In our previous blog, we found a lot of phishing and scam URLs abusing Cloudflare services using pages.dev and workers.dev domains, respectively. We’re now seeing a lot of phishing emails with URLs abusing another Cloudflare service which is r2.dev.
Cloudflare R2 is a relatively new cloud storage service that allows developers to store large amounts of unstructured data without the costly egress bandwidth fees associated with typical cloud storage services.
Like in AWS S3 or other cloud storage services, Cloudflare R2 also offers public buckets which is a feature that allows users to expose the contents of their R2 buckets directly to the Internet. By default, buckets are never publicly accessible and will always require explicit user permission to enable them.
These public buckets are now being abused in a variety of phishing attacks and now widely seen in URLs used in phishing emails. The common URL structure is https://pub-{32 Hexadecimal String}.r2.dev/.
For the past 60 days, we saw more than 2,000 phishing emails containing phishing URL links abusing r2.dev service. The subjects of the phishing emails contain alarming or common keywords like statement paid, upgrade mail, purchase order, etc.
This phishing email sample mimics the Adobe Acrobat based on the From header where the email address didn’t come from a legitimate Adobe Acrobat and seems to be auto-generated. It also uses ‘Statement Paid’ in the subject to lure the victim into checking the email:
Figure 1. The email header of the phishing email imitating Adobe Acrobat
Figure 1.2. The phishing email showing an approved payment
The clickable link hxxps://pub-5e34bcda437b499399d6abc116886480[.]r2[.]dev/indexR[.]html in the phishing email leads to a phishing site that imitates Adobe:
Figure 2. Screenshot of the fake Adobe site
Looking deeper into the source-code of the phishing URL, we can see that the credentials of the victim will be posted to another phishing URL using an Ajax code format:
Another phishing email sample we found contains the subject keywords ‘purchase order’ and an image attachment of a fake purchase order:
Figure 3.1. The email with PNG attachment of the fake purchase order
The actual PNG file attached in the phishing email has a small file size only which makes it hard to zoom in and the list of purchased items is not clear.
There’s also a phishing URL using the r2.dev domain hxxps://pub-3f02c99abcf44a4b92babb3b3c5356d6[.]r2[.]dev/index[.]html?xxx@xxxxxxx.xxx that leads to a fake Microsoft Excel spreadsheet log-in page.
Figure 4. The phishing site of Microsoft Excel
The source-code of this phishing URL uses an atob method for the base64 encoding of the redirection to the URL where the stolen credentials will be posted.
Decoding the base64 string leads to a phishing URL abusing the SharePoint site hxxps://regionalmanagers-my[.]sharepoint[.]com/:b:/p/ivan/EVhCMbG-roNHisHIx3fXqXkBATy7wZKPXYQsdKYIS5rgWA?e=1XABKN/ which contains the name of the possible owner of the SharePoint account.
For the past 60 days, we also observed more than 25,000 phishing r2.dev URLs in our VirusTotal telemetry and these URLs, many of which have multiple vendor detections based on the count under the positives column.
Figure 5. Screenshot of the Cloudflare R2 URLs seen in VirusTotal for the last 60 days
Nowadays, cloud storage services are widely used especially for file backups or maintaining a huge database. However, different cloud services are also being abused and we need to be very careful with r2.dev links seen in emails, specifically the public buckets where the URL domains start with https://pub- and ends with r2.dev as they are being used in phishing attacks. Being alert and staying updated with security news are the best way to avoid being a victim of phishing attacks and not get caught up with a bucket of phish.
Trustwave MailMarshal has protections for these phishing email campaigns, and via click-time scanning of the URLs.
hxxps://pub-5e34bcda437b499399d6abc116886480[.]r2[.]dev/indexR[.]html |
hxxps://samtravelsandtours[.]com/wp-content/uploads/elementor/css/app[.]php |
hxxps://pub-3f02c99abcf44a4b92babb3b3c5356d6[.]r2[.]dev/index[.]html?xxx@xxxxxxx.xxx |
hxxps://regionalmanagers-my[.]sharepoint[.]com/:b:/p/ivan/EVhCMbG-roNHisHIx3fXqXkBATy7wZKPXYQsdKYIS5rgWA?e=1XABKN/ |
hxxps://1-d0asfasfjhasfa7979352jhasf[.]pages[.]dev/ |
hxxps://pub-632c9814b1e848d1a7a36091da6c2082[.]r2[.]dev/index[.]html |
hxxps://pub-87c999dfbd87410f8077dc99997234be[.]r2[.]dev/fiv[.]html |
https://developers.cloudflare.com/r2/
https://developers.cloudflare.com/r2/buckets/public-buckets/