Wanderern erklimmt einen verschneiten Berg
Das talentierte und erfahrene Professional Services-Team von Netskope bietet einen präskriptiven Ansatz für Ihre erfolgreiche Implementierung.

Erfahren Sie mehr über professionelle Dienstleistungen
Netskope Professional Services
Mit Netskope-Schulungen können Sie Ihre digitale Transformation absichern und das Beste aus Ihrer Cloud, dem Web und Ihren privaten Anwendungen machen.

Erfahren Sie mehr über Schulungen und Zertifizierungen
Gruppe junger Berufstätiger bei der Arbeit

Attackers Increasingly Abusing DigitalOcean to Host Scams and Phishing

Mar 09 2023

Summary

Netskope Threat Labs is tracking a 17x increase in traffic to malicious web pages hosted on DigitalOcean in the last six months. This increase is attributed to new campaigns of a known tech support scam that mimics Windows Defender and tries to deceive users into believing that their computer is infected. The end goal of this scam is to lure victims into calling a fake “help line”, where attackers may attempt to remotely access the victim’s computer to either install malware or request payment for a service to fix the bogus infection.

In addition to the tech support scam, there has also been an increase in phishing pages hosted on DigitalOcean, targeting customers of the financial institutions America First Credit Union, Huntington, and Truist, and one phishing page targeting IONOS Webmail users.

The attacks have been targeting victims mainly in North America and Europe across different segments, led by the technology, financial services, and manufacturing sectors.

Presence of DigitalOcean Abuse by Sector

Attackers are creating free-tier DigitalOcean apps to host the scam and phishing pages. Abusing free cloud services, especially services that provide free web hosting or free object hosting, is a common technique used by attackers to host malicious content. This blog post provides a summary of what these scams and phishing pages look like, along with recommendations and threat intel you can use to protect yourself and your organization.  

Tech Support Scam

How it Works

This scam works by mimicking Windows Defender alerts, luring victims into believing that their computer is infected with malware. The goal of this attack is to convince the victim to call the scammer’s phone number. Attackers may attempt to remotely access the victim’s computer to either install malware or request payment for a service to fix the bogus infection. Attackers typically use malvertising to redirect victims to these scam pages.

Tech scam attack, using a fake number as an example.

Once the victim interacts with the webpage, the web browser’s window is maximized and an audio starts playing with the following message:

“Important security message.

Your computer has been locked up.

Your IP address was used without your knowledge or consent to visit websites that contain identity theft virus.

To unlock the computer, please call support immediately.

Please, do not attempt to shutdown or restart your computer. Doing that may lead to data loss and identity theft.

The computer lock is aimed to stop illegal activity.

Please, call our support immediately.”

These are all attempts to scare victims and force them to call the attacker’s phone number. The campaigns Netskope Threat Labs has identified all use  different “themes”, but rely on the same technique. For example, below is an example that shows a fake Windows desktop in the background and a fake webchat, which eventually displays a message saying that there’s an error and asks the victim to contact the phone number instead of the chat.

Another example of the same tech scam.

We also found pages in different languages such as Japanese, showing that this is a multilingual campaign.

Same tech support scam in Japanese.

How is it spread across DigitalOcean?

DigitalOcean allows users to host up to three static websites for free. Since the phone number displayed on the tech scam page is dynamic and can be changed via the “phone” parameter in the URL, attackers can use different phone numbers in the same DigitalOcean instance, without changing anything in the HTML or the scripts. This also means that attackers can create multiple DigitalOcean instances and replicate the same HTML and script files, as these do not require any changes.

In the example below, we used fake numbers to illustrate how this works.

Example of how attackers can use different phone numbers through the same HTML and different DigitalOcean instances.

This can also be confirmed by checking VirusTotal. For example, one of the pages we analyzed is related to 87 different domains from DigitalOcean.

DigitalOcean domains related to one of the tech support scam pages.

Although Netskope Threat Labs has been tracking attackers abusing DigitalOcean in these campaigns, there are also recent reports of similar scams where attackers are abusing Microsoft Azure to host the pages.

