Quantifizieren Sie den Wert von Netskope One SSE – Holen Sie sich die Forrester Total Economic Impact-Studie™ 2024

Schließen
Schließen
  • Warum Netskope? Chevron

    Verändern Sie die Art und Weise, wie Netzwerke und Sicherheit zusammenarbeiten.

  • Unsere Kunden Chevron

    Netskope betreut weltweit mehr als 3.400 Kunden, darunter mehr als 30 der Fortune 100

  • Unsere Partner Chevron

    Unsere Partnerschaften helfen Ihnen, Ihren Weg in die Cloud zu sichern.

Ein führendes Unternehmen im Bereich SSE. Jetzt ein führender Anbieter von SASE.

Erfahren Sie, warum Netskope im Gartner® Magic Quadrant™️ 2024 für Single-Vendor Secure Access Service Edge als Leader debütiert

Report abrufen
Customer Visionary Spotlights

Lesen Sie, wie innovative Kunden mithilfe der Netskope One-Plattform erfolgreich durch die sich verändernde Netzwerk- und Sicherheitslandschaft von heute navigieren.

Jetzt das E-Book lesen
Customer Visionary Spotlights
Die partnerorientierte Markteinführungsstrategie von Netskope ermöglicht es unseren Partnern, ihr Wachstum und ihre Rentabilität zu maximieren und gleichzeitig die Unternehmenssicherheit an neue Anforderungen anzupassen.

Erfahren Sie mehr über Netskope-Partner
Gruppe junger, lächelnder Berufstätiger mit unterschiedlicher Herkunft
Ihr Netzwerk von morgen

Planen Sie Ihren Weg zu einem schnelleren, sichereren und widerstandsfähigeren Netzwerk, das auf die von Ihnen unterstützten Anwendungen und Benutzer zugeschnitten ist.

Whitepaper lesen
Ihr Netzwerk von morgen
Netskope Cloud Exchange

Cloud Exchange (CE) von Netskope gibt Ihren Kunden leistungsstarke Integrationstools an die Hand, mit denen sie in jeden Aspekt ihres Sicherheitsstatus investieren können.

Erfahren Sie mehr über Cloud Exchange
Luftaufnahme einer Stadt
  • Security Service Edge Chevron

    Schützen Sie sich vor fortgeschrittenen und cloudfähigen Bedrohungen und schützen Sie Daten über alle Vektoren hinweg.

  • SD-WAN Chevron

    Stellen Sie selbstbewusst sicheren, leistungsstarken Zugriff auf jeden Remote-Benutzer, jedes Gerät, jeden Standort und jede Cloud bereit.

  • Secure Access Service Edge Chevron

    Netskope One SASE bietet eine Cloud-native, vollständig konvergente SASE-Lösung eines einzelnen Anbieters.

Die Plattform der Zukunft heißt Netskope

Security Service Edge (SSE), Cloud Access Security Broker (CASB), Cloud Firewall, Next Generation Secure Web Gateway (SWG) und Private Access for ZTNA sind nativ in einer einzigen Lösung integriert, um jedes Unternehmen auf seinem Weg zur Secure Access Service Edge (SASE)-Architektur zu unterstützen.

Netskope Produktübersicht
Netskope-Video
Next Gen SASE Branch ist hybrid – verbunden, sicher und automatisiert

Netskope Next Gen SASE Branch vereint kontextsensitives SASE Fabric, Zero-Trust Hybrid Security und SkopeAI-Powered Cloud Orchestrator in einem einheitlichen Cloud-Angebot und führt so zu einem vollständig modernisierten Branch-Erlebnis für das grenzenlose Unternehmen.

Erfahren Sie mehr über Next Gen SASE Branch
Menschen im Großraumbüro
SASE-Architektur für Dummies

Holen Sie sich Ihr kostenloses Exemplar des einzigen Leitfadens zum SASE-Design, den Sie jemals benötigen werden.

Jetzt das E-Book lesen
SASE-Architektur für Dummies – E-Book
Steigen Sie auf marktführende Cloud-Security Service mit minimaler Latenz und hoher Zuverlässigkeit um.

