Cloudflare Developer Domains Abused For Cyber Attacks

Cloudflare Pages, a popular web deployment platform, is exploited by threat actors to host phishing sites, as attackers leverage Cloudflare’s trusted infrastructure, global CDN, and free hosting to quickly set up and deploy convincing phishing sites. 

Automatic SSL/TLS encryption enhances the sites’ legitimacy, while custom domains and URL masking further obfuscate their malicious nature. Cloudflare’s reverse proxying capabilities hinder the traceability of the attack origin, making it difficult for security measures to detect and mitigate these threats.

Phishing attackers are abusing Cloudflare Pages.dev to host intermediary redirects, which hide the true malicious URL from security measures, making it appear legitimate. 

The attack starts with a phishing email containing a link, often in a fake PDF, where clicking the link redirects the user to the Cloudflare Pages site, which then forwards them to the actual phishing page designed to steal credentials.

Free Webinar on Best Practices for API vulnerability & Penetration Testing:  Free Registration

To further evade detection, attackers use BCC fields instead of CC to hide recipient lists, making it difficult to assess the campaign’s scope. 

The attacker employs a multi-stage phishing attack, as they first entice users with a “Review Now” button, which, when clicked, leads to a seemingly legitimate Microsoft OneDrive page. 

However, the document hosted on OneDrive is actually a deceptive company proposal. To further legitimize the attack, the attacker uses a Cloudflare Pages URL disguised as an “Open” button. 

Once clicked, the user is redirected to a malicious Microsoft Office365 login page designed to steal their credentials, which can expose organizations to various security risks, including data breaches, business email compromises, and potential system compromises. 

Cloudflare Workers, a serverless platform, allows developers to execute JavaScript code at the edge of Cloudflare’s network. While this can improve performance and security, it also presents a risk. 

Malicious actors can exploit this platform to deploy malicious code, bypassing traditional security measures, which can potentially steal sensitive information, launch DDoS attacks, or compromise user devices.

The workers can be exploited to launch sophisticated phishing attacks. By creating a deceptive human verification page, attackers can trick victims into believing they are interacting with a legitimate website. 

Once a user passes the verification, they are redirected to a malicious phishing site designed to steal sensitive information like Microsoft Office365 credentials and PII, which leverages the familiarity of security measures to lower victim vigilance and increase the success rate of the attack.

Recent data from Fortra’s SEA team indicates a significant rise in phishing attacks targeting Cloudflare Pages and Cloudflare Workers, where Cloudflare Pages saw a 198% increase in attacks in 2024, while Cloudflare Workers experienced a 104% surge. 

Cybercriminals are exploiting these platforms to launch phishing attacks, bypassing Cloudflare’s security measures.

Users and developers are advised to exercise caution, verify website legitimacy, enable 2FA, and implement strong security practices to mitigate the risks associated with these attacks.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar