Netskope Threat Labs observed a 17x increase in traffic to malicious pages hosted on DigitalOcean, driven by new campaigns of tech support scams mimicking Windows Defender and by phishing pages targeting financial institutions and webmail users. Attackers leverage free DigitalOcean hosting, dynamic phone numbers via URL parameters, and multilingual pages to spread scams and harvest credentials and financial data. #DigitalOcean #WindowsDefender #AmericaFirstCreditUnion #Huntington #Truist #IONOSWebmail
Key points
- Blocks of malicious content hosted on DigitalOcean rose 17-fold over six months, linked to new scam campaigns.
- Attackers run tech support scams that imitate Windows Defender to coerce victims into calling a fake “help line” and potentially granting remote access or paying for bogus fixes.
- Phishing pages hosted on DigitalOcean target financial institutions (America First Credit Union, Huntington, Truist) and IONOS Webmail, with victims primarily in North America and Europe.
- Attackers use free-tier DigitalOcean apps to host scam content and set the displayed phone number through a URL parameter, so a single page can serve multiple numbers and instances without any change to its HTML or scripts.
- Threat intel shows numerous DigitalOcean domains tied to these campaigns, and the attackers reuse HTML across instances to scale operations.
- Recommendations include URL checks, directly typing URLs, blocking known phishing sites via policy, and using Remote Browser Isolation for high-risk websites.
- Netskope Threat Protection and Advanced Threat Protection provide coverage for this campaign, including signatures and sandbox detections.
MITRE Techniques
- [T1583] Acquire Infrastructure – Cloud hosting used to host scams and phishing pages on DigitalOcean. ‘Attackers are creating free-tier DigitalOcean apps to host the scam and phishing pages.’
- [T1566.001] Phishing: Spearphishing Link – Use of malvertising to redirect victims to scam pages that mimic legitimate sites and steal credentials and financial data. ‘Attackers typically use malvertising to redirect victims to these scam pages.’
Indicators of Compromise
- [Domain] Domain hosting scam/phishing pages on DigitalOcean – au-eacj4.ondigitalocean[.]app, clownfish-app-2-acvrg.ondigitalocean[.]app, clownfish-app-3gui7.ondigitalocean[.]app
- [Domain] Additional DigitalOcean domains used in the campaigns – coral-app-66eu3.ondigitalocean[.]app, coral-app-lql2j.ondigitalocean[.]app
- [Domain] More DigitalOcean domains listed in the article – coral-app-oheld.ondigitalocean[.]app, coral-app-yn7we.ondigitalocean[.]app
- [Phone Number] Observed numbers on tech scam pages – +1-844-676-9966, +1-855-341-6126, +1-855-341-7111, +1-855-450-7009, +1-855-598-1009, +1-855-673-8111, +1-855-676-9050
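The two handles the key points give defenders, the reported indicator domains and numbers and the habit of passing the scam phone number in a URL parameter, can be turned into a proxy-log check. The following is an added example, not code from Netskope or the article; the article does not name the query parameter, so the check inspects every query value for a toll-free number shape rather than a fixed parameter name, and the log line format is a constructed "timestamp user url" layout.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Defanged domains and phone numbers from the article's IoC list, re-armed for matching.
IOC_DOMAINS = {
    "au-eacj4.ondigitalocean.app", "clownfish-app-2-acvrg.ondigitalocean.app",
    "clownfish-app-3gui7.ondigitalocean.app", "coral-app-66eu3.ondigitalocean.app",
    "coral-app-lql2j.ondigitalocean.app", "coral-app-oheld.ondigitalocean.app",
    "coral-app-yn7we.ondigitalocean.app",
}
IOC_PHONES = {re.sub(r"\D", "", n) for n in (
    "+1-844-676-9966", "+1-855-341-6126", "+1-855-341-7111", "+1-855-450-7009",
    "+1-855-598-1009", "+1-855-673-8111", "+1-855-676-9050",
)}
# Digits-only shape of a North American toll-free number (1 + 8NN + seven digits).
TOLL_FREE_RE = re.compile(r"^18(?:00|33|44|55|66|77|88)\d{7}$")


def classify_url(url: str) -> list[str]:
    """Return the reasons a URL matches this campaign; an empty list means no match."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in IOC_DOMAINS:
        reasons.append("known-ioc-domain")
    # The article does not name the query parameter, so every value is inspected.
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        digits = re.sub(r"\D", "", value)
        if digits in IOC_PHONES:
            reasons.append("known-ioc-phone")
        elif host.endswith(".ondigitalocean.app") and TOLL_FREE_RE.match(digits):
            reasons.append("do-app-with-tollfree-param")
    return reasons


def scan_proxy_log(lines):
    """Return [(url, reasons)] for matching lines of the constructed '<ts> <user> <url>' format."""
    hits = [(line.split()[-1], classify_url(line.split()[-1])) for line in lines]
    return [(url, reasons) for url, reasons in hits if reasons]


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z alice https://coral-app-yn7we.ondigitalocean.app/?phone=%2B1-855-341-6126",
    "2024-05-01T10:00:05Z bob https://example-app-zzzz.ondigitalocean.app/alert.html?n=1-855-000-1234",
    "2024-05-01T10:00:09Z carol https://www.example.com/support?tel=1-855-000-1234",
]
```

The second sample line shows why the shape check matters: a fresh DigitalOcean app name with a toll-free number in its query string is flagged even though neither the domain nor the number is in the published indicator list.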
Read more: https://www.netskope.com/blog/attackers-increasingly-abusing-digitalocean-to-host-scams-and-phishing