Moving more workloads to the cloud has become a top priority for enterprises. Some 96% of organizations are, in fact, already using cloud computing in one or more areas of their business. Cloud computing benefits enterprises in many ways, but perhaps the driving force behind the increased cloud adoption is this: Organizations that use cloud services grow faster.

Still, this doesn’t eliminate the risks that cloud computing poses. Gartner’s Emerging Risks Report found cloud adoption as a top business risk cited by business executives. Among the cyber risks it poses is phishing, which accounts for 90% of data breaches across all industries. Phishing is also the most common network entry point that threat actors use.

In this post, we explored the current state of phishing attempts in the cloud/file storage industry. We also showed how Domain Reputation API could help enterprises fight off phishing attempts.

Phishing Attacks on Cloud/File Storage Services

Phishlabs’s 2019 Phishing Trends and Intelligence Report revealed that while phishing attacks targeting cloud storage and file hosting companies remained at a proportion of 12%, the actual volume of attacks rose by 48%.

The cloud service industry is among the top 5 prime targets of phishing attacks, joining the ranks of financial services, email services, payment services, and software-as-a-service (SaaS) sectors. Specifically, it came third in rank. Phishlabs noted that the number of attackers who used free hosting services and domains has doubled. Also, almost 50% of the attacks used free-to-use Secure Sockets Layer (SSL) certificates.

Phishing is most commonly carried out by impersonating a legitimate company. True enough, we found a fake cloud service domain on PhishTank: https://drivecloucl[.]org/storage/xxx[.]php. Notice the following:

• The domain uses a misspelled version of the word “cloud.”
• It is pretending to be either part of or closely related to icloud.com or onedrive.live.com, two of the most popular cloud and file storage services today.
• It uses the words “drive,” “cloud,” and “storage,” terms that are closely associated with cloud services.

With this domain tactic and a crafty message, there is a probability that end-users who are not well-versed in cloud services may think that the email containing this link is legitimate.

Our Investigative Tools: Domain Reputation API and WHOIS Search

We ran the domain https://drivecloucl[.]org/storage/xxx[.]php on Domain Reputation API, which returned a meager reputation score of 62.96. The ideal is 100 to be considered safe to access.

The tool also detected several red flags, including the following:

• It was registered only two months and 25 days ago (at the time of writing). While new registrations aren’t automatically suspicious, this one remains very recent as most brands tend to register domains of interest sometimes a year or more before launching their service.
• The domain’s SSL certificate was also recently obtained. Established cloud service providers typically have SSL certificates that are at least as old as their corresponding sites.

Let’s now take a look at this comparison of each domain’s registrant details returned by WHOIS Search:

drivecloucl[.]org

icloud.com

onedrive.live.com

Drivecloucl[.]org’s registrant is mentioned to be based in Panama, apparently availing the service of a domain privacy company to replace his or her own contact details. While, again, this doesn’t make the registrant a fraudster, a lot of cybercriminals prefer to hide their details in WHOIS records. In contrast, both domain registrations related to iCloud and OneDrive are U.S.-based with publicly-available contact information.

* * *

There is no doubt that cloud computing is a wise investment for organizations that want to improve their bottom line—a higher revenue translates to more profit. But as when considering the purchase or lease of any new property, they should make sure that the service provider they are looking into is a legitimate establishment. They can screen potential providers with Domain Reputation API to make sure they get the best value for their money without the risk of handing their credentials and funds to phishers.