Mehr über NewEdge erfahren
Beleuchtete Schnellstraße mit Serpentinen durch die Berge
Ermöglichen Sie die sichere Nutzung generativer KI-Anwendungen mit Anwendungszugriffskontrolle, Benutzercoaching in Echtzeit und erstklassigem Datenschutz.

Erfahren Sie, wie wir den Einsatz generativer KI sichern
ChatGPT und Generative AI sicher aktivieren
Zero-Trust-Lösungen für SSE- und SASE-Deployments

Erfahren Sie mehr über Zero Trust
Bootsfahrt auf dem offenen Meer
Netskope erhält die FedRAMP High Authorization

Wählen Sie Netskope GovCloud, um die Transformation Ihrer Agentur zu beschleunigen.

Erfahren Sie mehr über Netskope GovCloud
Netskope GovCloud
  • Ressourcen Chevron

    Erfahren Sie mehr darüber, wie Netskope Ihnen helfen kann, Ihre Reise in die Cloud zu sichern.

  • Blog Chevron

    Erfahren Sie, wie Netskope die Sicherheits- und Netzwerktransformation durch Secure Access Service Edge (SASE) ermöglicht

  • Events und Workshops Chevron

    Bleiben Sie den neuesten Sicherheitstrends immer einen Schritt voraus und tauschen Sie sich mit Gleichgesinnten aus

  • Security Defined Chevron

    Finden Sie alles was Sie wissen müssen in unserer Cybersicherheits-Enzyklopädie.

Security Visionaries Podcast

Prognosen für 2025
In dieser Folge von Security Visionaries diskutieren wir mit Kiersten Todt, President bei Wondros und ehemaliger Stabschef der Cybersecurity and Infrastructure Security Agency (CISA), über Prognosen für 2025 und darüber hinaus.

Podcast abspielen Alle Podcasts durchsuchen
Prognosen für 2025
Neueste Blogs

Lesen Sie, wie Netskope die Zero-Trust- und SASE-Reise durch SASE-Funktionen (Secure Access Service Edge) ermöglichen kann.

Den Blog lesen
Sonnenaufgang und bewölkter Himmel
SASE Week 2024 auf Abruf

Erfahren Sie, wie Sie sich in den neuesten Fortschritten bei SASE und Zero Trust zurechtfinden können, und erfahren Sie, wie sich diese Frameworks an die Herausforderungen der Cybersicherheit und Infrastruktur anpassen

Entdecken Sie Sitzungen
SASE Week 2024
Was ist SASE?

Erfahren Sie mehr über die zukünftige Konsolidierung von Netzwerk- und Sicherheitstools im heutigen Cloud-dominanten Geschäftsmodell.

Erfahre mehr zu SASE
  • Unternehmen Chevron

    Wir helfen Ihnen, den Herausforderungen der Cloud-, Daten- und Netzwerksicherheit einen Schritt voraus zu sein.

  • Karriere Chevron

    Schließen Sie sich den 3.000+ großartigen Teammitgliedern von Netskope an, die die branchenführende Cloud-native Sicherheitsplattform aufbauen.

  • Kundenlösungen Chevron

    Wir sind für Sie da, stehen Ihnen bei jedem Schritt zur Seite und sorgen für Ihren Erfolg mit Netskope.

  • Schulungen und Akkreditierungen Chevron

    Netskope-Schulungen helfen Ihnen ein Experte für Cloud-Sicherheit zu werden.

Unterstützung der Nachhaltigkeit durch Datensicherheit

Netskope ist stolz darauf, an Vision 2045 teilzunehmen: einer Initiative, die darauf abzielt, das Bewusstsein für die Rolle der Privatwirtschaft bei der Nachhaltigkeit zu schärfen.

Finde mehr heraus
Unterstützung der Nachhaltigkeit durch Datensicherheit
Helfen Sie mit, die Zukunft der Cloudsicherheit zu gestalten

Bei Netskope arbeiten Gründer und Führungskräfte Schulter an Schulter mit ihren Kollegen, selbst die renommiertesten Experten kontrollieren ihr Ego an der Tür, und die besten Ideen gewinnen.

