Increase in the Number of Phishing Messages Pointing to IPFS and to R2 Buckets


Summary:

Credential-stealing phishing remains a persistent threat, with threat actors continually evolving their tactics. While various methods for hosting phishing pages exist, including third-party services and email attachments, traditional approaches involving internet-connected servers remain common. A recently observed trend is an increase in phishing campaigns that use IPFS (InterPlanetary File System) and R2 buckets, Cloudflare's object storage service, to host malicious content.

An analysis of spam trap data reveals a significant uptick in phishing campaigns leveraging IPFS and R2 buckets starting around mid-February. Over half of the newly observed campaigns linked to pages hosted on IPFS or R2 buckets. While these phishing messages may be easily identified by spam filters, the trend suggests a deviation from the usual state of affairs.

Although the increase in these messages may not pose a substantial threat to most organizations, it's prudent to consider mitigations. Limiting user access to IPFS and R2 content through DNS or URL filtering could be effective. Blocking access to *.r2.dev for R2 buckets is straightforward, while access to IPFS content can be limited by filtering the specialized gateways through which it is reached, since these operate on known domains.

Analyst Comments:
The observed increase in phishing messages utilizing IPFS and R2 buckets highlights the adaptability of threat actors and their willingness to leverage emerging technologies for malicious purposes. While these messages may not pose a significant threat to organizations with robust security measures in place, it's essential to remain vigilant.

Suggested Corrections:
Implementing proactive measures such as limiting user access to IPFS and R2 content through DNS or URL filtering can provide an added layer of defense against credential theft attempts. Additionally, organizations should regularly review their security protocols and stay informed about evolving phishing trends to ensure effective mitigation strategies.
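As an added illustration of the URL filtering described above (not code from the original diary), the following Python sketch flags links in a message body that point to *.r2.dev or to an IPFS gateway. It goes slightly beyond a domain list by recognizing the two gateway URL shapes, `/ipfs/<CID>` paths and `<CID>.ipfs.<host>` subdomains; the function names, the sample message and the placeholder CIDs and hostnames are all constructed for this example.

```python
import re
from urllib.parse import urlsplit

# CIDv0 is "Qm" + 44 base58 characters; CIDv1 in base32 is "b" + lowercase base32.
CID_V0 = r"Qm[1-9A-HJ-NP-Za-km-z]{44}"
CID_V1 = r"b[a-z2-7]{58,}"
PATH_GATEWAY = re.compile(rf"^/ipfs/(?:{CID_V0}|{CID_V1})(?:/|$)")
# Hostnames are case-insensitive, so subdomain gateways carry only CIDv1.
SUBDOMAIN_GATEWAY = re.compile(rf"^{CID_V1}\.ipfs\.")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def classify_url(url):
    """Return 'r2', 'ipfs-subdomain', 'ipfs-path', or None for one URL."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:          # malformed URL, e.g. a broken IPv6 literal
        return None
    host = (parts.hostname or "").rstrip(".")   # hostname is already lowercased
    # Exact suffix match: "r2.dev.example.com" and "notr2.dev" must not hit.
    if host == "r2.dev" or host.endswith(".r2.dev"):
        return "r2"
    if SUBDOMAIN_GATEWAY.match(host):
        return "ipfs-subdomain"
    if PATH_GATEWAY.match(parts.path):
        return "ipfs-path"
    return None

def flag_message(body):
    """Return (url, reason) for every link in a message body worth filtering."""
    hits = []
    for url in URL_RE.findall(body):
        reason = classify_url(url)
        if reason:
            hits.append((url, reason))
    return hits

# Constructed sample data: placeholder CIDs and hostnames, not real indicators.
SAMPLE_CID_V0 = "Qm" + "a" * 44
SAMPLE_CID_V1 = "bafy" + "a" * 55
SAMPLE_BODY = f"""Mailbox full, verify here: https://pub-00000000.r2.dev/index.html
Invoice: https://gateway.example/ipfs/{SAMPLE_CID_V0}/doc.html
Shared file: https://{SAMPLE_CID_V1}.ipfs.gateway.example/
Product docs: https://example.com/ipfs/overview"""

if __name__ == "__main__":
    for url, reason in flag_message(SAMPLE_BODY):
        print(reason, url)
```

The same classification can feed a mail gateway rule or a proxy log review; organizations that legitimately use R2 or IPFS would need an allow list in front of it.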

Link(s):
https://isc.sans.edu/diary/Increase...ages+pointing+to+IPFS+and+to+R2+buckets/30744