Cloudflare developer domains are increasingly being abused by threat actors
- Fortra security professionals discover a new phishing campaign abusing two Cloudflare domains
- Pages and Workers are used to bypass email protections and redirect people to phishing pages
- Activity has increased significantly this year
Cybercriminals are abusing two Cloudflare domains to enable phishing attacks and send malware to their victims, researchers claim.
New research from cybersecurity experts Fortra claims the trend is increasing, especially compared to 2023.
The domains, ‘pages.dev’ and ‘workers.dev’, are used to deploy web pages and serverless code, and given Cloudflare’s good reputation among the general public, the crooks can bypass various endpoint protection tools and successfully reach their targets.
A wave of abuse
Pages is a free platform that allows front-end developers to deploy and host static websites or JAMstack applications directly from their Git repository, and into Cloudflare’s Content Delivery Network (CDN).
Workers, on the other hand, is a serverless platform for deploying and running JavaScript, TypeScript, or Rust code at the edge to build scalable and performant applications.
However, scammers use both platforms to host intermediary phishing pages that redirect victims to the actual malicious sites. The attack starts with the usual phishing email, urging the victim to address an issue immediately. The email contains a .PDF file or a link in the body itself. Because the link goes to Cloudflare’s domains, most email security solutions won’t flag it as suspicious or malicious.
Victims are also less likely to be wary if they see Cloudflare’s name in the link or PDF file.
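The delivery chain described above relies on filters passing links to Cloudflare's developer domains, so one triage aid is to list every body link hosted on them for review instead of trusting the parent domain. This is an added example, not code from Fortra or the article; the function names and the sample message are constructed, and it assumes only the text parts of an email are scanned (PDF attachments are not parsed).

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

WATCHED_SUFFIXES = ("pages.dev", "workers.dev")  # domains named in the article
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def watched_suffix(host):
    """Return the watched domain that host is a subdomain of, else None."""
    host = (host or "").rstrip(".").lower()
    for suffix in WATCHED_SUFFIXES:
        # Require a label boundary so "notpages.dev" does not match.
        if host.endswith("." + suffix):
            return suffix
    return None


def flag_links(raw_email):
    """Return sorted (hostname, suffix) pairs for body links on watched domains."""
    msg = message_from_string(raw_email)
    hits = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # attachments such as PDFs are not parsed here
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        for url in URL_RE.findall(text):
            # .hostname drops userinfo and port, so the real host is judged.
            host = urlsplit(url).hostname
            suffix = watched_suffix(host)
            if suffix:
                hits.add((host.rstrip("."), suffix))
    return sorted(hits)


# Constructed sample message (not taken from the Fortra report).
SAMPLE_EMAIL = """\
From: billing@vendor.example
Subject: Overdue invoice - action required
Content-Type: text/html; charset="utf-8"

<p>Your invoice is overdue. <a href="https://invoice-review.pages.dev/view">Open it</a>
or use https://Doc-Check.Workers.dev:443/r?id=1 . Our site: https://www.vendor.example/
Support: https://notpages.dev/help and https://pages.dev@other.example/login</p>
"""

for host, suffix in flag_links(SAMPLE_EMAIL):
    print(f"review: {host} (hosted on {suffix})")
```

A hit means only that the link is hosted on a shared developer domain, where legitimate projects also live, so treat it as a signal for review rather than a verdict.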
“Fortra’s SEA team has observed a 198% increase in phishing attacks on Cloudflare Pages, from 460 incidents in 2023 to 1,370 incidents as of mid-October 2024,” the company said in its report. “With an average of approximately 137 incidents per month, the total number of attacks is expected to exceed 1,600 by the end of the year, representing an expected increase of 257% year-on-year.”
Workers is not doing much better either. “We have witnessed a 104% increase in phishing attacks on this platform, from 2,447 incidents in 2023 to 4,999 incidents this year,” the researchers said.
“Currently averaging 499 incidents per month, total volume is expected to reach nearly 6,000 by the end of the year, reflecting an expected increase of 145% over the previous year.”
All phishing starts the same way: with an email message that requires urgent attention. It could be an outstanding invoice, a return, a security alert, or a time-sensitive giveaway. This fear of missing out or making things worse causes victims to take action without thinking about what they are doing. As a result, they often share their login credentials with the attackers, install malware on their computers, or even share banking and other financial information.
The best way to protect yourself from phishing is to use common sense and be careful when reading emails and opening attachments, even if they come from seemingly trustworthy sources like Cloudflare.
Via BleepingComputer