Tritt dem Team bei
Karriere bei Netskope
Die engagierten Service- und Support-Experten von Netskope sorgen dafür, dass Sie unsere Plattform erfolgreich einsetzen und den vollen Wert ihrer Plattform ausschöpfen können.

Gehen Sie zu Kundenlösungen
Netskope Professional Services
Mit Netskope-Schulungen können Sie Ihre digitale Transformation absichern und das Beste aus Ihrer Cloud, dem Web und Ihren privaten Anwendungen machen.

Erfahren Sie mehr über Schulungen und Zertifizierungen
Gruppe junger Berufstätiger bei der Arbeit

Attackers Increasingly Abusing DigitalOcean to Host Scams and Phishing

Mar 09 2023

Summary

Netskope Threat Labs is tracking a 17x increase in traffic to malicious web pages hosted on DigitalOcean in the last six months. This increase is attributed to new campaigns of a known tech support scam that mimics Windows Defender and tries to deceive users into believing that their computer is infected. The end goal of this scam is to lure victims into calling a fake “help line”, where attackers may attempt to remotely access the victim’s computer to either install malware or request payment for a service to fix the bogus infection.

In addition to the tech support scam, there has also been an increase in phishing pages hosted on DigitalOcean, targeting customers of the financial institutions America First Credit Union, Huntington, and Truist, and one phishing page targeting IONOS Webmail users.

The attacks have been targeting victims mainly in North America and Europe across different segments, led by the technology, financial services, and manufacturing sectors.

Presence of DigitalOcean Abuse by Sector

Attackers are creating free-tier DigitalOcean apps to host the scam and phishing pages. Abusing free cloud services, especially services that provide free web hosting or free object hosting, is a common technique used by attackers to host malicious content. This blog post provides a summary of what these scams and phishing pages look like, along with recommendations and threat intel you can use to protect yourself and your organization.  

Tech Support Scam

How it Works

This scam works by mimicking Windows Defender alerts, luring victims into believing that their computer is infected with malware. The goal of this attack is to convince the victim to call the scammer’s phone number. Attackers may attempt to remotely access the victim’s computer to either install malware or request payment for a service to fix the bogus infection. Attackers typically use malvertising to redirect victims to these scam pages.

Tech scam attack, using a fake number as an example.

Once the victim interacts with the webpage, the web browser’s window is maximized and an audio starts playing with the following message:

“Important security message.

Your computer has been locked up.

Your IP address was used without your knowledge or consent to visit websites that contain identity theft virus.

To unlock the computer, please call support immediately.

Please, do not attempt to shutdown or restart your computer. Doing that may lead to data loss and identity theft.

The computer lock is aimed to stop illegal activity.

Please, call our support immediately.”

These are all attempts to scare victims and force them to call the attacker’s phone number. The campaigns Netskope Threat Labs has identified all use  different “themes”, but rely on the same technique. For example, below is an example that shows a fake Windows desktop in the background and a fake webchat, which eventually displays a message saying that there’s an error and asks the victim to contact the phone number instead of the chat.

Another example of the same tech scam.

We also found pages in different languages such as Japanese, showing that this is a multilingual campaign.

Same tech support scam in Japanese.

How is it spread across DigitalOcean?

DigitalOcean allows users to host up to three static websites for free. Since the phone number displayed on the tech scam page is dynamic and can be changed via the “phone” parameter in the URL, attackers can use different phone numbers in the same DigitalOcean instance, without changing anything in the HTML or the scripts. This also means that attackers can create multiple DigitalOcean instances and replicate the same HTML and script files, as these do not require any changes.

In the example below, we used fake numbers to illustrate how this works.

Example of how attackers can use different phone numbers through the same HTML and different DigitalOcean instances.

This can also be confirmed by checking VirusTotal. For example, one of the pages we analyzed is related to 87 different domains from DigitalOcean.

DigitalOcean domains related to one of the tech support scam pages.

Although Netskope Threat Labs has been tracking attackers abusing DigitalOcean in these campaigns, there are also recent reports of similar scams where attackers are abusing Microsoft Azure to host the pages.

