Tech Support Scam Pivots from DigitalOcean to StackPath CDN

Attackers who previously abused DigitalOcean to host a tech support scam have expanded their operation to StackPath CDN to distribute the scam. Netskope Threat Labs observed a 10x increase in traffic to StackPath-hosted scam pages from February 1 to March 16 and expects the scammers to pivot among additional cloud services to deliver the scam and lure victims into calling the support hotline. #StackPathCDN #DigitalOcean #AzureWebApps #AmazonCloudFront #NetskopeThreatLabs #TechSupportScam

Key Points

  • Tech support scams are shifting from a single cloud host to multiple cloud services, including StackPath CDN, DigitalOcean, Azure Web Apps, and CloudFront.
  • Traffic to scam pages hosted on StackPath CDN surged by about 10x between Feb 1 and Mar 16, indicating increased distribution on that platform.
  • The scammers’ end goal remains convincing victims that their computers are infected and prompting them to call a “support” hotline.
  • The operation is now pivoting across cloud providers to evade takedowns and detection, not relying on a single service.
  • Victims are primarily targeted in North America, Asia, and Southern Europe.
  • Recommendations emphasize URL verification, typing URLs directly, and avoiding contact with fake “infection” prompts or phone numbers; organizations should strengthen web and cloud traffic monitoring and implement Remote Browser Isolation (RBI).
  • The threat is active enough that Netskope Threat Labs continues to monitor and report indicators across multiple hosting platforms.

MITRE Techniques

  • [T1583.003] Cloud Infrastructure – The attackers acquire and abuse cloud infrastructure to host scam pages and pivot among providers to evade takedowns. “the scammers appear to be shifting their focus from abusing a single cloud service to instead simultaneously abusing multiple services.”

Indicators of Compromise

  • [Domain] Web hosting domains – a4a2r9q8[.]stackpathcdn[.]com, a5q2c2k7[.]stackpathcdn[.]com, and 2 more domains
  • [Domain] CloudFront/CDN domains – dvjqy1l7irdg2[.]cloudfront[.]net, d1npxgc1ym10zi[.]cloudfront[.]net, and 1 more domain
  • [Domain] Azure Websites – system-016-019er[.]azurewebsites[.]net, keygenfound-errorcode4cnnfd[.]azurewebsites[.]net, and 2 more domains
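Because every indicator above is a tenant subdomain of a shared cloud provider, monitoring has to match the exact host rather than the parent domain. The following is an added example, not code from Netskope or from this page: it refangs the listed indicators and checks them against proxy log lines, where the log format, client addresses, timestamps and the `benign-tenant` host are constructed assumptions.

```python
from collections import Counter
from urllib.parse import urlsplit

# Defanged indicators exactly as listed on this page; elided ones are not guessed.
DEFANGED_IOCS = [
    "a4a2r9q8[.]stackpathcdn[.]com",
    "a5q2c2k7[.]stackpathcdn[.]com",
    "dvjqy1l7irdg2[.]cloudfront[.]net",
    "d1npxgc1ym10zi[.]cloudfront[.]net",
    "system-016-019er[.]azurewebsites[.]net",
    "keygenfound-errorcode4cnnfd[.]azurewebsites[.]net",
]

def refang(indicator):
    """Turn 'a[.]b[.]com' back into a hostname usable for matching."""
    return indicator.replace("[.]", ".").lower().rstrip(".")

IOC_HOSTS = frozenset(refang(i) for i in DEFANGED_IOCS)

def host_of(target):
    """Hostname from a full URL or a CONNECT-style 'host:port' target."""
    try:
        host = urlsplit(target if "://" in target else "//" + target).hostname
    except ValueError:  # e.g. malformed bracketed IPv6 literal
        return ""
    return (host or "").lower().rstrip(".")

def find_hits(log_lines):
    """Return ([(timestamp, client, host), ...], Counter of hits per client)."""
    hits, per_client = [], Counter()
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line
        timestamp, client, _method, target = fields[:4]
        host = host_of(target)
        # Exact host match: the parent domains are shared with legitimate tenants.
        if host in IOC_HOSTS:
            hits.append((timestamp, client, host))
            per_client[client] += 1
    return hits, per_client

# Constructed sample lines, assumed format: timestamp client method target status
SAMPLE_LOG = [
    "2023-03-10T14:02:11Z 10.0.0.5 GET https://a4a2r9q8.stackpathcdn.com/index.html 200",
    "2023-03-10T14:02:40Z 10.0.0.5 CONNECT A5Q2C2K7.stackpathcdn.com:443 200",
    "2023-03-10T14:03:02Z 10.0.0.9 GET https://benign-tenant.stackpathcdn.com/app.js 200",
    "2023-03-10T14:05:17Z 10.0.0.7 GET http://system-016-019er.azurewebsites.net./ 200",
]
```

Calling `find_hits(SAMPLE_LOG)` flags the three scam hosts, including the upper-case CONNECT target and the trailing-dot form, and leaves the other StackPath tenant alone; the per-client counter shows which users to follow up with first.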

Read more: https://www.netskope.com/pt/blog/tech-support-scam-pivots-from-digitalocean-to-stackpath-cdn