SASE Week 2023 On-Demand! Explore sessions.

A plataforma do futuro é a Netskope

Intelligent Security Service Edge (SSE), Cloud Access Security Broker (CASB), Cloud Firewall, Next Generation Secure Web Gateway (SWG) e Private Access for ZTNA integrados nativamente em uma única solução para ajudar todas as empresas em sua jornada para o Secure Access Service Arquitetura de borda (SASE).

Vá para a plataforma
Vídeo da Netskope
Borderless SD-WAN: Desbravando na Nova Era da Empresa Sem Fronteiras

Netskope Borderless SD-WAN oferece uma arquitetura que converge princípios de confiança zero e desempenho de aplicativo garantido para fornecer conectividade segura e de alto desempenho sem precedentes para cada site, nuvem, usuário remoto e dispositivo IoT.

Leia o artigo
Borderless SD-WAN
Adote uma arquitetura Secure Access Service Edge (SASE)

O Netskope NewEdge é a maior nuvem privada de segurança de alto desempenho do mundo e oferece aos clientes cobertura de serviço, desempenho e resiliência inigualáveis.

Conheça a NewEdge
NewEdge
Sua Rede do Amanhã

Planeje seu caminho rumo a uma rede mais rápida, segura e resiliente projetada para os aplicativos e usuários aos quais você oferece suporte.

Receba o whitepaper
Sua Rede do Amanhã
Netskope Cloud Exchange

O Cloud Exchange (CE) da Netskope oferece aos clientes ferramentas de integração poderosas para tirar proveito dos investimentos em estratégias de segurança.

Saiba mais sobre o Cloud Exchange
Vídeo da Netskope
Mude para serviços de segurança na nuvem líderes de mercado com latência mínima e alta confiabilidade.

Conheça a NewEdge
Lighted highway through mountainside switchbacks
Permita com segurança o uso de aplicativos generativos de IA com controle de acesso a aplicativos, treinamento de usuários em tempo real e a melhor proteção de dados da categoria.

Saiba como protegemos o uso de IA generativa
Ative com segurança o ChatGPT e a IA generativa
Soluções de zero trust para a implementação de SSE e SASE

Conheça o Zero Trust
Boat driving through open sea
A Netskope permite uma jornada segura, inteligente e rápida para a adoção de serviços em nuvem, aplicações e infraestrutura de nuvem pública.

Conheça as Soluções para o Setor
Wind turbines along cliffside
  • Recursos

    Saiba mais sobre como a Netskope pode ajudá-lo a proteger sua jornada para a nuvem.

  • Blog

    Saiba como a Netskope viabiliza a segurança e a transformação de redes através do security service edge (SSE).

  • Eventos e workshops

    Esteja atualizado sobre as últimas tendências de segurança e conecte-se com seus pares.

  • Security Defined

    Tudo o que você precisa saber em nossa enciclopédia de segurança cibernética.

Podcast Security Visionaries

Unveiling the Under-reported Aspects of AI
Emily Wearmouth sits down with Neil Thacker, EMEA CISO, Yihua Liao, Head of Netskope AI Labs, and Suzanne Oliver, Director of IP Strategy at Scintilla, to discuss the topics in the realm of AI that they each wish people were discussing more.

Reproduzir o podcast
Unveiling the Under-reported Aspects of AI Social card
Últimos blogs

Como a Netskope pode habilitar a jornada Zero Trust e SASE por meio dos recursos de borda de serviço de segurança (SSE).

Leia o Blog
Sunrise and cloudy sky
SASE Week 2023: Your SASE journey starts now!

Replay sessions from the fourth annual SASE Week.

Explorar sessões
SASE Week 2023
O que é o Security Service Edge?

Explore o lado de segurança de SASE, o futuro da rede e proteção na nuvem.

Saiba mais sobre o Security Service Edge
Four-way roundabout
  • Nossos clientes

    Netskope atende a mais de 2.000 clientes em todo o mundo, incluindo mais de 25 dos 100 da Fortune.

  • Customer Solutions

    Estamos aqui junto com você a cada passo da sua trajetória, assegurando seu sucesso com a Netskope.

  • Netskope Community

    Aprenda com outros profissionais de rede, dados e segurança.

  • Treinamento e certificação

    Os treinamentos da Netskope vão ajudar você a ser um especialista em segurança na nuvem.

Ajudamos nossos clientes a estarem prontos para tudo

Ver nossos clientes
Woman smiling with glasses looking out window
A talentosa e experiente equipe de Serviços Profissionais da Netskope fornece uma abordagem prescritiva para sua implementação bem sucedida.