Phishing Pages

Netskope Threat Labs is also tracking an increase in phishing activity hosted on DigitalOcean, focused primarily on stealing sensitive financial data, like credit card and debit card numbers.

America First Credit Union

One of the targets is America First Credit Union, where attackers created a very similar phishing page compared to the original website. Although the page looks very similar, one can easily distinguish between the original website by checking the URL.

Phishing page hosted on DigitalOcean vs. the original website.

Once the victim adds the login information, the attackers attempt to steal more personal information like the victim’s full name, date of birth, social security number, carrier pin, and the address.

Phishing page asking for more information.

After entering all the data above, the page then asks for the victim’s debit card number, expiration date, CVV, and the card pin.

Phishing page asking for credit card information.

Then, the phishing page attempts to steal the victim’s email address and password. This is done by simulating a third-party login after inserting the email address in the phishing page. Attackers try to take over the victim’s email in order to gain control over the account’s MFA, if enabled. The access to the victim’s email also allows attackers to attempt to reset passwords and gain access to other accounts that are linked to the same email address.

As an extra attempt to deceive the victim, the phishing page tries to simulate the login page according to the email address provided by the user. For example, if a Gmail account is detected, the phishing page simulates Google’s login page.

Phishing page trying to steal the victim’s email address and password.

The same thing happens if a Microsoft email is detected.

Phishing page simulating Microsoft’s email login.

If the email provided by the victim is not from a known service, the phishing page uses the same layout as the one used for Gmail, but without Google’s logo.

Using an unknown email service to demonstrate how the phishing page behaves.

And lastly, the victim is redirected to the legitimate website.

Original America First Credit Union website.

Huntington National Bank

The second target is Huntington National Bank, where the attack flow is similar to the America First’s phishing page.

Huntington phishing page hosted on DigitalOcean.

After stealing the username and password, the phishing page asks for the one time pin sent to the victim, as an attempt to bypass the multi-factor authentication.

Phishing page asking the one time pin sent to the victim.

Then, the phishing tries to steal the victim’s email address and password, using the same technique as the America First phishing.

Phishing page trying to steal victim’s email address and password.

The phishing campaign then attempts to steal information, such as credit card number, expiration date, CVV, pin, and social security number or tax ID.

Phishing page asking for credit card information.

Then, all personal information is requested, including full name, date of birth, phone number, carrier pin, and address.

Phishing requesting victim’s personal information.

The Huntington phishing page goes even further and requests a picture (front and back) of the victim’s ID or driver license to continue.

Phishing requesting a picture of the victim’s ID.

And finally, the phishing page redirects the user to the legitimate Huntington website after stealing all the information described above.

Phishing page redirecting the victim to Huntington’s legitimate website.

Truist

Truist Financial was also targeted, and the phishing page works exactly as the America First phishing page. It attempts to steal the Truist login and password, the victim’s personal information, credit card data, and also the victim’s email and password.

Truist phishing page hosted on DigitalOcean.

IONOS Webmail

IONOS webmail is the only phishing page in the set Netskope Threat Labs is tracking on DigitalOcean that is targeting email compromise exclusively without also targeting credentials for any financial institutions.

IONOS webmail phishing page hosted on DigitalOcean.

Conclusions

Tech support scams and phishing are a persistent problem, with attackers constantly looking for new ways to target their victims. This latest set of tech support scams and phishing pages are noteworthy because of the focused abuse of DigitalOcean and the success in reaching their victims, resulting in a 17-fold increase in blocking malicious content hosted on DigitalOcean in the Netskope platform. Netskope Threat Labs has been reporting the URLs to the targeted institutions and to DigitalOcean as they are discovered. Although DigitalOcean is promptly taking down the sites, attackers have been responding by continuing to create new ones. Netskope Threat Labs will continue to track and respond to this set of campaigns as they continue and evolve.

Recommendations

The scams and phishing pages described in the post are easily recognisable by the URL, as the attacker has made little effort to disguise the URL. Users can easily avoid becoming victims of the types of attacks described in this post by simply checking the URL and making sure it is the legitimate website. Users should access important pages like their banking portal or webmail by  typing the URL directly in the web browser instead of using search engines or any other links, as the results could be manipulated by SEO techniques or malicious ads. We strongly recommend immediately closing web pages that say your computer is infected and also never calling the number on the screen.

