Hackers Exploiting Amazon, Google & IBM Cloud Services To Steal Customer Data

Criminals are abusing the static website hosting feature of cloud storage services to host phishing websites for SMS scams. They store HTML files containing malicious URLs in cloud storage, and links to these files are included in SMS text messages that bypass firewalls because they contain trusted cloud platform domains.

Clicking the link in the SMS directs users to a seemingly legitimate website hosted on cloud storage, which then redirects them to the phishing site to steal their information. 


Attackers are exploiting Google Cloud Storage by hosting a malicious webpage within a bucket, which leverages the “HTML meta refresh” technique, a web development function that automatically reloads or redirects the user to another webpage after a set time.


Spam emails contain links to this initial webpage hosted on Google Cloud Storage, tricking users into unknowingly visiting the malicious site. 

examples of spam messages

The attacker leverages Google Cloud Storage by creating a bucket named “dfa-b” to host a malicious HTML page, “dfmc.html,”  which exploits the “meta refresh” tag with a zero-second delay to redirect unsuspecting users to a different URL automatically. 

The redirect's target URL probably contains additional parameters for tracking or malicious purposes.
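The redirect pattern described above can be checked for when triaging a reported link. The following is an added example, not code from the original article or from Enea: it parses a fetched page for a short-delay meta refresh that leaves the hosting domain and notes whether the page sits on cloud storage. The suffix list, the 5-second threshold, the sample URL (built from the bucket and page names above), and the `example.invalid` target are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed suffix list for the providers the article names; extend for your environment.
CLOUD_STORAGE_SUFFIXES = ("storage.googleapis.com", "amazonaws.com",
                          "cloud-object-storage.appdomain.cloud", "backblazeb2.com")
REFRESH_RE = re.compile(r"\s*(\d+(?:\.\d+)?)\s*[;,]\s*(?:url\s*=\s*)?['\"]?([^'\"]+)", re.I)

class MetaRefreshFinder(HTMLParser):
    """Collects (delay_seconds, target_url) from <meta http-equiv="refresh"> tags."""
    def __init__(self):
        super().__init__()
        self.redirects = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag != "meta" or (a.get("http-equiv") or "").lower() != "refresh":
            return
        m = REFRESH_RE.match(a.get("content") or "")
        if m:  # a bare delay such as content="300" only reloads the page and is ignored
            self.redirects.append((float(m.group(1)), m.group(2).strip()))

def host_is_cloud_storage(host):
    host = (host or "").lower()
    return any(host == s or host.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES)

def assess(page_url, html, max_delay=5.0):
    """Return findings for quick meta-refresh redirects that leave the hosting domain."""
    page_host = urlparse(page_url).hostname
    finder = MetaRefreshFinder()
    finder.feed(html)
    findings = []
    for delay, target in finder.redirects:
        target_host = urlparse(target).hostname  # None for relative targets
        if delay <= max_delay and target_host and target_host != page_host:
            findings.append({"delay": delay, "target_host": target_host,
                             "hosted_on_cloud_storage": host_is_cloud_storage(page_host)})
    return findings

# Constructed sample input: the URL and HTML below are illustrative, not captured data.
SAMPLE_URL = "https://storage.googleapis.com/dfa-b/dfmc.html"
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=https://landing.example.invalid/offer?c=1">
</head><body></body></html>"""
BENIGN_HTML = '<html><head><meta http-equiv="refresh" content="300"></head></html>'

if __name__ == "__main__":
    print(assess(SAMPLE_URL, SAMPLE_HTML))
```

A finding with `hosted_on_cloud_storage` set to true and a zero-second delay matches the behaviour the article describes; a match alone is a triage signal, not proof of phishing.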


In these SMS phishing campaigns, malicious actors use the meta refresh tag to automatically redirect users to fraudulent websites (scam website landing page, page 2, page 3) disguised as legitimate gift card offers.

The technique aims to steal personal and financial information. The redirection uses cloud storage services like Google Cloud Storage, though Amazon Web Services and IBM Cloud are also exploited for similar scams.

Scam SMS containing a link to a static website hosted on Amazon AWS

Scammers increasingly leverage cloud storage services like Amazon AWS, IBM Cloud, and Backblaze B2 Cloud to conduct phishing attacks via SMS, as these messages contain links that appear to be legitimate cloud storage URLs.

Scam SMS containing a link to a static website hosted on Backblaze B2 Cloud

However, clicking the link directs users to malicious static websites designed to steal personal information. Upon clicking the link, the user might be automatically redirected to a website that impersonates a popular platform, such as a bank login page. 

According to Enea, the technique allows scammers to bypass security filters because the initial link originates from a trusted cloud provider. This also makes the link seem more credible, which increases the success rate of these phishing attempts, as users are less likely to suspect a link from a legitimate cloud service provider.


Tushar Subhra Dutta

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