Conheça os Serviços Profissionais
Netskope Professional Services
A Comunidade Netskope pode ajudar você e sua equipe a obter mais valor de produtos e práticas.

Acesse a Comunidade Netskope
A Comunidade Netskope
Proteja sua jornada de transformação digital e aproveite ao máximo seus aplicativos de nuvem, web e privados com o treinamento da Netskope.

Saiba mais sobre Treinamentos e Certificações
Group of young professionals working
  • Empresa

    Ajudamos você a antecipar os desafios da nuvem, dos dados e da segurança da rede.

  • Por que Netskope

    A transformação da nuvem e o trabalho em qualquer lugar mudaram a forma como a segurança precisa funcionar.

  • Liderança

    Nossa equipe de liderança está fortemente comprometida em fazer tudo o que for preciso para tornar nossos clientes bem-sucedidos.

  • Parceiros

    Fazemos parceria com líderes de segurança para ajudá-lo a proteger sua jornada para a nuvem.

Apoiando a sustentabilidade por meio da segurança de dados

A Netskope tem o orgulho de participar da Visão 2045: uma iniciativa destinada a aumentar a conscientização sobre o papel da indústria privada na sustentabilidade.

Saiba mais
Apoiando a sustentabilidade por meio da segurança de dados
O mais alto nível de Execução. A Visão mais avançada.

A Netskope foi reconhecida como Líder no Magic Quadrant™ do Gartner® de 2023 para SSE.

Obtenha o Relatório
A Netskope foi reconhecida como Líder no Magic Quadrant™ do Gartner® de 2023 para SSE.
Pensadores, construtores, sonhadores, inovadores. Juntos, fornecemos soluções de segurança na nuvem de última geração para ajudar nossos clientes a proteger seus dados e seu pessoal.

Conheça nossa equipe
Group of hikers scaling a snowy mountain
A estratégia de comercialização da Netskope, focada em Parcerias, permite que nossos Parceiros maximizem seu crescimento e lucratividade enquanto transformam a segurança corporativa.

Saiba mais sobre os parceiros da Netskope
Group of diverse young professionals smiling

Attackers Increasingly Abusing DigitalOcean to Host Scams and Phishing

Mar 09 2023

Sumário

Netskope Threat Labs is tracking a 17x increase in traffic to malicious web pages hosted on DigitalOcean in the last six months. This increase is attributed to new campaigns of a known tech support scam that mimics Windows Defender and tries to deceive users into believing that their computer is infected. The end goal of this scam is to lure victims into calling a fake “help line”, where attackers may attempt to remotely access the victim’s computer to either install malware or request payment for a service to fix the bogus infection.

In addition to the tech support scam, there has also been an increase in phishing pages hosted on DigitalOcean, targeting customers of the financial institutions America First Credit Union, Huntington, and Truist, and one phishing page targeting IONOS Webmail users.

The attacks have been targeting victims mainly in North America and Europe across different segments, led by the technology, financial services, and manufacturing sectors.

Presence of DigitalOcean Abuse by Sector

Attackers are creating free-tier DigitalOcean apps to host the scam and phishing pages. Abusing free cloud services, especially services that provide free web hosting or free object hosting, is a common technique used by attackers to host malicious content. This blog post provides a summary of what these scams and phishing pages look like, along with recommendations and threat intel you can use to protect yourself and your organization.  

Tech Support Scam

How it Works

This scam works by mimicking Windows Defender alerts, luring victims into believing that their computer is infected with malware. The goal of this attack is to convince the victim to call the scammer’s phone number. Attackers may attempt to remotely access the victim’s computer to either install malware or request payment for a service to fix the bogus infection. Attackers typically use malvertising to redirect victims to these scam pages.

Tech scam attack, using a fake number as an example.

Once the victim interacts with the webpage, the web browser’s window is maximized and an audio starts playing with the following message:

“Important security message.

Your computer has been locked up.

Your IP address was used without your knowledge or consent to visit websites that contain identity theft virus.

To unlock the computer, please call support immediately.

Please, do not attempt to shutdown or restart your computer. Doing that may lead to data loss and identity theft.

The computer lock is aimed to stop illegal activity.

Please, call our support immediately.”

These are all attempts to scare victims and force them to call the attacker’s phone number. The campaigns Netskope Threat Labs has identified all use  different “themes”, but rely on the same technique. For example, below is an example that shows a fake Windows desktop in the background and a fake webchat, which eventually displays a message saying that there’s an error and asks the victim to contact the phone number instead of the chat.

