A recent study by cybersecurity firm Fortra has revealed that Cloudflare’s Pages.dev and Workers.dev platforms are increasingly being abused by cybercriminals to host phishing attacks.
These platforms, intended to help developers build websites and deploy serverless applications, have become an attractive option for attackers.
Leveraging Cloudflare’s trusted branding, global infrastructure, and free hosting capabilities, threat actors can create convincing phishing campaigns to deceive users and steal sensitive information.
This article explores how these platforms are exploited, the tactics used in phishing campaigns, the alarming rise in attack volumes, and how you can protect yourself and your systems.
Why Are Cloudflare Platforms Targeted?
Cloudflare Pages.dev provides free and easy-to-use web hosting, while Workers.dev is a serverless computing platform designed to execute code closer to the end user.
These services are appealing to attackers for several reasons:
- Reputation and Trust: Cloudflare is a well-known and trusted provider. Phishing sites hosted on Cloudflare infrastructure inherit this trust, making them harder to detect. Victims often assume such sites are safe because they are backed by a recognizable name.
- Global Reach and Speed: Cloudflare’s global CDN ensures that phishing pages load quickly and reliably across different regions. Attackers benefit from these same performance improvements, ensuring their fraudulent campaigns run efficiently.
- Automatic SSL/TLS Encryption: Pages.dev and Workers.dev automatically enable SSL/TLS encryption, providing phishing sites with the padlock icon and HTTPS designation. Many users mistakenly interpret these features as a guarantee of site safety, when they only mean the connection is encrypted, not that the site is honest.
- Ease of Use: Cloudflare’s platforms allow attackers to deploy phishing campaigns with minimal resources or technical expertise. Free hosting and built-in features lower the barrier to entry for cybercriminals.
- URL Masking and Custom Domains: Custom domains and URL masking options enable attackers to disguise malicious links effectively. Combined with Cloudflare’s reverse proxying, this makes tracing the source of malicious content difficult for security teams.
How Cybercriminals Abuse Pages.dev
Phishing redirects are among the most common threats hosted on Pages.dev. These redirects help attackers avoid detection and improve the success rates of their campaigns.
A typical phishing email in these campaigns asks the recipient to review or download a document.
Clicking the link takes the victim to what appears to be a legitimate Microsoft OneDrive page.
The attacker uses this familiar interface to convince the victim to download a fraudulent document, which leads to another phishing redirect.
Upon clicking the “Open” button on the fraudulent OneDrive page, the victim is taken to a Cloudflare Pages URL, which then redirects to a Microsoft Office365 credential theft page.
Here, the victim’s credentials are harvested. These credentials can then be used for:
- Data breaches.
- Business email compromise (BEC).
- Malware deployment.
- Lateral movements within an organization.
- Privilege escalation.
Another tactic is bccfoldering (BCC foldering) for email distribution. Attackers place the real recipient list in the BCC field so that each victim sees only a generic or spoofed To address, making it difficult for security tools and investigators to identify the scale of the campaign.
The Role of Workers.dev in Phishing Attacks
Cloudflare Workers lets attackers deploy JavaScript that runs on Cloudflare’s edge servers, close to the users who request it, so a malicious Worker can serve or redirect content without the attacker operating any server of their own.
While designed for legitimate use cases like improving web application performance, this platform has also been exploited for:
- Malicious redirects.
- Phishing sites.
- Distributed Denial of Service (DDoS) attacks.
- Exfiltration of sensitive user data.
- Brute-force login attempts.
- Injection of harmful scripts.
In one observed campaign, Workers.dev was used to create a fake human verification page.
This page mimicked a CAPTCHA system, adding a layer of perceived legitimacy to the phishing attempt.
Victims were then redirected to a Microsoft Office365 phishing page, where they were prompted to enter sensitive information.
Attackers rely on the familiarity of security measures like CAPTCHAs to lower users’ defenses. As a result, victims are more likely to enter credentials without suspicion.
The Alarming Rise in Phishing Attacks
The volume of phishing attacks targeting Cloudflare Pages.dev and Workers.dev has surged dramatically in recent years, reflecting a worrying trend in the misuse of these platforms.
According to Fortra’s Suspicious Email Analysis (SEA) team, phishing incidents on Pages.dev have risen by 198% between 2023 and 2024. In 2023, there were 460 reported incidents.
By mid-October 2024, this number had grown to 1,370, with an average of 137 incidents occurring each month.
If this trend continues, the total number of attacks is expected to exceed 1,600 by the end of 2024, representing a projected year-over-year increase of 257%.
Similarly, phishing attacks exploiting Workers.dev have also increased significantly. In 2023, there were 2,447 incidents.
This number jumped to 4,999 incidents as of mid-October 2024, marking a 104% rise.
With an average of 499 incidents reported monthly, the total number of Workers.dev attacks is projected to reach nearly 6,000 by year-end, reflecting a 145% increase compared to the previous year.
These statistics highlight a troubling growth in cybercriminal activity on Cloudflare’s platforms, as attackers continue to exploit the ease of use, global reach, and reputation of these services to carry out their malicious campaigns.
Cloudflare’s Response to Abuse
Cloudflare has implemented several security measures, including:
- Phishing detection systems.
- User reporting mechanisms.
- Takedown processes for malicious content.
However, these measures are not foolproof. Attackers often exploit the platforms faster than threats can be detected and mitigated.
The technology itself is not flawed, but its misuse highlights the constant need for vigilance and adaptation in cybersecurity practices.
Protecting Yourself Against Phishing Attacks
You can take several steps to safeguard against phishing campaigns:
- Verify URLs: Before clicking a link, hover over it to check the actual destination. Look for mismatches between the displayed link and the destination URL, and treat links that lead to pages.dev or workers.dev hostnames in an email about documents or logins as suspect.
- Be Wary of Unsolicited Emails: Treat emails requesting sensitive information with caution, especially if they include links or attachments.
- Enable Two-Factor Authentication (2FA): Adding 2FA to your accounts provides an extra layer of security if your password is stolen. Note that a phishing page can also prompt for a one-time code and relay it, so phishing-resistant methods such as FIDO2 security keys or passkeys offer stronger protection than SMS or app codes.
- Stay Informed: Familiarize yourself with common phishing tactics to recognize red flags.
- Report Suspicious Activity: If you suspect phishing, report it to Cloudflare or other relevant authorities to aid in the takedown of malicious sites.
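The link-checking advice above, and the OneDrive → Pages.dev → credential page chain described earlier, can be turned into a simple mail-triage check. The script below is an added example written for this article; it is not Fortra’s or Cloudflare’s tooling. It extracts links from an email body, flags destinations on pages.dev or workers.dev (matching whole DNS labels, so a lookalike such as pages.dev.example.com is not counted), reports anchor text that displays one host while pointing at another, and classifies a captured redirect chain. The sample email, the hostnames in it, and the redirect chain are constructed for the example; the Microsoft brand domains are an assumption for a Microsoft-themed lure.

```python
"""Flag phishing-style links that lead through Cloudflare developer hosting.

Added illustration, not Fortra's or Cloudflare's tooling. The sample email and
redirect chain at the bottom are constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosting suffixes discussed in the article, matched as whole DNS labels so
# that "pages.dev.example.com" is not mistaken for Cloudflare Pages.
CLOUDFLARE_DEV_SUFFIXES = ("pages.dev", "workers.dev")

# Assumption for the example: the lure impersonates Microsoft, so links whose
# text mentions the brand should land on one of these registrable domains.
BRAND_DOMAINS = ("microsoft.com", "microsoftonline.com", "office.com", "live.com")
BRAND_WORDS = ("microsoft", "onedrive", "office 365", "office365", "sharepoint")


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL ('' if the string has none)."""
    return (urlsplit(url.strip()).hostname or "").lower()


def under_domain(host: str, domains) -> bool:
    """True if host equals one of the domains or is a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in domains)


def is_cloudflare_dev_host(host: str) -> bool:
    return under_domain(host, CLOUDFLARE_DEV_SUFFIXES)


def displayed_host(text: str) -> str:
    """Hostname a reader would see in the anchor text, if that text is a URL."""
    t = text.strip()
    if "://" in t:
        return host_of(t)
    if t.lower().startswith("www."):
        return host_of("https://" + t)
    return ""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a href=...> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_links(html: str) -> list:
    """One finding per link; 'reasons' is empty for links that look benign."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        reasons = []
        if is_cloudflare_dev_host(host):
            reasons.append("destination is on Cloudflare Pages/Workers dev hosting")
        shown = displayed_host(text)
        if shown and shown != host:
            reasons.append(f"link text shows {shown} but points to {host}")
        if any(w in text.lower() for w in BRAND_WORDS) and not under_domain(host, BRAND_DOMAINS):
            reasons.append("Microsoft-themed link text leads outside Microsoft domains")
        findings.append({"href": href, "text": text, "host": host, "reasons": reasons})
    return findings


def classify_chain(hops: list) -> dict:
    """Summarise a redirect chain (URLs in order, e.g. as recorded by a URL sandbox)."""
    hosts = [host_of(u) for u in hops]
    via_dev = [h for h in hosts if is_cloudflare_dev_host(h)]
    final = hosts[-1] if hosts else ""
    return {
        "via_cloudflare_dev": via_dev,
        "final_host": final,
        # A bounce through Cloudflare dev hosting that ends on a non-Microsoft
        # host is the pattern the article describes.
        "suspicious": bool(via_dev) and not under_domain(final, BRAND_DOMAINS),
    }


# Constructed sample lure (not a real campaign artefact).
SAMPLE_EMAIL_HTML = """
<p>A document has been shared with you.</p>
<a href="https://review-docs.pages.dev/open">Review document</a><br>
<a href="https://verify-human.workers.dev/check">https://onedrive.live.com/share</a><br>
<a href="https://www.microsoft.com/privacy">Privacy statement</a>
"""

# Constructed chain mirroring the OneDrive -> Pages.dev -> Office 365 lure.
SAMPLE_CHAIN = [
    "https://verify-human.workers.dev/check",
    "https://review-docs.pages.dev/open",
    "https://login-office365.example.net/auth",
]

if __name__ == "__main__":
    for f in analyze_links(SAMPLE_EMAIL_HTML):
        print(f["href"], "->", f["reasons"] or "ok")
    print(classify_chain(SAMPLE_CHAIN))
```

A legitimate site on Pages.dev can of course redirect to a real Microsoft sign-in, which is why classify_chain only treats the chain as suspicious when it ends outside the brand’s domains; in practice you would feed it the hops recorded by your URL sandbox or secure email gateway rather than following links from the mail client.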
For developers using Cloudflare Pages and Workers, security best practices include:
- Regularly updating site dependencies.
- Using HTTPS for all connections.
- Monitoring for unusual activity.
Final Thoughts
The surge in phishing attacks abusing Cloudflare Pages.dev and Workers.dev reflects cybercriminals’ ability to exploit even the most trusted platforms.
While Cloudflare is not to blame for the abuse, its widespread adoption and robust infrastructure make it a valuable tool for attackers.
As phishing campaigns become more sophisticated, your vigilance and proactive measures are your best defense against these evolving threats.
Stay cautious, scrutinize links, and report malicious activity to help curb this growing trend.