Note that the link to the OneDrive URL does not come from IPFS. It comes from the URL fragment, which makes it even murkier as to whether the IPFS hash should even be blocked! Perfectly legitimate sites could be using exactly the same content with no knowledge of the phishing attack. It is just copied and pasted from https://itty.bitty.site/
Ah, I didn't catch that the Base64 string was part of the query param, not stored in IPFS. Yeah, seems like the IPFS data isn't offending whatsoever in this case.
Interesting that it is 'facilitating' phishing (as in dependency in attack chain), but only to the extent that would apply to a number of general-purpose open source libraries, or the browser, or any OS or ISP.
Seems like DigitalOcean made the wrong choice, but the technical complexity of the situation is enough to not put too much blame on them. Unresponsive support is disappointing.
I agree that it's too complex to expect front-line abuse support to work out what's going on, but yes, I did expect them to turn my networking back on after I blacklisted the hash.
DigitalOcean disabled network access to one of my droplets too. They won't respond to your emails, but poke them on Twitter and hopefully you will get a response back. Mine took 10 days to get a reply.
Interesting question of who has culpability:
- Server receiving creds seems clearly in the wrong
- OneDrive hosting the HTML file which can be used to exfiltrate creds is a bit murkier
- Hosting a link to the OneDrive URL on IPFS is murkier still.