Getting a bit tired of these headlines about malware "delivery" via link shorteners or similar. Yeah, guess what - people can host files on the internet in various ways, what a shocker.

Krebs on Security shared data on absolute and relative phishing abuse by top-level domain in a recent post.

Yes, .com has the highest absolute number of phishing domains, but it also has the overwhelmingly highest number of registered domains, period. The relative prevalence is only 24.2, as compared with 2nd-ranked (by absolute score) .top, with a phishing domain score of 422.7. That's still not the highest listed, which is .lol at 577.5. <https://krebsonsecurity.com/2024/07/phish-friendly-domain-re...>

If you're looking at relative benefit vs. harm from blocking, blocking TLDs with a higher relative (abusive vs. legitimate) domains score gives an additional security benefit. Reputation-based scoring by TLD, domain, ASN, or other basis is likely to become more prevalent over time. We've already been doing that for email for over a quarter century, with the Spamhaus Project being founded in 1998 (it reports abusive email domains).

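The absolute-vs-relative distinction in the comment above, worked through as an added example (not from the thread or the Krebs/Interisle report). The TLD counts are constructed sample data, and the normalisation used for the score (phishing domains per 10,000 registered domains) is an assumption chosen for illustration; it also adds a "collateral" ratio, the number of non-phishing domains that would be caught for every phishing domain blocked, which is the benefit-vs-harm trade-off the comment describes.

```python
"""Absolute vs. relative phishing prevalence by TLD (added example).

SAMPLE is constructed data, not figures from any report. SCALE is an
assumed normalisation (phishing domains per 10,000 registered domains).
"""
from dataclasses import dataclass

SCALE = 10_000  # assumed: score = phishing domains per 10,000 registered domains


@dataclass(frozen=True)
class TldStats:
    tld: str
    registered: int  # total registered domains in the TLD
    phishing: int    # domains in the TLD seen hosting phishing


# Constructed sample: one huge TLD with many phishing domains in absolute
# terms, and small TLDs where phishing is a far larger share of the zone.
SAMPLE = [
    TldStats("com", 160_000_000, 400_000),
    TldStats("top", 3_000_000, 120_000),
    TldStats("lol", 200_000, 11_000),
    TldStats("org", 11_000_000, 25_000),
]


def relative_score(s: TldStats) -> float:
    """Phishing domains per SCALE registered domains, rounded to one decimal."""
    if s.registered == 0:
        return 0.0
    return round(s.phishing / s.registered * SCALE, 1)


def collateral_per_phishing_domain(s: TldStats) -> float:
    """Legitimate (non-phishing) domains blocked for each phishing domain blocked
    if the whole TLD is blocked. Lower means a cheaper block."""
    if s.phishing == 0:
        return float("inf")
    return round((s.registered - s.phishing) / s.phishing, 1)


def rank_absolute(stats: list[TldStats]) -> list[str]:
    """TLDs ordered by raw phishing-domain count (the headline number)."""
    return [s.tld for s in sorted(stats, key=lambda s: s.phishing, reverse=True)]


def rank_relative(stats: list[TldStats]) -> list[str]:
    """TLDs ordered by phishing share of the zone (the useful number)."""
    return [s.tld for s in sorted(stats, key=relative_score, reverse=True)]


def block_candidates(stats: list[TldStats], threshold: float) -> list[str]:
    """TLDs whose relative score meets the threshold, as a sorted list.
    Blocking on the absolute count would put .com first; blocking on the
    relative score picks out the small, heavily abused zones instead."""
    return sorted(s.tld for s in stats if relative_score(s) >= threshold)


if __name__ == "__main__":
    for s in SAMPLE:
        print(f".{s.tld:<4} abs={s.phishing:>8}  rel={relative_score(s):>6}  "
              f"collateral={collateral_per_phishing_domain(s)}")
    print("absolute ranking:", rank_absolute(SAMPLE))
    print("relative ranking:", rank_relative(SAMPLE))
    print("block at rel>=100:", block_candidates(SAMPLE, 100))
```

With the sample data the two rankings invert: .com leads on the raw count but drops to third on the relative score, while .lol and .top, which contribute few phishing domains in absolute terms, are the ones a relative-score threshold would block, and with far fewer legitimate domains caught per phishing domain removed.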
sad truth
blocklists are effective and now we need things like DoH, 3rd-party DNS providers and sketchy VPNs in order to internet. mission fucking accomplished

Imagine trying to use the internet like an end user or a webdev if you couldn't use Cloudflare.
Say blocking any Cloudflare domain or IP. Many cuz ur into privacy or you're paranoid... who cares why.

And let's also not conflate policing the good old internet with policing today's internet. There is still freedom that could be lost, but it's hard to see for all the trackers and malware.

Wouldn't anyone serious about their website being reachable everywhere get their own domain name?
It wouldn't be an issue for trying it out if you don't block it yourself.

> I question whether this pans out like swatting. Can I get someone taken down by abusing abuse reports?

Not generally, no. Typically, abuse departments at ISPs don't blindly cut off people's internet access just because someone complains. They require evidence (server logs, message headers, etc.) and there will be an investigation as well as multiple communications between an ISP and a user being accused of violating the ISP's terms of service. The same is true when the issue is between ISPs and their upstream providers. Keep in mind too that for both ISPs and upstream providers, everyone is naturally and strongly incentivized to not cancel the accounts of the customers who pay them.

There is one situation where false reports can get someone taken down. DMCA notices have this potential. ISPs can face billions in fines if they refuse to permanently disconnect their customers from the internet based on nothing more than unproven/unsubstantiated allegations made by third-party vendors with a long history of sending wildly inaccurate DMCA notices. So far, media companies have been winning in courts and ISPs have been losing or (more often) settling outside of court. Everyone is still waiting to see how the case against Cox ends (https://torrentfreak.com/cox-requests-rehearing-of-piracy-ca...)

They should act (on malware et al.) when people report it, https://www.cloudflare.com/en-gb/trust-hub/reporting-abuse/
That said, they're also using the "utility argument" - just as your phone provider won't screen you at every call you make, your electricity provider won't lock your supply until you authenticate use for non-nefarious purposes, your ISP won't content-filter, Cloudflare also says they won't police per-use other than when under explicit legal mandate (court injunctions). That's fair enough, at least to me.

and Cloudflare links to Cloudflare, https://www.cloudflare.com/en-gb/trust-hub/reporting-abuse/
Apocryphally saying "they all suck at this but Cloudflare sucks most" is just moaning. Any free/near-free hosting or caching service can be used to distribute malware. Mail services have been used to push malware for decades, and while many of them filter content, that's a cat-and-mouse game a determined malactor will occasionally win. Are they really "so much worse" than anyone else? (ex-CF so pillory me for ex-cusing my ex-employer; as said, to me, "all cooks use water")

> meaning there's no way to report abusive domains for which they're the registrar and/or for whom they host DNS

Yes there is: [email protected]

> This company spent YEARS saying that they don't "host" anything

Yes, for their "proxying" service, they take no action when it comes to that; all they will do is forward the report to the hosting provider.

> They don't even have a category for spam

Use the general category or [email protected]

> It's rate limited so that even a human reporting multiple items has to sit and wait. [...] They have a CAPTCHA on the abuse reporting form.

Yes, I agree. I reported hundreds of ".pages.dev" sites (hosted by their Cloudflare Pages service); the form restricts it to 1 unique domain per report, so I had to make hundreds of individual reports, but they did take them down.

> they are "so much worse" than anyone else

I don't agree with this. In my experience they have taken action on some reports, meanwhile some other companies have done nothing: DigitalOcean (doesn't deal with any of my reports, known for being infested with bad actors, now they're the first ASN I block when I'm setting up a firewall), AWS (their customer spammed me for months, tried telling me the email didn't originate from them, but it did), Dynadot (will not do anything without court orders, warrants).

I don't think you know how the internet works if you think you can police every single URL. Ok, now I've hosted malware on 121.23.65.89. What are you going to do?

> I don't think it's unreasonable for people to expect cloudflare to be policing their own service

On the contrary. The tendency of those expectations turning into assumptions is the wider issue.

Just downloading a LNK or VBS file should be a massive red flag. Whoever decided that it was a good idea to hide file extensions from people by default was an idiot.

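The red flag the comment above describes, turned into a small detection pass as an added example (not code from the thread or from any product). It scans constructed download-event lines in an assumed "timestamp user url filename" format, flags shortcut and script file types, and separately calls out the double-extension case ("invoice.pdf.lnk") that hidden extensions turn into a plausible-looking "invoice.pdf". The log format, hostnames and the simplification that hiding extensions strips only the final extension are all assumptions.

```python
"""Flag downloads of shortcut/script file types (added example).

SAMPLE_LOG is constructed data in an assumed format: one event per line,
"timestamp user url filename". Hostnames are placeholders.
"""
from urllib.parse import unquote, urlparse

# File types an ordinary user has no business receiving from a web link.
RISKY_EXTENSIONS = {"lnk", "vbs", "vbe", "js", "jse", "wsf", "hta",
                    "scr", "bat", "cmd", "ps1"}

# Inner extensions that make a double-extension name look like a document.
DOCUMENT_LOOKALIKES = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}

# Constructed sample events; the tunnel hostname is a placeholder.
SAMPLE_LOG = """\
2024-08-01T09:12:03Z alice https://files.example.test/report-q2.pdf report-q2.pdf
2024-08-01T09:15:44Z bob https://tunnel-placeholder.example.test/dl/invoice.pdf.lnk invoice.pdf.lnk
2024-08-01T09:16:10Z carol https://files.example.test/notes.txt notes.txt
2024-08-01T09:20:31Z dave https://tunnel-placeholder.example.test/dl/Update.VBS Update.VBS
2024-08-01T09:22:05Z erin https://files.example.test/photo%2Ejpg%2Ejs photo.jpg
"""

SEVERITY = {None: 0, "risky": 1, "disguised": 2}


def extensions(filename: str) -> list[str]:
    """All dot-separated extensions of a name, lower-cased: 'a.pdf.lnk' -> ['pdf', 'lnk']."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def displayed_name(filename: str) -> str:
    """What the user sees with 'hide extensions for known file types' on.
    Simplification (assumption): only the final extension is hidden."""
    head, dot, _ = filename.rpartition(".")
    return head if dot else filename


def classify(filename: str):
    """None, 'risky' (script/shortcut type) or 'disguised' (document-looking
    name whose real type is a script/shortcut)."""
    exts = extensions(filename)
    if not exts or exts[-1] not in RISKY_EXTENSIONS:
        return None
    if len(exts) >= 2 and exts[-2] in DOCUMENT_LOOKALIKES:
        return "disguised"
    return "risky"


def scan(log_text: str) -> list[tuple[str, str, str, str]]:
    """Return (user, saved filename, name from URL path, verdict) for every
    flagged event. Both the saved name and the URL's last path segment are
    checked, and the worse verdict wins, so a renamed or percent-encoded
    download does not slip past."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, user, url, filename = line.split(None, 3)
        url_name = unquote(urlparse(url).path.rsplit("/", 1)[-1])
        verdicts = [classify(filename), classify(url_name)]
        worst = max(verdicts, key=lambda v: SEVERITY[v])
        if worst is not None:
            findings.append((user, filename, url_name, worst))
    return findings


if __name__ == "__main__":
    for user, saved, from_url, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:<9} user={user:<6} saved={saved:<16} url_name={from_url:<16} "
              f"shown_as={displayed_name(from_url)}")
```

The percent-encoded case (erin's "photo%2Ejpg%2Ejs") is why the URL path is decoded and checked alongside the saved name: the saved name alone looks like an image.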
Whatever differences exist between a publicly accessible Google Drive and an innocuous-seeming link to a Cloudflare-owned domain that takes users to a random malicious server without warning, we can be reasonably sure that those differences are meaningful, because these scammers are flocking to the Cloudflare service instead of using Google Drive.

Something about this Cloudflare service is really attractive to these scammers in a way that Google Drive isn't. Maybe it's because these scammers just haven't discovered how great Google Drive is as a malware delivery platform, but I suspect that they have. Google Drive has something of a history for hosting malware. https://www.techrepublic.com/article/google-drive-accounted-...

Now maybe all the attention on how Google Drive became the hottest place in town to spread malware caused Google to get off their ass and do something about the abuse of their online service, and it's become a less hospitable place for criminals than it used to be. Or, maybe Google has continued to neglect their responsibility to keep criminals off their service and it's the public who have just gotten more suspicious of the links to Google Drive in their inboxes, making Google Drive campaigns less effective, and it's the novelty of Cloudflare tunnels that makes them so effective. Maybe it's just easier to create Cloudflare links that don't require accounts than it is to keep creating Google Drive accounts.

Where it matters most though, there really isn't much difference between the two services. Both have a responsibility to keep their services from being used to facilitate crime. Both should respect RFC 2142, but don't. Both can eventually get around to removing links to malware after you report it to them enough, while doing basically nothing to stop that same malware from going right back up again at another URL/account. Both have more than enough resources and talent to be doing a much better job at internet abuse handling than they have been. They both just don't care enough to bother.

> Even dumb pipes need to be maintained when they start carrying something toxic/harmful that isn't supposed to be there.

Quis custodiet ipsos custodes? https://en.wikipedia.org/wiki/Quis_custodiet_ipsos_custodes%...

> In this case they're linking to .LNK and .VBS, but scammers using these kinds of services are doing things like repeatedly uploading the exact same malware infected file

It sounds like you advocate for proxy servers to inspect traffic at the application layer. Is that right? In the OSI reference model, the communications between systems are split into seven different abstraction layers: Physical, Data Link, Network, Transport, Session, Presentation, and Application.

It would be nice if Cloudflare tried a bit harder to respond to abuse reports.
I don't think they've ever acted when I've reported obvious phishing and malware hosting to them.

If it isn't Cloudflare tunnels, it's gonna be asking Google to translate some webpage you host with a payload in the URL or something.
This isn't newsworthy.

I would be disappointed in the attackers if it didn't. Free end-to-end encryption without any accountability tying it to a user? It's begging for abuse.

I actually wrote about malicious use of this very tool a year ago[0] (almost to the day). The only thing new here seems to be what they're doing through the tunnels, and the apparent success they're having with this method for it to increase as a proportion of their overall attack techniques.
TryCloudflare, IMO, is the real problem here. It doesn't require an account at all, so attribution becomes nearly impossible.

0: https://www.guidepointsecurity.com/blog/tunnel-vision-cloudf...

Society better figure something out soon, because with all these ultra-realistic deepfakes coming up, we better have a way for people to establish whether the source is authentic or not.

Picked up? You'd configure CrowdStrike to stop any random exe from running at all. Doesn't matter if the attacker's using a known bad exe or not.

this reminds me of when those AOL free trial account disks were all over the place. in many circles an AOL subdomain would get instabanned

Even the *.ipt.aol.com ban was needed because one AOLer would use the HOST.ipt.aol.com rDNS to ban-evade and ruin it for everybody.
Prodigy / CompuServe / Blue Light gang checking in

Cloudflare has been infamous among sysadmins and threat hunters for over a decade [1,2] now for having an almost-nonexistent moderation program. Their services have been routinely abused by malicious actors for years [3,4,5,6,7]. They've arguably been the single largest commercial provider for criminals globally over that time period, including non-tech criminals like drug traffickers and actual terrorists [8,9], to say nothing of aiding and abetting war criminals [10].

In fact, Cloudflare is actually the second largest DNS provider in the world by number of domains served. [11] They are in a position to log and analyze all of the traffic they decrypt, including all of the plaintext POST data, all of the cookies, all of the origin IPs, L7 payload sizes, and traffic timestamps for over 35 million websites. Their extensive history of indiscriminately offering "free" services to evildoers likely ties back to their true purpose, which Matthew Prince has admitted to [12], which is to sell all of those passwords, all of that PII, all of your privacy, not only to the US government, but also to other bidders.

It is no exaggeration to say that anyone opposed to spam, phishing, malware, cybercrime, terrorism, war crimes, government surveillance dragnets, and infringements upon one's own digital privacy should have nothing but utter contempt for the soulless monsters responsible for this corporate atrocity. If you are as passionate about the subject as I am after reading some of these citations, I'd encourage you to boycott any websites using CF that you don't need to visit, and make plenty of phone calls to California senators, representatives, and the governor demanding that the state of California revoke Cloudflare's corporate charter and right to conduct business in the state.

[1] https://www.malwarebytes.com/blog/news/2014/12/free-ssl-cert...
[2] https://forum.spamcop.net/topic/14194-cloudflare-bulletproof...
[3] https://thehackernews.com/2023/08/cybercriminals-abusing-clo...
[4] https://www.threatdown.com/blog/cloudflare-tunnel-increasing...
[5] https://any.run/cybersecurity-blog/clouflare-phishing-campai...
[6] https://venturebeat.com/security/rogue-ad-network-site-likel...
[7] https://portswigger.net/daily-swig/cybercriminals-use-revers...
[8] https://www.trendmicro.com/vinfo/us/security/news/cybercrime...
[9] https://cyberscoop.com/cloudflare-ipo-terrorism-narcotics/
[10] https://www.timesofisrael.com/us-firm-helps-hamas-netanyahu-...
[11] https://bgp.he.net/report/tophosts
[12] https://0xacab.org/blockedbyriseup/deCloudflare/-/raw/master...

Your sources are ass, man. Yah, newsflash, CF is a hosting site and people make phishing pages. This shit is true with literally any cloud provider today that's relevant on the internet.

Original title was "Threat Actor Abuses Cloudflare Tunnels to Deliver Rats", and even if I knew about malware through Cloudflare tunnels, it got my hopes too high.

If history is any indication you can probably keep having the nice thing, because CF tends to look the other way when bad actors abuse their infrastructure.

Depends on if you're ok with the tradeoffs of KYC, as they require comprehensive identity verification, and depending on service, changes to structure to adhere to a per-person account model.

Okay, their main service is a passthrough with a sprinkle of blocking on top.
GGP is asking for more blocking, so I don't think they mind that particular reason.

Original title has "RATs", but that seemed to have gotten edited/autocorrected away when it got to HN. Because, damn, that's a hack I want to read about.

I thought this was a terrible pun about using tunnels to deliver rodents, not delivering remote access trojans. I don't know which I would have liked better.

They also use the same VPNs for connecting to your machines as your grandparents do for watching Netflix.

The internet as a whole is slowly but steadily moving towards a model where IP addresses and domain names are not useful indicators for security. You cannot block your users from visiting Cloudflare or AWS IP ranges, and you cannot block visitors to your site from major commercial VPN providers.

In addition, all the traffic is encrypted, name lookups are encrypted, so a network operator cannot tell anything about what you are doing on the internet.

This is a good thing for multiple reasons. First, it improves privacy and anonymity for the internet users. Second, reducing the effectiveness of network security solutions will make it possible to phase out their usage, which makes the network dumb again and prevents ossification. And third, it forces us to tackle the underlying security issues, rather than supporting a whole industry of ineffective whack-a-mole.