
Phishing Framework Targets Multiple Brands’ Login Pages to Steal Credentials


The CloudSEK Threat Research Team has identified a sophisticated generic phishing mechanism leveraging Cloudflare’s workers.dev service.

This fraudulent campaign employs a generic login page that can dynamically impersonate any brand, enabling attackers to steal credentials from unsuspecting users.

The phishing page is hosted at workers-playground-broken-king-d18b.supermissions.workers.dev and utilizes advanced obfuscation techniques to evade detection by security engines.

Phishing Tactics

The phishing page is designed to appear as a webmail login portal but can be customized to impersonate specific brands by appending targeted email addresses to the URL with a # symbol.

For example, crafting the URL in the format workers-playground-broken-king-d18b.supermissions.workers.dev/#ahshs@google.com automatically transforms the page to resemble a Google login portal.

Figure: the generic phishing web page turned into a fake Google login page.

This is achieved by incorporating visual elements from the targeted organization’s legitimate website.

The attackers leverage thum.io, a free website screenshot generator, to take real-time screenshots of the domain in the victim’s email address (e.g., google.com).

These screenshots are then used as the background of the phishing page, creating an illusion of legitimacy.

Additionally, the phishing page uses Google’s favicon fetcher service to display the organization’s logo, further reducing suspicion.
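The trick described above (a free-hosting subdomain plus an e-mail address smuggled into the URL fragment) is easy to triage on the defender side. The helper below is an added example, not code from CloudSEK or from the campaign; it checks reported URLs for exactly that pattern and pulls out the domain being impersonated. Note that a fragment is never sent to a server, so it only appears in URLs extracted from e-mails or user reports, never in proxy logs. The benign sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# Host taken from the write-up; the other sample URLs are constructed for contrast.
PHISH_HOST = "workers-playground-broken-king-d18b.supermissions.workers.dev"
SAMPLE_URLS = [
    PHISH_HOST + "/#ahshs@google.com",      # pattern from the article
    "https://mail.example.com/login",       # constructed, ordinary login page
    "https://some-app.workers.dev/app",     # constructed, free host but no fragment
]

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")
FREE_HOST_SUFFIXES = (".workers.dev",)     # extend with other free hosting suffixes


def triage_url(url: str) -> dict:
    """Classify one reported URL against the article's pattern.

    Returns the host, whether it sits on a free hosting suffix, the domain an
    e-mail address in the fragment would impersonate, and a verdict.
    """
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower()
    on_free_host = host.endswith(FREE_HOST_SUFFIXES)
    match = EMAIL_RE.match(parts.fragment.strip())
    impersonated = match.group(1).lower() if match else None
    if on_free_host and impersonated:
        verdict = "likely-phish"      # both signals: the article's exact technique
    elif on_free_host or impersonated:
        verdict = "suspicious"        # one signal: worth an analyst's look
    else:
        verdict = "benign"
    return {
        "host": host,
        "on_free_host": on_free_host,
        "impersonated_domain": impersonated,
        "verdict": verdict,
    }


def triage_batch(urls):
    """Map every URL in a report to its triage result."""
    return {u: triage_url(u) for u in urls}


if __name__ == "__main__":
    for url, result in triage_batch(SAMPLE_URLS).items():
        print(f"{result['verdict']:13} {result['impersonated_domain'] or '-':12} {url}")
```

Feed it the URLs your mail gateway or abuse mailbox extracts; a "likely-phish" hit also tells you which brand's users were targeted.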

Malicious Exfiltration Endpoint

Once users input their credentials on the phishing page, the data is exfiltrated to a remote server controlled by the threat actor, located at hxxps://kagn[.]org/zebra/nmili-wabmall.php.

The domain, which has been active for six years, is hosted on WordPress and may have been compromised to serve as the attackers’ credential collection endpoint.

A closer look at the page source revealed obfuscated JavaScript, stored in a file named myscr939830.js.

This obfuscation technique helps evade security scans but, upon deobfuscation, exposes the page’s functionality, including dynamic background generation and credential harvesting.

The phishing page also prevents users from viewing its source code, a tactic commonly used in phishing campaigns to avoid detection and inspection.

Figure: exfiltration from the impersonated phishing page to a remote server controlled by the scammers.

According to CloudSEK, the registration history and six-year operational span of kagn[.]org suggest that the attackers may have exploited vulnerabilities in the domain’s hosting platform, potentially deploying backdoors to facilitate data exfiltration.

This phishing campaign highlights the exploitation of legitimate free services, such as Cloudflare and thum.io, to execute highly deceptive and customizable attacks.

Organizations should take proactive steps to ensure the security of their employees and customers.

It is crucial to educate employees about identifying phishing attempts and the dangers of generic phishing URLs.

Companies should implement phishing simulation programs to evaluate employee readiness and establish clear reporting mechanisms for suspected phishing activities.

Additionally, launching direct-to-customer awareness campaigns to educate users about potential phishing tactics can mitigate risks.

Security teams must also monitor for abuse of free hosting services and domain impersonation tactics, and identify endpoints exfiltrating sensitive data, to prevent breaches.