Another example of the same tech scam.

We also found pages in different languages such as Japanese, showing that this is a multilingual campaign.

Same tech support scam in Japanese.

How is it spread across DigitalOcean?

DigitalOcean allows users to host up to three static websites for free. Since the phone number displayed on the tech scam page is dynamic and can be changed via the “phone” parameter in the URL, attackers can use different phone numbers in the same DigitalOcean instance, without changing anything in the HTML or the scripts. This also means that attackers can create multiple DigitalOcean instances and replicate the same HTML and script files, as these do not require any changes.

In the example below, we used fake numbers to illustrate how this works.

Example of how attackers can use different phone numbers through the same HTML and different DigitalOcean instances.

This can also be confirmed by checking VirusTotal. For example, one of the pages we analyzed is related to 87 different domains from DigitalOcean.

DigitalOcean domains related to one of the tech support scam pages.

Although Netskope Threat Labs has been tracking attackers abusing DigitalOcean in these campaigns, there are also recent reports of similar scams where attackers are abusing Microsoft Azure to host the pages.

Phishing Pages

Netskope Threat Labs is also tracking an increase in phishing activity hosted on DigitalOcean, focused primarily on stealing sensitive financial data, like credit card and debit card numbers.

America First Credit Union

One of the targets is America First Credit Union, where attackers created a very similar phishing page compared to the original website. Although the page looks very similar, one can easily distinguish between the original website by checking the URL.

Phishing page hosted on DigitalOcean vs. the original website.

Once the victim adds the login information, the attackers attempt to steal more personal information like the victim’s full name, date of birth, social security number, carrier pin, and the address.

Phishing page asking for more information.

After entering all the data above, the page then asks for the victim’s debit card number, expiration date, CVV, and the card pin.

Phishing page asking for credit card information.

Then, the phishing page attempts to steal the victim’s email address and password. This is done by simulating a third-party login after inserting the email address in the phishing page. Attackers try to take over the victim’s email in order to gain control over the account’s MFA, if enabled. The access to the victim’s email also allows attackers to attempt to reset passwords and gain access to other accounts that are linked to the same email address.

As an extra attempt to deceive the victim, the phishing page tries to simulate the login page according to the email address provided by the user. For example, if a Gmail account is detected, the phishing page simulates Google’s login page.

Phishing page trying to steal the victim’s email address and password.

The same thing happens if a Microsoft email is detected.

Phishing page simulating Microsoft’s email login.

If the email provided by the victim is not from a known service, the phishing page uses the same layout as the one used for Gmail, but without Google’s logo.

Using an unknown email service to demonstrate how the phishing page behaves.

And lastly, the victim is redirected to the legitimate website.

Original America First Credit Union website.

Huntington National Bank

The second target is Huntington National Bank, where the attack flow is similar to the America First’s phishing page.

Huntington phishing page hosted on DigitalOcean.

After stealing the username and password, the phishing page asks for the one time pin sent to the victim, as an attempt to bypass the multi-factor authentication.

Phishing page asking the one time pin sent to the victim.

Then, the phishing tries to steal the victim’s email address and password, using the same technique as the America First phishing.

Phishing page trying to steal victim’s email address and password.

The phishing campaign then attempts to steal information, such as credit card number, expiration date, CVV, pin, and social security number or tax ID.

Phishing page asking for credit card information.

Then, all personal information is requested, including full name, date of birth, phone number, carrier pin, and address.

Phishing requesting victim’s personal information.

The Huntington phishing page goes even further and requests a picture (front and back) of the victim’s ID or driver license to continue.

Phishing requesting a picture of the victim’s ID.

And finally, the phishing page redirects the user to the legitimate Huntington website after stealing all the information described above.

Phishing page redirecting the victim to Huntington’s legitimate website.

Truist

Truist Financial was also targeted, and the phishing page works exactly as the America First phishing page. It attempts to steal the Truist login and password, the victim’s personal information, credit card data, and also the victim’s email and password.

Truist phishing page hosted on DigitalOcean.

IONOS Webmail

IONOS webmail is the only phishing page in the set Netskope Threat Labs is tracking on DigitalOcean that is targeting email compromise exclusively without also targeting credentials for any financial institutions.

IONOS webmail phishing page hosted on DigitalOcean.