Therefore, Netskope Threat Labs recommends that organizations review their security policies to ensure that they are adequately protected against these and similar phishing pages and scams::

  • Inspect all HTTP and HTTPs traffic, including all web and cloud traffic, to prevent users from visiting malicious websites. Netskope customers can configure their Netskope NG-SWG with a URL filtering policy to block known phishing and scam sites, and a threat protection policy to inspect all web content to identify unknown phishing and scam sites using a combination of signatures, threat intelligence, and machine learning.
  • Use  Remote Browser Isolation (RBI) technology to provide additional protection when there is a need to visit websites that fall in categories that can present higher risk, like Newly Observed and Newly Registered Domains.

Protection

Netskope Threat Labs is actively monitoring this campaign and has ensured coverage for all known threat indicators and payloads. 

  • Netskope Threat Protection
    • Document-HTML.Trojan.TechScam
    • Document-HTML.Trojan.Cryxos
  • Netskope Advanced Threat Protection provides proactive coverage against this threat.
    • Gen.Malware.Detect.By.StHeur indicates a sample that was detected using static analysis
    • Gen.Malware.Detect.By.Sandbox indicates a sample that was detected by our cloud sandbox

IOCs

Below are the IOCs related to the web pages analyzed in this blog post.

Domains

au-eacj4.ondigitalocean[.]app

clownfish-app-2-acvrg.ondigitalocean[.]app

clownfish-app-3gui7.ondigitalocean[.]app

coral-app-66eu3.ondigitalocean[.]app

coral-app-lql2j.ondigitalocean[.]app

coral-app-oheld.ondigitalocean[.]app

coral-app-yn7we.ondigitalocean[.]app

dolphin-app-cin9g.ondigitalocean[.]app

dolphin-app-gf3v9.ondigitalocean[.]app

dolphin-app-i9rjs.ondigitalocean[.]app

fwd-t7top.ondigitalocean[.]app

goldfish-app-8fmrx.ondigitalocean[.]app

goldfish-app-ede6s.ondigitalocean[.]app

goldfish-app-gmvba.ondigitalocean[.]app

goldfish-app-narvj.ondigitalocean[.]app

goldfish-app-xbbof.ondigitalocean[.]app

hammerhead-app-3icpw.ondigitalocean[.]app

hammerhead-app-6ajmd.ondigitalocean[.]app

hammerhead-app-6xlbp.ondigitalocean[.]app

hammerhead-app-juwp9.ondigitalocean[.]app

hammerhead-app-yqhlx.ondigitalocean[.]app

hunt445352464-y7bly.ondigitalocean[.]app

jellyfish-app-xotim.ondigitalocean[.]app

king-prawn-app-4fyti.ondigitalocean[.]app

king-prawn-app-8hzfo.ondigitalocean[.]app

king-prawn-app-bk8g5.ondigitalocean[.]app

king-prawn-app-s6uog.ondigitalocean[.]app

lionfish-app-9rfsh.ondigitalocean[.]app

lionfish-app-j9fnn.ondigitalocean[.]app

lionfish-app-sek9a.ondigitalocean[.]app

lionfish-app-uasdm.ondigitalocean[.]app

lobster-app-frzqt.ondigitalocean[.]app

lobster-app-or6ca.ondigitalocean[.]app

lobster-app-rcoyt.ondigitalocean[.]app

lobster-app-xkaxb.ondigitalocean[.]app

monkfish-app-29akh.ondigitalocean[.]app

monkfish-app-4e22q.ondigitalocean[.]app

monkfish-app-fkiac.ondigitalocean[.]app

monkfish-app-qjdhk.ondigitalocean[.]app

octopus-app-jxl9c.ondigitalocean[.]app

octopus-app-sl7mc.ondigitalocean[.]app

