What is the name of the domain?
r2.dev
What is the error number?
NA
What is the error message?
NA
What is the issue you’re encountering?
Trouble resolving phishing hosted on r2.dev
What steps have you taken to resolve the issue?
Multiple abuse report attempts to Cloudflare
Registrar issues require a Registrar ticket with Support
6fc70d25e4a931d9
In what area can we help you?
I don’t know
What are the steps to reproduce the issue?
Cloudflare team,
I am writing to escalate a critical security concern regarding phishing content directly hosted on Cloudflare’s R2.dev Storage infrastructure. Despite multiple reports since August 14, 2024, this malicious content remains active.
Previous Report Details:
Original Ticket ID: 6fc70d25e4a931d9
Submission Channel: abuse.cloudflare.com/phishing
Target Brand: Bill.com
Malicious URL: hXXps://pub-c195ccd795664d78bdeb2d18f48e5eab.r2[.]dev/blob.html
For standard phishing reports, Cloudflare typically provides us with the abuse contact information for the responsible Internet Service Provider or web host. However, when the content is hosted on Cloudflare R2 Storage (r2.dev), their response is limited to:
"Please be aware Cloudflare offers network service solutions including pass-through security services, a content distribution network (CDN) and registrar services. Due to the pass-through nature of our services, our IP addresses appear in WHOIS and DNS records for websites using Cloudflare. Cloudflare cannot remove material from the Internet that is hosted by others.
Accepted URL(s) on pub-c195ccd795664d78bdeb2d18f48e5eab.r2.dev:
hxxps://pub-c195ccd795664d78bdeb2d18f48e5eab[.]r2[.]dev/blob[.]html
We have notified our customer of your report.
We have forwarded your report on to the responsible hosting provider.
You may also direct your report to:
- The provider where r2.dev is hosted (provided above);
- The owner listed in the WHOIS record for r2.dev and/or;
- The contact listed on the r2.dev site.
Note: A lookup of the IP for a Cloudflare customer website will show Cloudflare IPs because we are a pass-through network. The actual website is still hosted at the hosting provider indicated above. If the hosting provider has any questions, please have the hosting provider contact us directly regarding this site. Due to attempted abuse of our complaint reporting process, we will only provide the IP of r2.dev to the responsible hosting provider if they contact us directly at [email protected]."
While this information is forwarded to the hosting provider, we have not observed any subsequent action over the last 3 months, nor have we received abuse contact details that would enable us to escalate the matter. Given that this content is hosted on Cloudflare R2 Storage, we are seeking guidance on alternative resolution paths. The standard abuse reporting form has proven ineffective in facilitating content removal for any sub-domains on R2.dev.
Please let us know if you have any questions.
Best Regards,
Infoblox Mitigations Team