Conclusões

Tech support scams and phishing are a persistent problem, with attackers constantly looking for new ways to target their victims. This latest set of tech support scams and phishing pages are noteworthy because of the focused abuse of DigitalOcean and the success in reaching their victims, resulting in a 17-fold increase in blocking malicious content hosted on DigitalOcean in the Netskope platform. Netskope Threat Labs has been reporting the URLs to the targeted institutions and to DigitalOcean as they are discovered. Although DigitalOcean is promptly taking down the sites, attackers have been responding by continuing to create new ones. Netskope Threat Labs will continue to track and respond to this set of campaigns as they continue and evolve.

Recomendações

The scams and phishing pages described in the post are easily recognisable by the URL, as the attacker has made little effort to disguise the URL. Users can easily avoid becoming victims of the types of attacks described in this post by simply checking the URL and making sure it is the legitimate website. Users should access important pages like their banking portal or webmail by  typing the URL directly in the web browser instead of using search engines or any other links, as the results could be manipulated by SEO techniques or malicious ads. We strongly recommend immediately closing web pages that say your computer is infected and also never calling the number on the screen.

Therefore, Netskope Threat Labs recommends that organizations review their security policies to ensure that they are adequately protected against these and similar phishing pages and scams::

  • Inspect all HTTP and HTTPs traffic, including all web and cloud traffic, to prevent users from visiting malicious websites. Netskope customers can configure their Netskope NG-SWG with a URL filtering policy to block known phishing and scam sites, and a threat protection policy to inspect all web content to identify unknown phishing and scam sites using a combination of signatures, threat intelligence, and machine learning.
  • Use  Remote Browser Isolation (RBI) technology to provide additional protection when there is a need to visit websites that fall in categories that can present higher risk, like Newly Observed and Newly Registered Domains.

Proteção

O Netskope Threat Labs está monitorando ativamente esta campanha e garantiu cobertura para todos os indicadores de ameaças e cargas conhecidas. 

  • Proteção Contra Ameaças Netskope
    • Document-HTML.Trojan.TechScam
    • Document-HTML.Trojan.Cryxos
  • A Netskope Advanced Protection oferece cobertura proativa contra essa ameaça.
    • Gen.Malware.Detect.By.StHeur indica uma amostra que foi detectada usando análise estática
    • Gen.Malware.Detect.By.Sandbox indica uma amostra que foi detectada por nosso sandbox na nuvem

IOCs

Below are the IOCs related to the web pages analyzed in this blog post.

