Microsoft Azure is phishing-friendly

Summary:Free hosting, free SSL certificate, free subdomains and free anonymizing proxy make Azure a powerful platform for phishing.

Internet research and intelligence firm Netcraft is reporting that Microsoft Azure is becoming popular as a hosting site for phishing attacks.

Netcraft identified several examples of what they call "the most egregious examples targeting well-known institutions:"

  • itune-billing2update-ssl-apple.azurewebsites.net (Apple)
  • paypalscurity.azurewebsites.net (PayPal)
  • www22online-americanexpress.azurewebsites.net (American Express)
  • 3seb-verifiedbyvisa.azurewebsites.net (Visa)
  • login-comcastforceauthn.azurewebsites.net (Comcast)
  • cielo-2014.cloudapp.net (Cielo)

In order to attract web developers, Microsoft has made many powerful facilities free for an evaluation period which is far longer than the lifetime of the average phishing site.

In addition to 30 free days of hosting and a $200 credit on Azure charges, developers can get free subdomains off Microsoft's azurewebsites.net (a domain unlikely to be blocked); a free SSL certificate, free email addresses and a free anonymizing proxy.

azure-paypal-ssl
An Apple phishing site on itune-billing2update-ssl-apple.azurewebsites.net, image courtesy Netcraft Site Report

One particular problem with this arrangement identified by Netcraft is that the free SSL certificates provided by Microsoft do not come with an OCSP responder, and so are irrevocable in many client programs, Mozilla programs in particular.

In all likelihood, phishers aren't using any of the more sophisticated features of Azure, but if they wanted to, they could have access to SQL Server databases, mobile push, media streaming and Hadoop for big data analysis.

Netcraft notes that Microsoft has some weapons that could be used to track down these attackers, particularly the fact that a phone call must be made in the registration process.

Topics: Security, Cloud, Microsoft

About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec... Full Bio

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.