Cybersecurity analysts are raising alarms over phishing schemes that exploit Cloudflare Workers to serve credential-harvesting phishing sites targeting Microsoft, Gmail, Yahoo!, and cPanel Webmail users.
This tactic, dubbed transparent phishing or adversary-in-the-middle (AitM) phishing, “utilizes Cloudflare Workers as a reverse proxy for authentic login pages, intercepting the exchange between the victim and the login page to capture credentials, cookies, and tokens,” reported Netskope researcher Jan Michael Alcantara.
The bulk of phishing campaigns hosted on Cloudflare Workers over the last month have targeted individuals in Asia, North America, and Southern Europe, with a focus on technology, financial services, and banking sectors.
According to the cybersecurity firm, there was a notable increase in traffic to Cloudflare Workers-hosted phishing sites starting in Q2 2023, with a significant rise in distinct domains from just over 1,000 in Q4 2023 to nearly 1,300 in Q1 2024.
These phishing campaigns employ a technique called HTML smuggling, which uses malicious JavaScript to construct the payload on the client side, circumventing security measures. This highlights the sophisticated methods threat actors use to deploy and execute attacks on targeted systems.
In this scenario, the malicious payload manifests as a phishing page, reconstructed and displayed in the victim’s web browser. The phishing page urges users to log in with Microsoft Outlook or Office 365 (now Microsoft 365) to view an ostensibly important PDF document. If the user complies, the fake sign-in pages hosted on Cloudflare Workers capture their credentials and multi-factor authentication (MFA) codes.
“The entire phishing page is crafted using a modified version of an open-source Cloudflare AitM toolkit,” Alcantara noted. “When the victim interacts with the attacker’s login page, the attacker captures the web request metadata.”
“Once the victim inputs their credentials, they are logged into the legitimate site, and the attacker harvests tokens and cookies from the response. Additionally, the attacker can monitor any subsequent activity performed by the victim post-login.”
HTML smuggling is increasingly favored by attackers aiming to bypass modern defenses, enabling the delivery of fraudulent HTML pages and other malware without triggering alarms.
Huntress Labs highlighted an instance where a fake HTML file injected an iframe of the legitimate Microsoft authentication portal from an actor-controlled domain.
“This is characteristic of an MFA-bypass AitM transparent proxy phishing attack, but it employs an HTML smuggling payload with an injected iframe rather than a simple link,” explained security researcher Matt Kiely.
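The HTML smuggling pattern described above (a page whose JavaScript decodes and assembles the payload in the browser) and the Huntress variant (an attachment that frames a login portal from a remote origin) both leave static traces in the attachment itself. The following triage script is an added example, not code from Netskope, Huntress or the article: it scores an HTML attachment on a small set of indicators. The indicator names, thresholds and the three constructed samples (including the `.invalid` proxy host) are this example's own assumptions; the "smuggling" sample is a deliberately non-functional fragment that contains only the indicator calls and a dummy literal.

```python
import re
from urllib.parse import urlparse

# Indicator patterns for client-side payload assembly. The names and the
# scoring rule below are this example's own choices, not a published ruleset.
INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "blob_object": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"\bcreateObjectURL\s*\("),
    "legacy_save": re.compile(r"\bmsSaveOrOpenBlob\s*\("),
    "download_attr": re.compile(r"<a\b[^>]*\bdownload\b", re.I),
}
# An unbroken base64 run of 400+ characters inside a string literal: the
# payload travels inside the attachment instead of being fetched later.
BASE64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{400,}={0,2})[\"']")
# Iframes with an absolute http(s) source; a stand-alone attachment that
# frames a remote origin is itself unusual.
IFRAME_SRC = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*[\"']?(https?://[^\"'\s>]+)", re.I)


def analyze_html(html: str) -> dict:
    """Return the indicators found in one attachment plus a coarse verdict."""
    hits = [name for name, pat in INDICATORS.items() if pat.search(html)]
    if BASE64_LITERAL.search(html):
        hits.append("large_base64_literal")
    framed_hosts = sorted({urlparse(m.group(1)).hostname or ""
                           for m in IFRAME_SRC.finditer(html)})
    if framed_hosts:
        hits.append("remote_iframe")

    # Decoding plus a file-object build is the assembly pattern the article
    # describes; a remote iframe inside an attachment is the Huntress variant.
    has_decode = "base64_decode" in hits or "large_base64_literal" in hits
    has_file_build = any(h in hits for h in ("blob_object", "object_url", "legacy_save"))
    if (has_decode and has_file_build) or "remote_iframe" in hits:
        verdict = "suspicious"
    elif hits:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "indicators": hits, "framed_hosts": framed_hosts}


# Constructed samples, not real attachments.
DUMMY_B64 = "A" * 420  # stands in for an encoded payload; carries no content
SMUGGLING_FRAGMENT = "\n".join([
    "<html><body><script>",
    f'var PAYLOAD = "{DUMMY_B64}";',
    "var raw = atob(PAYLOAD);",
    "var blob = new Blob([raw]);",
    "var href = URL.createObjectURL(blob);",
    "</script></body></html>",
])
FRAMED_LOGIN = (
    '<html><body><iframe src="https://login.example-proxy.invalid/common/oauth2" '
    'style="width:100%;height:100%"></iframe></body></html>'
)
BENIGN_NOTICE = (
    '<html><body><p>Your statement is attached.</p>'
    '<a href="https://example.com/help">Help</a>'
    '<script>document.title = "Statement";</script></body></html>'
)

if __name__ == "__main__":
    for name, sample in [("smuggling", SMUGGLING_FRAGMENT),
                         ("framed", FRAMED_LOGIN), ("benign", BENIGN_NOTICE)]:
        print(name, analyze_html(sample))
```

The verdict is deliberately coarse: a single indicator such as a `download` attribute is common in legitimate mail, so it only earns "review", while decode-plus-build or a remotely framed login page earns "suspicious" and should be routed to detonation or blocked at the gateway.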
Another notable campaign involves invoice-themed phishing emails with HTML attachments masquerading as PDF viewer login pages to steal users’ email credentials, subsequently redirecting them to a URL hosting the purported “proof of payment.”
Email-based phishing attacks have also evolved to use phishing-as-a-service (PhaaS) toolkits like Greatness, which steal Microsoft 365 login credentials and bypass MFA with the AitM method; recent Greatness campaigns embed QR codes in PDF files and add CAPTCHA checks before leading victims to the fake login page.
Top targets for the Greatness PhaaS include financial services, manufacturing, energy/utilities, retail, and consulting sectors in the U.S., Canada, Germany, South Korea, and Norway.
“These services offer advanced features that attract attackers by reducing the time needed for development and evasion tactics,” stated Trellix researchers Daksh Kapur, Vihar Shah, and Pooja Khyadgi in a recent analysis.
Meanwhile, cyber adversaries continue innovating to outsmart security systems, using generative artificial intelligence (GenAI) to create convincing phishing emails and delivering oversized malware payloads (exceeding 100 MB) to evade analysis.
“Scanning large files demands more resources, which can degrade system performance during the process,” noted the cybersecurity firm. “To mitigate heavy memory usage, some antivirus engines set size limits for scanning, allowing oversized files to bypass detection.”
The file inflation tactic has been employed to deliver additional malware, such as Agent Tesla, AsyncRAT, Quasar RAT, and Remcos RAT, the firm added.
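The file inflation tactic works only if "too large to scan" silently becomes "allowed". The script below is an added example, not code from Trellix or the article, of a gateway policy that refuses to make that default: it measures the trailing repeated-byte run and the compressibility of an oversized file, strips obvious padding so the real content fits under the engine's limit, and holds anything that is large but not obviously padded for deeper analysis. The 100 MB figure comes from the article; the `SCAN_LIMIT` constant, the half-of-file padding threshold, and the pseudo-random sample bodies are this example's assumptions.

```python
import random
import zlib

SCAN_LIMIT = 100 * 1024 * 1024  # assumed per-file limit of the inline scanner (100 MB)


def trailing_run(data: bytes) -> tuple:
    """Return (byte value, length) of the repeated-byte run at the end of data."""
    if not data:
        return None, 0
    last = data[-1:]
    return last[0], len(data) - len(data.rstrip(last))


def sampled_compress_ratio(data: bytes, sample_chunks: int = 16, chunk: int = 65536) -> float:
    """Compressed/raw ratio over evenly spaced chunks (whole file when small).
    Padding compresses to almost nothing, so a very low ratio is a second hint."""
    if not data:
        return 1.0
    if len(data) <= chunk * sample_chunks:
        sample = data
    else:
        step = (len(data) - chunk) // (sample_chunks - 1)
        sample = b"".join(data[i * step:i * step + chunk] for i in range(sample_chunks))
    return len(zlib.compress(sample, 6)) / len(sample)


def assess(data: bytes, scan_limit: int = SCAN_LIMIT) -> dict:
    """Decide how a file is handled; oversized never maps to 'allow'."""
    size = len(data)
    pad_byte, run = trailing_run(data)
    padded = size > 0 and run >= size // 2   # half or more is one repeated byte
    if size <= scan_limit:
        action = "scan"
    elif padded and size - run <= scan_limit:
        action = "scan_trimmed"   # strip the padding and scan the real content
    else:
        action = "sandbox"        # large and not obviously padded: hold for deeper analysis
    return {
        "size": size,
        "pad_byte": pad_byte,
        "trailing_run": run,
        "compress_ratio": round(sampled_compress_ratio(data), 4),
        "padded": padded,
        "action": action,
    }


def trimmed(data: bytes) -> bytes:
    """Content with the trailing padding run removed, for the 'scan_trimmed' path."""
    _, run = trailing_run(data)
    return data[:len(data) - run] if run else data


def constructed_sample(n: int, seed: int = 7) -> bytes:
    """Deterministic pseudo-random bytes standing in for a real file body (constructed)."""
    rng = random.Random(seed)
    return b"MZ" + bytes(rng.getrandbits(8) for _ in range(n - 3)) + b"\xff"


if __name__ == "__main__":
    body = constructed_sample(4096)
    # A small limit keeps the demo quick; the idea is identical at 100 MB.
    print(assess(body + b"\x00" * 200_000, scan_limit=100_000))
    print(assess(constructed_sample(120_000), scan_limit=100_000))
```

Trimming is only safe because the padding is inert data appended after the real content; the trimmed bytes are what the engine scans, while the original file is what gets delivered or quarantined based on that result.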
Moreover, the adversarial use of GenAI for exploit development and deepfake generation by various threat actors emphasizes the need for stringent security measures, ethical standards, and oversight mechanisms.
Innovative methods to bypass traditional detection mechanisms have extended to campaigns like TrkCdn, SpamTracker, and SecShow, leveraging Domain Name System (DNS) tunneling to monitor when targets open phishing emails and click on malicious links, track spam delivery, and scan victim networks for vulnerabilities.
“The DNS tunneling technique used in the TrkCdn campaign is designed to track a victim’s interaction with email content,” reported Palo Alto Networks Unit 42. Attackers embed content in the email that, upon opening, performs a DNS query to attacker-controlled subdomains.
“[SpamTracker] uses emails and website links to deliver spam and phishing content. The campaign aims to lure victims into clicking links, behind which threat actors hide their payload in subdomains.”
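The tracking behaviour described for TrkCdn and SpamTracker has a recognisable footprint in resolver logs: one parent domain receives many lookups for leftmost labels that are high-entropy, each used exactly once, and spread across many clients. The following profiler is an added example, not Unit 42's detection or tooling; it runs over constructed log lines in a `<timestamp> <client> <qname> <qtype>` format and flags parent domains matching that shape. The log format, the `cdn-metrics.invalid` domain, the thresholds, and the two-label approximation of a parent domain (a production version would consult the Public Suffix List) are all assumptions of this example.

```python
import math
from collections import Counter, defaultdict

# Constructed log lines, not real traffic. The labels under cdn-metrics.invalid
# mimic one-time, per-recipient identifiers; example.com traffic is ordinary
# repeated lookups from the same clients.
SAMPLE_DNS_LOG = """\
2024-05-20T08:01:02Z 10.0.0.12 www.example.com A
2024-05-20T08:01:03Z 10.0.0.12 3f9a1c7e5b2d8046.cdn-metrics.invalid A
2024-05-20T08:01:09Z 10.0.0.15 mail.example.com A
2024-05-20T08:02:11Z 10.0.0.15 8b2e5a0c9f1d3746.cdn-metrics.invalid. A
2024-05-20T08:02:40Z 10.0.0.21 www.example.com A
2024-05-20T08:03:02Z 10.0.0.21 c71e3b9a5d2f0846.cdn-metrics.invalid A
2024-05-20T08:03:55Z 10.0.0.33 5d0f8a2c6b1e3947.cdn-metrics.invalid A
2024-05-20T08:04:10Z 10.0.0.12 mail.example.com A
2024-05-20T08:05:17Z 10.0.0.40 e2a9c4f1b7d50368.cdn-metrics.invalid A
2024-05-20T08:06:48Z 10.0.0.41 9b6d1e8f3a2c0457.cdn-metrics.invalid A
2024-05-20T08:07:30Z 10.0.0.15 www.example.com A
2024-05-20T08:08:02Z 10.0.0.52 1c8e2b5f9d3a6047.cdn-metrics.invalid A
"""


def shannon_entropy(label: str) -> float:
    """Bits per character; generated identifiers score high, words score low."""
    n = len(label)
    if n == 0:
        return 0.0
    counts = Counter(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str) -> list:
    """Parse the assumed '<timestamp> <client> <qname> <qtype>' lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        records.append((ts, client, qname.rstrip(".").lower(), qtype))
    return records


def parent_domain(qname: str) -> str:
    """Last two labels only (assumption; no Public Suffix List here)."""
    return ".".join(qname.split(".")[-2:])


def profile_domains(records, min_unique=5, min_single_use=0.8, min_entropy=3.0) -> dict:
    """Per parent domain: how many distinct leftmost labels, how many were
    queried once, how random they look, and whether that matches tracking."""
    stats = defaultdict(lambda: {"labels": Counter(), "clients": set()})
    for _, client, qname, _ in records:
        parts = qname.split(".")
        if len(parts) < 3:
            continue  # bare parent domain, no leftmost label to examine
        entry = stats[parent_domain(qname)]
        entry["labels"][parts[0]] += 1
        entry["clients"].add(client)

    findings = {}
    for parent, entry in stats.items():
        labels = entry["labels"]
        unique = len(labels)
        single_use = sum(1 for n in labels.values() if n == 1) / unique
        mean_entropy = sum(shannon_entropy(l) for l in labels) / unique
        flagged = (unique >= min_unique and single_use >= min_single_use
                   and mean_entropy >= min_entropy)
        findings[parent] = {
            "unique_labels": unique,
            "single_use_fraction": round(single_use, 2),
            "mean_label_entropy": round(mean_entropy, 2),
            "clients": len(entry["clients"]),
            "flagged": flagged,
        }
    return findings


if __name__ == "__main__":
    for parent, info in profile_domains(parse_log(SAMPLE_DNS_LOG)).items():
        print(parent, info)
```

Legitimate CDNs and telemetry services also use generated labels, so a flag is a starting point for enrichment (domain age, who registered it, which mailboxes the clients belong to) rather than a verdict; the per-client spread is the detail that distinguishes one recipient being tracked from a whole campaign landing in the organisation.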
Also noteworthy is a surge in phishing and malvertising campaigns that use malicious search-engine ads for popular software to trick users into installing information stealers and remote access trojans such as SectopRAT (aka ArechClient).
Furthermore, bad actors have been setting up counterfeit pages mimicking financial institutions like Barclays, delivering legitimate remote desktop software like AnyDesk under the pretense of offering live chat support, thereby gaining remote access to victims’ systems.
“It’s crucial to be extremely cautious with sponsored results,” advised Malwarebytes’ Jerome Segura. “Often, there’s no easy way to tell if an ad is legitimate. Criminals can create malicious installers that evade detection and lead to compromise through a series of steps.”