Phishing Pages

Netskope Threat Labs is also tracking an increase in phishing activity hosted on DigitalOcean, focused primarily on stealing sensitive financial data, like credit card and debit card numbers.

America First Credit Union

One of the targets is America First Credit Union, where attackers created a very similar phishing page compared to the original website. Although the page looks very similar, one can easily distinguish between the original website by checking the URL.

Phishing page hosted on DigitalOcean vs. the original website.

Once the victim adds the login information, the attackers attempt to steal more personal information like the victim’s full name, date of birth, social security number, carrier pin, and the address.

Phishing page asking for more information.

After entering all the data above, the page then asks for the victim’s debit card number, expiration date, CVV, and the card pin.

Phishing page asking for credit card information.

Then, the phishing page attempts to steal the victim’s email address and password. This is done by simulating a third-party login after inserting the email address in the phishing page. Attackers try to take over the victim’s email in order to gain control over the account’s MFA, if enabled. The access to the victim’s email also allows attackers to attempt to reset passwords and gain access to other accounts that are linked to the same email address.

As an extra attempt to deceive the victim, the phishing page tries to simulate the login page according to the email address provided by the user. For example, if a Gmail account is detected, the phishing page simulates Google’s login page.

Phishing page trying to steal the victim’s email address and password.

The same thing happens if a Microsoft email is detected.

Phishing page simulating Microsoft’s email login.

If the email provided by the victim is not from a known service, the phishing page uses the same layout as the one used for Gmail, but without Google’s logo.

Using an unknown email service to demonstrate how the phishing page behaves.

And lastly, the victim is redirected to the legitimate website.

Original America First Credit Union website.

Huntington National Bank

The second target is Huntington National Bank, where the attack flow is similar to the America First’s phishing page.

Huntington phishing page hosted on DigitalOcean.

After stealing the username and password, the phishing page asks for the one time pin sent to the victim, as an attempt to bypass the multi-factor authentication.

Phishing page asking the one time pin sent to the victim.

Then, the phishing tries to steal the victim’s email address and password, using the same technique as the America First phishing.

Phishing page trying to steal victim’s email address and password.

The phishing campaign then attempts to steal information, such as credit card number, expiration date, CVV, pin, and social security number or tax ID.

Phishing page asking for credit card information.

Then, all personal information is requested, including full name, date of birth, phone number, carrier pin, and address.

Phishing requesting victim’s personal information.

The Huntington phishing page goes even further and requests a picture (front and back) of the victim’s ID or driver license to continue.

Phishing requesting a picture of the victim’s ID.

And finally, the phishing page redirects the user to the legitimate Huntington website after stealing all the information described above.

Phishing page redirecting the victim to Huntington’s legitimate website.

Truist

Truist Financial was also targeted, and the phishing page works exactly as the America First phishing page. It attempts to steal the Truist login and password, the victim’s personal information, credit card data, and also the victim’s email and password.

Truist phishing page hosted on DigitalOcean.

IONOS Webmail

IONOS webmail is the only phishing page in the set Netskope Threat Labs is tracking on DigitalOcean that is targeting email compromise exclusively without also targeting credentials for any financial institutions.

IONOS webmail phishing page hosted on DigitalOcean.

Conclusions

Tech support scams and phishing are a persistent problem, with attackers constantly looking for new ways to target their victims. This latest set of tech support scams and phishing pages are noteworthy because of the focused abuse of DigitalOcean and the success in reaching their victims, resulting in a 17-fold increase in blocking malicious content hosted on DigitalOcean in the Netskope platform. Netskope Threat Labs has been reporting the URLs to the targeted institutions and to DigitalOcean as they are discovered. Although DigitalOcean is promptly taking down the sites, attackers have been responding by continuing to create new ones. Netskope Threat Labs will continue to track and respond to this set of campaigns as they continue and evolve.

