Yesterday we reported on a phishing attack that utilizes the Azure Blob storage solution in order to have login forms secured by a Microsoft issued SSL certificate. After reviewing the URLs utilized by the same attacker, BleepingComputer noticed that these same bad actors are also utilizing the Cloudflare IPFS gateway for the same purpose.
Last month Cloudflare released an IPFS gateway that allows users to access content stored on the IPFS distributed file system through a web browser. As part of this implementation, all connections to the IPFS gateway are secured using SSL certificates issued by CloudFlare.
By storing the html for phishing scams on IPFS, the attackers can then utilize Cloudflare's IPFS gateway to display the stored HTML document. For example, this attacker is using the gateway to display the following phishing form.
The benefit of doing this is that the forms will then be secured using a SSL certificate issued by a well known company like Cloudflare, which could help to convince users that the form is legitimate.
When the user submits the form, their phone number and email will be submitted to a page operated by the attackers at searchurl.bid. The user will then be redirected to a PDF titled "Business Models, Business Strategy and Innovation".
This attacker has been involved in numerous phishing schemes since July 2018. When using VirusTotal to get a list of known URLs related to the searchurl.bid domain, you can see numerous phishing form submission pages.
Some of these pages are now dead, but others are still live and display phishing forms for Google accounts, Windows accounts, DocuSign, and more.
Even though these these web page addresses do not look legitimate, many people in a rush may not pay attention and simply enter their info. For this reason, it is always important to properly educate users on how to spot and avoid phishing scams.