
Cloudflare’s developer domains increasingly abused by threat actors

Cloudflare Abused by Hackers for Phishing and Malware Distribution

Popular web services from Cloudflare, designed to simplify website building and deployment, are being exploited by cybercriminals for dangerous phishing attacks and malware dissemination, cybersecurity firm Fortra warns.

The abuse of Cloudflare’s "pages.dev" and "workers.dev" platforms has surged dramatically. Fortra reports a 100% to 250% increase in malicious activity compared to 2023.

Malicious actors are leveraging Cloudflare’s trusted reputation, reliable service, and cost-effective hosting to enhance the credibility of their schemes. The company’s reverse proxying setup further complicates detection efforts.

Cloudflare Pages: A Gateway for Phishing

Cloudflare Pages empowers developers to build and host lightning-fast websites on Cloudflare’s global network. This user-friendly platform inadvertently provides an entry point for cybercriminals.

Fortra reveals that attackers are using Cloudflare Pages to host intermediate phishing pages. These pages cleverly redirect victims to fraudulent sites mimicking legitimate platforms like Microsoft Office 365. Victims typically land on these pages through malicious links embedded in PDFs or phishing emails that slip past security filters due to Cloudflare’s trusted status.

"Fortra’s SEA team has observed a 198% increase in phishing attacks on Cloudflare Pages," the cybersecurity firm states, "rising from 460 incidents in 2023 to 1,370 incidents as of mid-October 2024."

Furthermore, Fortra highlights the bccfoldering tactic employed by these attackers to conceal the scale of their email campaigns.

Microsoft 365 phishing page
Source: Fortra

By hiding recipients in the email envelope rather than the header, attackers obscure the true scope of their phishing operation, making it difficult to assess the campaign’s impact.
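A mail-gateway triage check for the two signals described above, written as an added example (not Fortra's or Cloudflare's code): it flags a message whose envelope recipient appears in neither To nor Cc, and extracts links whose host is a subdomain of pages.dev or workers.dev. The function names, the sample message, and the assumption that the gateway supplies the envelope recipient are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses
from urllib.parse import urlsplit

DEV_SUFFIXES = ("pages.dev", "workers.dev")  # the two domains named in the article
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

def dev_domain_links(text):
    """URLs whose *host* (not path) is a subdomain of pages.dev or workers.dev."""
    hits = []
    for url in URL_RE.findall(text):
        host = (urlsplit(url).hostname or "").rstrip(".")
        if any(host.endswith("." + s) for s in DEV_SUFFIXES):
            hits.append(url)
    return hits

def hidden_recipient(msg, envelope_rcpt):
    """True when the envelope recipient appears in neither To nor Cc."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    visible = {addr.lower() for _, addr in getaddresses(headers)}
    return envelope_rcpt.lower() not in visible

def body_text(msg):
    """Concatenate the decoded text/* parts of the message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def triage(raw_message, envelope_rcpt):
    """envelope_rcpt is assumed to come from the gateway's RCPT TO record."""
    msg = message_from_string(raw_message)
    return {"hidden_recipient": hidden_recipient(msg, envelope_rcpt),
            "dev_links": dev_domain_links(body_text(msg))}

# Constructed sample: decoy To address, real recipient only in the envelope.
SAMPLE = (
    "From: IT Support <support@example.org>\n"
    "To: staff-announce@example.org\n"
    "Subject: Document shared with you\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Review the file: https://doc-share-1a2b.pages.dev/view?id=7\n"
    "Help: https://www.example.com/pages.dev/help\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE, "alice@example.net"))
```

Legitimate Bcc and mailing-list traffic also hides recipients, and many legitimate sites are hosted on these domains, so treat either result as a triage signal to combine with other evidence rather than as a verdict.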

Fortra predicts a staggering 257% increase in Cloudflare Pages phishing attacks by the end of 2024.

Abuse of Cloudflare Pages in numbers
Source: Fortra

Cloudflare Workers: A Vehicle for DDoS Attacks and More

Cloudflare Workers, a powerful serverless platform designed for developers to deploy lightweight apps directly on Cloudflare’s network, is also being exploited for malicious purposes.

Legitimate uses of Workers include API deployment, content optimization, and even custom firewall solutions. However, Fortra’s investigations have uncovered a surge in abuse, including DDoS attacks, phishing site deployment, malicious script injection, and brute-force attacks targeting user credentials.

One particularly concerning case involves Cloudflare Workers being used to host human verification steps within phishing campaigns, adding a layer of legitimacy to the ruse.

"We have witnessed a 104% surge in phishing attacks on this platform, climbing from 2,447 incidents in 2023 to 4,999 incidents year-to-date," Fortra reports.

Verification step used in a phishing campaign
Source: Fortra

With an estimated 6,000 Workers-fueled phishing attacks expected by the end of 2024, an alarming 145% increase compared to last year, users must remain vigilant.

Volume of Cloudflare Workers abuse
Source: Fortra

Protecting Yourself

Fortra emphasizes the importance of verifying URLs before entering sensitive information.

Activating two-factor authentication adds an extra layer of security to your accounts, making it harder for hackers to access your data even if they obtain your credentials.
