Researchers have identified a sophisticated phishing tactic leveraging Cloudflare’s workers.dev, a free domain name service, to execute credential theft campaigns.
The modus operandi involves a generic phishing page that can impersonate any brand, with significant technical ingenuity aimed at deceiving unsuspecting users and evading detection.
The phishing page, hosted on the URL “workers-playground-broken-king-d18b.supermissions.workers.dev,” is designed to harvest credentials from victims.
.png
)
The attackers employ a clever customization technique to make the generic phishing page appear as if it belongs to a specific brand.
By appending an employee’s email address to the URL, separated by a “#” symbol, the page dynamically takes on the appearance of a targeted brand’s login portal.
For instance, adding “#ahshs@google.com” to the URL transforms the page into a fake Google login interface.
The phishing page uses the free screenshot generation service, Thum.io, to fetch an image of the legitimate organization’s domain (e.g., google.com).
This image is then used as the background for the phishing site to enhance its authenticity and fool victims into believing they are on a genuine login page.
Credential Exfiltration
When victims input their credentials on the phishing page, the stolen data is exfiltrated to a remote endpoint hosted at “hxxps://kagn[.]org/zebra/nmili-wabmall.php.”
The phishing page’s Document Object Model (DOM) is obfuscated using JavaScript (file: myscr939830.js) to prevent detection by scam engines.
Although the obfuscation lacks sophistication and was easily deobfuscated by researchers, the measure effectively deters less advanced detection methods.
Once deobfuscated, the source code revealed how the page dynamically generates backgrounds using free services like Google’s favicon fetcher and Thum.io to create brand-specific phishing interfaces.
Additionally, the phishing page blocks users from viewing its source code, further complicating detection and analysis efforts.
This functionality is achieved by manipulating JavaScript controls to disable source code access, a tactic frequently used to frustrate security teams.
Broader Use of Phishing Tactics
The analysis of the JavaScript file (myscr939830.js) revealed that it is also being used in other phishing campaigns hosted on Cloudflare’s r2.dev platform.
An example URL demonstrated how the same script underpins additional phishing attacks.
Additionally, researchers found that this obfuscated script was being distributed via the free blockchain storage service web3.storage, indicating the attackers’ use of decentralized hosting solutions.
The credentials exfiltrated by these phishing sites are sent to the domain “kagn[.]org,” which has been linked to the threat actor.
This domain, registered six years ago and hosted on WordPress, appears to have been compromised or backdoored by the attacker, as its endpoint “/zebra/nmili-wabmall.php” is actively used for this campaign.
To counter these advanced phishing threats, organizations are advised to educate employees about detecting and reporting phishing attempts.
According to the CloudSek, phishing simulations should be conducted regularly to test employees’ awareness and response capabilities.
Furthermore, organizations should also roll out direct-to-customer (D2C) awareness campaigns, urging customers to stay vigilant against such scams and to verify web pages before entering sensitive information.
Are you from SOC/DFIR Teams? - Analyse Malware Files & Links with ANY.RUN Sandox -> Try for Free