Recommendations

The scams and phishing pages described in the post are easily recognisable by the URL, as the attacker has made little effort to disguise the URL. Users can easily avoid becoming victims of the types of attacks described in this post by simply checking the URL and making sure it is the legitimate website. Users should access important pages like their banking portal or webmail by  typing the URL directly in the web browser instead of using search engines or any other links, as the results could be manipulated by SEO techniques or malicious ads. We strongly recommend immediately closing web pages that say your computer is infected and also never calling the number on the screen.

Therefore, Netskope Threat Labs recommends that organizations review their security policies to ensure that they are adequately protected against these and similar phishing pages and scams::

  • Inspect all HTTP and HTTPs traffic, including all web and cloud traffic, to prevent users from visiting malicious websites. Netskope customers can configure their Netskope NG-SWG with a URL filtering policy to block known phishing and scam sites, and a threat protection policy to inspect all web content to identify unknown phishing and scam sites using a combination of signatures, threat intelligence, and machine learning.
  • Use  Remote Browser Isolation (RBI) technology to provide additional protection when there is a need to visit websites that fall in categories that can present higher risk, like Newly Observed and Newly Registered Domains.

Protection

Netskope Threat Labs is actively monitoring this campaign and has ensured coverage for all known threat indicators and payloads. 

  • Netskope Threat Protection
    • Document-HTML.Trojan.TechScam
    • Document-HTML.Trojan.Cryxos
  • Netskope Advanced Threat Protection provides proactive coverage against this threat.
    • Gen.Malware.Detect.By.StHeur indicates a sample that was detected using static analysis
    • Gen.Malware.Detect.By.Sandbox indicates a sample that was detected by our cloud sandbox

IOCs

Below are the IOCs related to the web pages analyzed in this blog post.

