Looking to host a phishing site? Try Microsoft AzureWritten by Alan Buckingham on April 28, 2014 - 12:27PM @alanbuckingham
It’s sad but true that services can be taken advantage of. Microsoft has done everything right to try and put its Azure cloud hosting service in contention to compete with the likes of Amazon S3, but there are all always those looking to take advantage of a good thing. According to recent security research, that is exactly what is happening now.
The folks at Netcraft are always scanning the web, looking for hacks, vulnerabilities and fraud. Now, in a new report, the firm reveals that Microsoft’s generosity with Azure accounts is being taken advantage of. The draw here is multi-fold.
First is the free trial, which security researcher Robert Duncan describes. “In order to get a phishing site hosted at Azure, the fraudster has several options: steal the credentials for a Microsoft account, compromise a virtual machine running at Azure, or use Microsoft’s free trial which provides $200 of credit. Given the number of subdomains registered explicitly for phishing, it is unlikely that many fraudsters are exploiting legitimate customers’ virtual machines”.
But the generosity being taken advantage of goes beyond just that. Fraudsters can utilize the service’s free SSL certificates, as well. All sub-domains hosted through Azure are accessible via HTTPS, thanks to an Azure Websites SSL certificate. This adds a layer of legitimacy to sites that are not what they seem.
Associated email services are also being utilized. “Fraudsters are also using Microsoft-provided free email addresses (at live.com, hotmail.com, and outlook.com) to receive and store stolen phishing credentials. Fraudsters commonly use phishing kits to quickly deploy phishing sites — before deployment, the fraudster configures the phishing kit with his email address. If a victim is tricked by the phishing site into providing his credentials, they are sent back to the fraudster's email address” Duncan says.
All is not lost -- Azure’s free trial requires a phone number and credit card. While the bank information may well have been stolen, the access to the phone number used could prove to be a deciding factor. Phishers need to complete the registration using that phone number entered, so we will see if these cases are pursued.