Cloudflare Developer Domains Hijacked for Cyber Attacks

Cybercriminals are increasingly exploiting Cloudflare Pages (Pages.dev) and Workers (Workers.dev) for phishing and other attacks, leveraging Cloudflare’s trusted reputation and services for malicious purposes. 

The platform, whose tooling lets anyone create and deploy web resources in minutes, is being used to host phishing attacks, malicious web pages, and targeted email lists, posing significant risks to online security.

Cloudflare Pages, a popular web deployment platform, is exploited by threat actors to host phishing sites. Because these sites sit behind Cloudflare’s global CDN, they appear legitimate, load quickly, and can reach a wider audience, increasing the success rate of phishing attacks.

Its free hosting and SSL/TLS encryption, coupled with custom domains and URL masking, allow rapid and stealthy deployment of phishing sites, making them more convincing to victims and harder for defenders to trace back to the operator.

Researchers have identified a rise in phishing campaigns that use Cloudflare Pages redirects within emails to evade detection and rely on bccfoldering (addressing the mass mailing through BCC so the full recipient list is not visible) to hide recipient lists, increasing campaign success.

Microsoft OneDrive page that asks the user to download another document claiming to be a Company Proposal.

The attack leverages Microsoft OneDrive’s credibility to trick users into downloading a malicious document. A seemingly legitimate “Review Now” button redirects users to a Cloudflare Pages URL hosting the final phishing page, disguised as a company proposal. 

The phishing page behind the malicious redirect harvests user credentials, potentially leading to data breaches, email compromise, malware infiltration, lateral movement, and privilege escalation within organizations.

Microsoft Office365 credential theft page

Cloudflare Workers lets developers deploy and run JavaScript code at the edge of Cloudflare’s CDN, executing requests close to the client for reduced latency and enhanced performance in web applications.

It is a serverless platform that can be exploited for malicious activities like DDoS attacks, phishing, data exfiltration, malicious redirects, script injection, security bypasses, and automated attacks, posing significant security risks.

Cloudflare Workers was used to create a CAPTCHA-like human verification page, designed to trick victims into trusting a Microsoft Office365 phishing attack, increasing the likelihood of successful credential and PII theft.

Human verification page

2023 saw a significant rise in phishing attacks abusing Cloudflare Pages and Workers. Fortra’s SEA team reports a 198% increase in Cloudflare Pages attacks and a 104% surge in Cloudflare Workers attacks, with projected year-end totals exceeding 1,600 and 6,000 incidents, respectively.

Cybercriminals are leveraging Cloudflare Pages and Workers to launch attacks, exploiting the platform’s capabilities before security measures can fully mitigate the threats, despite Cloudflare’s efforts to combat abuse. 

Users should exercise caution with unfamiliar websites, verify URLs, and enable 2FA. Developers on Cloudflare Pages should update dependencies, use HTTPS, monitor for threats, and report phishing attempts to Cloudflare.
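The redirect-in-email technique described above, and the advice to verify URLs and monitor for threats, suggest a simple mail-gateway check. The script below is an added example written for this article, not code from Cyber Press, Fortra, or Cloudflare. It extracts every link from an email body, flags hosts under the pages.dev and workers.dev developer domains (matching on DNS labels so a lookalike such as pages.dev.example.com is not flagged), and also looks inside redirector query strings for a nested Cloudflare developer URL, which is how the OneDrive-themed lure hides its final destination. The sample email is constructed; the hostnames in it are invented placeholders.

```python
import re
from typing import Iterator, List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlparse

# Cloudflare developer domains named in the article. User projects are
# deployed as subdomains beneath these (for example <project>.pages.dev).
CLOUDFLARE_DEV_SUFFIXES = ("pages.dev", "workers.dev")

# Crude but adequate URL extractor for plain-text or lightly formatted mail.
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def is_cloudflare_dev_host(host: str) -> bool:
    """True when host is pages.dev/workers.dev itself or a subdomain of one.

    Label-aware matching: 'pages.dev.example.com' must NOT match, because
    an attacker could register such a name on any domain they control.
    """
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in CLOUDFLARE_DEV_SUFFIXES)


def nested_urls(url: str) -> Iterator[str]:
    """Yield URLs embedded in a redirector's query string (e.g. ?u=https://...)."""
    for values in parse_qs(urlparse(url).query).values():
        for value in values:
            decoded = unquote(value)  # handles double-encoded values
            if decoded.lower().startswith(("http://", "https://")):
                yield decoded


def classify_url(url: str) -> Optional[str]:
    """Return a finding label for a URL, or None when nothing is suspicious."""
    host = urlparse(url).hostname or ""
    if is_cloudflare_dev_host(host):
        return "direct-cloudflare-dev-link"
    for inner in nested_urls(url):
        if is_cloudflare_dev_host(urlparse(inner).hostname or ""):
            return "redirect-to-cloudflare-dev"
    return None


def scan_email_body(body: str) -> List[Tuple[str, str]]:
    """Extract every URL from an email body and return (url, label) findings."""
    findings = []
    for url in URL_RE.findall(body):
        label = classify_url(url)
        if label:
            findings.append((url, label))
    return findings


# Constructed sample mirroring the lure in the article: a "Review Now" link
# that bounces through a redirector to a Cloudflare Pages sign-in page.
SAMPLE_EMAIL = """\
Hi team, the Company Proposal is ready for review.
Review Now: https://trusted-docs.example.com/go?u=https%3A%2F%2Fproposal-review.pages.dev%2Fsignin
Backup copy: https://verify-human.workers.dev/check
Unrelated: https://pages.dev.example.com/not-cloudflare
Legit: https://www.example.com/proposal.pdf
"""

if __name__ == "__main__":
    for url, label in scan_email_body(SAMPLE_EMAIL):
        print(f"{label:28s} {url}")
```

Flagged messages should be quarantined or tagged for review rather than dropped outright, since legitimate projects are also hosted on these domains; the redirect check matters most, because a reputation filter that only inspects the outer hostname will pass the redirector and never see the pages.dev target.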

Kaaviya (https://cyberpress.org/) is a Security Editor and reporter with Cyber Press, covering cyber security incidents across the Cyber Space.