Domains

au-eacj4.ondigitalocean[.]app

clownfish-app-2-acvrg.ondigitalocean[.]app

clownfish-app-3gui7.ondigitalocean[.]app

coral-app-66eu3.ondigitalocean[.]app

coral-app-lql2j.ondigitalocean[.]app

coral-app-oheld.ondigitalocean[.]app

coral-app-yn7we.ondigitalocean[.]app

dolphin-app-cin9g.ondigitalocean[.]app

dolphin-app-gf3v9.ondigitalocean[.]app

dolphin-app-i9rjs.ondigitalocean[.]app

fwd-t7top.ondigitalocean[.]app

goldfish-app-8fmrx.ondigitalocean[.]app

goldfish-app-ede6s.ondigitalocean[.]app

goldfish-app-gmvba.ondigitalocean[.]app

goldfish-app-narvj.ondigitalocean[.]app

goldfish-app-xbbof.ondigitalocean[.]app

hammerhead-app-3icpw.ondigitalocean[.]app

hammerhead-app-6ajmd.ondigitalocean[.]app

hammerhead-app-6xlbp.ondigitalocean[.]app

hammerhead-app-juwp9.ondigitalocean[.]app

hammerhead-app-yqhlx.ondigitalocean[.]app

hunt445352464-y7bly.ondigitalocean[.]app

jellyfish-app-xotim.ondigitalocean[.]app

king-prawn-app-4fyti.ondigitalocean[.]app

king-prawn-app-8hzfo.ondigitalocean[.]app

king-prawn-app-bk8g5.ondigitalocean[.]app

king-prawn-app-s6uog.ondigitalocean[.]app

lionfish-app-9rfsh.ondigitalocean[.]app

lionfish-app-j9fnn.ondigitalocean[.]app

lionfish-app-sek9a.ondigitalocean[.]app

lionfish-app-uasdm.ondigitalocean[.]app

lobster-app-frzqt.ondigitalocean[.]app

lobster-app-or6ca.ondigitalocean[.]app

lobster-app-rcoyt.ondigitalocean[.]app

lobster-app-xkaxb.ondigitalocean[.]app

monkfish-app-29akh.ondigitalocean[.]app

monkfish-app-4e22q.ondigitalocean[.]app

monkfish-app-fkiac.ondigitalocean[.]app

monkfish-app-qjdhk.ondigitalocean[.]app

octopus-app-jxl9c.ondigitalocean[.]app

octopus-app-sl7mc.ondigitalocean[.]app

octopus-app-zvm5e.ondigitalocean[.]app

orca-app-2-3tyvd.ondigitalocean[.]app

orca-app-bxy2l.ondigitalocean[.]app

orca-app-ic4os.ondigitalocean[.]app

orca-app-njlq2.ondigitalocean[.]app

orca-app-nkxdn.ondigitalocean[.]app

oyster-app-2333f.ondigitalocean[.]app

oyster-app-865s6.ondigitalocean[.]app

oyster-app-8kk5m.ondigitalocean[.]app

oyster-app-ca5fh.ondigitalocean[.]app

oyster-app-fubtw.ondigitalocean[.]app

plankton-app-gshpo.ondigitalocean[.]app

sea-lion-app-2-pgi8v.ondigitalocean[.]app

sea-lion-app-9rbus.ondigitalocean[.]app

sea-lion-app-hvqyk.ondigitalocean[.]app

sea-lion-app-nwjq8.ondigitalocean[.]app

sea-lion-app-r4jk3.ondigitalocean[.]app

sea-lion-app-s68eg.ondigitalocean[.]app

sea-turtle-app-ohd6t.ondigitalocean[.]app

sea-turtle-app-w39rq.ondigitalocean[.]app

sea-turtle-app-wswat.ondigitalocean[.]app

sea-turtle-app-x2lyb.ondigitalocean[.]app

sea-turtle-app-z52sr.ondigitalocean[.]app

seahorse-app-7kqqk.ondigitalocean[.]app

seahorse-app-eutff.ondigitalocean[.]app

seahorse-app-gpmks.ondigitalocean[.]app

seahorse-app-yjvts.ondigitalocean[.]app

seal-app-3j9yh.ondigitalocean[.]app

seal-app-69ujp.ondigitalocean[.]app

seal-app-x97ny.ondigitalocean[.]app

seashell-app-fpxh9.ondigitalocean[.]app

seashell-app-ja7sl.ondigitalocean[.]app

seashell-app-xzpy9.ondigitalocean[.]app

shark-app-2ty5w.ondigitalocean[.]app

shark-app-qgt9i.ondigitalocean[.]app

squid-app-apvo6.ondigitalocean[.]app

squid-app-yd9gw.ondigitalocean[.]app

starfish-app-3otoz.ondigitalocean[.]app

starfish-app-9gbhh.ondigitalocean[.]app

starfish-app-cwjye.ondigitalocean[.]app

starfish-app-f94j3.ondigitalocean[.]app

starfish-app-gwo9e.ondigitalocean[.]app

starfish-app-jw7ri.ondigitalocean[.]app

starfish-app-l97z5.ondigitalocean[.]app

stingray-app-96edb.ondigitalocean[.]app

stingray-app-do3v9.ondigitalocean[.]app

stingray-app-se98o.ondigitalocean[.]app

urchin-app-5qitv.ondigitalocean[.]app

urchin-app-lq7wk.ondigitalocean[.]app

urchin-app-sgozg.ondigitalocean[.]app

v1and1-ionos-info-2hyeo.ondigitalocean[.]app

walrus-app-npj6k.ondigitalocean[.]app

walrus-app-tcdda.ondigitalocean[.]app

whale-app-298wp.ondigitalocean[.]app

whale-app-56tpr.ondigitalocean[.]app

whale-app-mqejr.ondigitalocean[.]app

whale-app-usrbm.ondigitalocean[.]app

Phone Numbers Observed in the Tech Scam Pages

+1-844-676-9966

+1-855-341-6126

+1-855-341-7111

+1-855-450-7009

+1-855-598-1009

+1-855-673-8111

+1-855-676-9050

author image
Gustavo Palazolo
Gustavo Palazolo is an expert in malware analysis, reverse engineering and security research, working many years in projects related to electronic fraud protection. He is currently working on the Netskope Research Team, discovering and analyzing new malware threats.
author image
Jan Michael Alcantara
Jan Michael Alcantara is an experienced incident responder with a background on forensics, threat hunting, and incident analysis.

Stay informed!

Subscribe for the latest from the Netskope Blog