octopus-app-zvm5e.ondigitalocean[.]app

orca-app-2-3tyvd.ondigitalocean[.]app

orca-app-bxy2l.ondigitalocean[.]app

orca-app-ic4os.ondigitalocean[.]app

orca-app-njlq2.ondigitalocean[.]app

orca-app-nkxdn.ondigitalocean[.]app

oyster-app-2333f.ondigitalocean[.]app

oyster-app-865s6.ondigitalocean[.]app

oyster-app-8kk5m.ondigitalocean[.]app

oyster-app-ca5fh.ondigitalocean[.]app

oyster-app-fubtw.ondigitalocean[.]app

plankton-app-gshpo.ondigitalocean[.]app

sea-lion-app-2-pgi8v.ondigitalocean[.]app

sea-lion-app-9rbus.ondigitalocean[.]app

sea-lion-app-hvqyk.ondigitalocean[.]app

sea-lion-app-nwjq8.ondigitalocean[.]app

sea-lion-app-r4jk3.ondigitalocean[.]app

sea-lion-app-s68eg.ondigitalocean[.]app

sea-turtle-app-ohd6t.ondigitalocean[.]app

sea-turtle-app-w39rq.ondigitalocean[.]app

sea-turtle-app-wswat.ondigitalocean[.]app

sea-turtle-app-x2lyb.ondigitalocean[.]app

sea-turtle-app-z52sr.ondigitalocean[.]app

seahorse-app-7kqqk.ondigitalocean[.]app

seahorse-app-eutff.ondigitalocean[.]app

seahorse-app-gpmks.ondigitalocean[.]app

seahorse-app-yjvts.ondigitalocean[.]app

seal-app-3j9yh.ondigitalocean[.]app

seal-app-69ujp.ondigitalocean[.]app

seal-app-x97ny.ondigitalocean[.]app

seashell-app-fpxh9.ondigitalocean[.]app

seashell-app-ja7sl.ondigitalocean[.]app

seashell-app-xzpy9.ondigitalocean[.]app

shark-app-2ty5w.ondigitalocean[.]app

shark-app-qgt9i.ondigitalocean[.]app

squid-app-apvo6.ondigitalocean[.]app

squid-app-yd9gw.ondigitalocean[.]app

starfish-app-3otoz.ondigitalocean[.]app

starfish-app-9gbhh.ondigitalocean[.]app

starfish-app-cwjye.ondigitalocean[.]app

starfish-app-f94j3.ondigitalocean[.]app

starfish-app-gwo9e.ondigitalocean[.]app

starfish-app-jw7ri.ondigitalocean[.]app

starfish-app-l97z5.ondigitalocean[.]app

stingray-app-96edb.ondigitalocean[.]app

stingray-app-do3v9.ondigitalocean[.]app

stingray-app-se98o.ondigitalocean[.]app

urchin-app-5qitv.ondigitalocean[.]app

urchin-app-lq7wk.ondigitalocean[.]app

urchin-app-sgozg.ondigitalocean[.]app

v1and1-ionos-info-2hyeo.ondigitalocean[.]app

walrus-app-npj6k.ondigitalocean[.]app

walrus-app-tcdda.ondigitalocean[.]app

whale-app-298wp.ondigitalocean[.]app

whale-app-56tpr.ondigitalocean[.]app

whale-app-mqejr.ondigitalocean[.]app

whale-app-usrbm.ondigitalocean[.]app

Phone Numbers Observed in the Tech Scam Pages

+1-844-676-9966

+1-855-341-6126

+1-855-341-7111

+1-855-450-7009

+1-855-598-1009

+1-855-673-8111

+1-855-676-9050

author image
Gustavo Palazolo
Gustavo Palazolo is an expert in malware analysis, reverse engineering and security research, working many years in projects related to electronic fraud protection.
Gustavo Palazolo is an expert in malware analysis, reverse engineering and security research, working many years in projects related to electronic fraud protection.
author image
Jan Michael Alcantara
Jan Michael Alcantara is an experienced incident responder with a background on forensics, threat hunting, and incident analysis.
Jan Michael Alcantara is an experienced incident responder with a background on forensics, threat hunting, and incident analysis.

Bleiben Sie informiert!

Abonnieren Sie den Netskope-Blog