Domains

au-eacj4.ondigitalocean[.]app

clownfish-app-2-acvrg.ondigitalocean[.]app

clownfish-app-3gui7.ondigitalocean[.]app

coral-app-66eu3.ondigitalocean[.]app

coral-app-lql2j.ondigitalocean[.]app

coral-app-oheld.ondigitalocean[.]app

coral-app-yn7we.ondigitalocean[.]app

dolphin-app-cin9g.ondigitalocean[.]app

dolphin-app-gf3v9.ondigitalocean[.]app

dolphin-app-i9rjs.ondigitalocean[.]app

fwd-t7top.ondigitalocean[.]app

goldfish-app-8fmrx.ondigitalocean[.]app

goldfish-app-ede6s.ondigitalocean[.]app

goldfish-app-gmvba.ondigitalocean[.]app

goldfish-app-narvj.ondigitalocean[.]app

goldfish-app-xbbof.ondigitalocean[.]app

hammerhead-app-3icpw.ondigitalocean[.]app

hammerhead-app-6ajmd.ondigitalocean[.]app

hammerhead-app-6xlbp.ondigitalocean[.]app

hammerhead-app-juwp9.ondigitalocean[.]app

hammerhead-app-yqhlx.ondigitalocean[.]app

hunt445352464-y7bly.ondigitalocean[.]app

jellyfish-app-xotim.ondigitalocean[.]app

king-prawn-app-4fyti.ondigitalocean[.]app

king-prawn-app-8hzfo.ondigitalocean[.]app

king-prawn-app-bk8g5.ondigitalocean[.]app

king-prawn-app-s6uog.ondigitalocean[.]app

lionfish-app-9rfsh.ondigitalocean[.]app

lionfish-app-j9fnn.ondigitalocean[.]app

lionfish-app-sek9a.ondigitalocean[.]app

lionfish-app-uasdm.ondigitalocean[.]app

lobster-app-frzqt.ondigitalocean[.]app

lobster-app-or6ca.ondigitalocean[.]app

lobster-app-rcoyt.ondigitalocean[.]app

lobster-app-xkaxb.ondigitalocean[.]app

monkfish-app-29akh.ondigitalocean[.]app

monkfish-app-4e22q.ondigitalocean[.]app

monkfish-app-fkiac.ondigitalocean[.]app

monkfish-app-qjdhk.ondigitalocean[.]app

octopus-app-jxl9c.ondigitalocean[.]app

octopus-app-sl7mc.ondigitalocean[.]app

octopus-app-zvm5e.ondigitalocean[.]app

orca-app-2-3tyvd.ondigitalocean[.]app

orca-app-bxy2l.ondigitalocean[.]app

orca-app-ic4os.ondigitalocean[.]app

orca-app-njlq2.ondigitalocean[.]app

orca-app-nkxdn.ondigitalocean[.]app

oyster-app-2333f.ondigitalocean[.]app

oyster-app-865s6.ondigitalocean[.]app

oyster-app-8kk5m.ondigitalocean[.]app

oyster-app-ca5fh.ondigitalocean[.]app

oyster-app-fubtw.ondigitalocean[.]app

plankton-app-gshpo.ondigitalocean[.]app

sea-lion-app-2-pgi8v.ondigitalocean[.]app

sea-lion-app-9rbus.ondigitalocean[.]app

sea-lion-app-hvqyk.ondigitalocean[.]app

sea-lion-app-nwjq8.ondigitalocean[.]app

sea-lion-app-r4jk3.ondigitalocean[.]app

sea-lion-app-s68eg.ondigitalocean[.]app

sea-turtle-app-ohd6t.ondigitalocean[.]app

sea-turtle-app-w39rq.ondigitalocean[.]app

sea-turtle-app-wswat.ondigitalocean[.]app

sea-turtle-app-x2lyb.ondigitalocean[.]app

sea-turtle-app-z52sr.ondigitalocean[.]app

seahorse-app-7kqqk.ondigitalocean[.]app

seahorse-app-eutff.ondigitalocean[.]app

seahorse-app-gpmks.ondigitalocean[.]app

seahorse-app-yjvts.ondigitalocean[.]app

seal-app-3j9yh.ondigitalocean[.]app

seal-app-69ujp.ondigitalocean[.]app

seal-app-x97ny.ondigitalocean[.]app

seashell-app-fpxh9.ondigitalocean[.]app

seashell-app-ja7sl.ondigitalocean[.]app

seashell-app-xzpy9.ondigitalocean[.]app

shark-app-2ty5w.ondigitalocean[.]app

shark-app-qgt9i.ondigitalocean[.]app

squid-app-apvo6.ondigitalocean[.]app

squid-app-yd9gw.ondigitalocean[.]app

starfish-app-3otoz.ondigitalocean[.]app

starfish-app-9gbhh.ondigitalocean[.]app

starfish-app-cwjye.ondigitalocean[.]app

starfish-app-f94j3.ondigitalocean[.]app

starfish-app-gwo9e.ondigitalocean[.]app

starfish-app-jw7ri.ondigitalocean[.]app

starfish-app-l97z5.ondigitalocean[.]app

stingray-app-96edb.ondigitalocean[.]app

stingray-app-do3v9.ondigitalocean[.]app

stingray-app-se98o.ondigitalocean[.]app

urchin-app-5qitv.ondigitalocean[.]app

urchin-app-lq7wk.ondigitalocean[.]app

urchin-app-sgozg.ondigitalocean[.]app

v1and1-ionos-info-2hyeo.ondigitalocean[.]app

walrus-app-npj6k.ondigitalocean[.]app

walrus-app-tcdda.ondigitalocean[.]app

whale-app-298wp.ondigitalocean[.]app

whale-app-56tpr.ondigitalocean[.]app

whale-app-mqejr.ondigitalocean[.]app

whale-app-usrbm.ondigitalocean[.]app

Phone Numbers Observed in the Tech Scam Pages

+1-844-676-9966

+1-855-341-6126

+1-855-341-7111

+1-855-450-7009

+1-855-598-1009

+1-855-673-8111

+1-855-676-9050

author image
Gustavo Palazolo
Gustavo Palazolo é especialista em análise de malware, engenharia reversa e pesquisa de segurança, atuando há muitos anos em projetos relacionados à proteção contra fraudes eletrônicas. Atualmente, ele está trabalhando na Equipe de Pesquisa da Netskope, descobrindo e analisando novas ameaças de malware.
author image
Jan Michael Alcantara
Jan Michael Alcantara is an experienced incident responder with a background on forensics, threat hunting, and incident analysis.

Stay informed!

Subscribe for the latest from the Netskope Blog