FORTRA security analysts report that Cloudflare developer domains are being abused by threat actors for a variety of illicit and malicious purposes.
A recent investigation found a significant increase in attacks against Cloudflare Pages and Cloudflare Workers, two popular platforms used by developers for web deployment and serverless computing.
Abuse of Cloudflare services has increased dramatically, with phishing attacks targeting Cloudflare Pages increasing by 198% from 2023 to mid-October 2024.
Phishing campaign (Source – FORTRA)
Likewise, FORTRA analysts noted that Cloudflare Workers experienced a 104% spike in phishing incidents during the same period.
Cloudflare threat statistics (Source – FORTRA)
These statistics highlight the growing sophistication with which cybercriminals exploit trusted platforms.
Tactics and Techniques
Attackers are leveraging Cloudflare’s infrastructure to create convincing phishing sites and perform a variety of malicious activities:-
- Phishing redirects: Cybercriminals use Cloudflare Pages to host deceptive links that redirect victims to credential theft pages.
- Human verification pages: Attackers used Cloudflare Workers to deploy fake verification pages to add an extra layer of legitimacy to their phishing attempts.
- Email hiding: Using BCC folders in phishing campaigns helps mask the scale of the attack.
There are several factors that make the Cloudflare platform attractive to malicious actors:-
- Trusted reputation: Cloudflare’s strong brand recognition adds credibility to hosted content.
- Global CDN: Ensure fast loading of phishing websites across regions.
- Free and hassle-free hosting: Able to be deployed quickly with minimal resources.
- Automatic SSL/TLS: Adds a layer of perceived security to protect against malicious websites.
- Custom domains: Allows for more convincing URL masking.
Although Cloudflare implements various security measures, users and developers must remain vigilant:-
- Unknown websites that request sensitive information should be treated with caution.
- Verify URL validity before entering credentials.
- Enable two-factor authentication (2FA) for added security.
- Developers should regularly update dependencies and monitor for suspicious activity.
- Report phishing attempts to Cloudflare for investigation and removal.
As the cyber threat landscape evolves, it is critical for users and service providers to stay informed and proactively combat sophisticated attacks against trusted platforms.
