Summary
Netskope Threat Labs is tracking a 17x increase in traffic to malicious web pages hosted on DigitalOcean in the last six months. This increase is attributed to new campaigns of a known tech support scam that mimics Windows Defender and tries to deceive users into believing that their computer is infected. The end goal of this scam is to lure victims into calling a fake “help line”, where attackers may attempt to remotely access the victim’s computer to either install malware or request payment for a service to fix the bogus infection.
In addition to the tech support scam, there has also been an increase in phishing pages hosted on DigitalOcean, targeting customers of the financial institutions America First Credit Union, Huntington, and Truist, and one phishing page targeting IONOS Webmail users.
The attacks have been targeting victims mainly in North America and Europe across different segments, led by the technology, financial services, and manufacturing sectors.
Attackers are creating free-tier DigitalOcean apps to host the scam and phishing pages. Abusing free cloud services, especially services that provide free web hosting or free object hosting, is a common technique used by attackers to host malicious content. This blog post provides a summary of what these scams and phishing pages look like, along with recommendations and threat intel you can use to protect yourself and your organization.
Tech Support Scam
How it Works
This scam works by mimicking Windows Defender alerts, luring victims into believing that their computer is infected with malware. The goal of this attack is to convince the victim to call the scammer’s phone number. Attackers may attempt to remotely access the victim’s computer to either install malware or request payment for a service to fix the bogus infection. Attackers typically use malvertising to redirect victims to these scam pages.
Once the victim interacts with the webpage, the web browser’s window is maximized and an audio starts playing with the following message:
“Important security message.
Your computer has been locked up.
Your IP address was used without your knowledge or consent to visit websites that contain identity theft virus.
To unlock the computer, please call support immediately.
Please, do not attempt to shutdown or restart your computer. Doing that may lead to data loss and identity theft.
The computer lock is aimed to stop illegal activity.
Please, call our support immediately.”
These are all attempts to scare victims and force them to call the attacker’s phone number. The campaigns Netskope Threat Labs has identified all use different “themes”, but rely on the same technique. For example, below is an example that shows a fake Windows desktop in the background and a fake webchat, which eventually displays a message saying that there’s an error and asks the victim to contact the phone number instead of the chat.
We also found pages in different languages such as Japanese, showing that this is a multilingual campaign.
How is it spread across DigitalOcean?
DigitalOcean allows users to host up to t