Phishing Playbook

Cybersecurity researchers are alerting of phishing campaigns that abuse Cloudflare Workers to serve phishing sites that are used to harvest users' credentials associated with Microsoft, Gmail, Yahoo!, and cPanel Webmail.

The attack method, called transparent phishing or adversary-in-the-middle (AitM) phishing, "uses Cloudflare Workers to act as a reverse proxy server for a legitimate login page, intercepting traffic between the victim and the login page to capture credentials, cookies, and tokens," Netskope researcher Jan Michael Alcantara said in a report.

A majority of phishing campaigns hosted on Cloudflare Workers over the past 30 days have targeted victims in Asia, North America, and Southern Europe, spanning technology, financial services, and banking sectors.

The cybersecurity firm said that an increase in traffic to Cloudflare Workers-hosted phishing pages was first registered in Q2 2023, noting it observed a spike in the total number of distinct domains, jumping from a little over 1,000 in Q4 2023 to nearly 1,300 in Q1 2024.

The phishing campaigns make use of a technique called HTML smuggling, which involves using malicious JavaScript to assemble the malicious payload on the client side to evade security protections. It also serves to highlight the sophisticated strategies threat actors are using to deploy and execute attacks on targeted systems.

What's different in this case is that the malicious payload is a phishing page, which is reconstructed and displayed to the user on a web browser

Cybersecurity

The phishing page, for its part, urges the victim to sign in with Microsoft Outlook or Office 365 (now Microsoft 365) to view a purported PDF document. Should they follow through, fake sign-in pages hosted on Cloudflare Workers are used to harvest their credentials and multi-factor authentication (MFA) codes.

"The entire phishing page is created using a modified version of an open-source Cloudflare AitM toolkit," Michael Alcantara said. "Once the victim accesses the attacker's login page, the attacker collects its web request metadata."

"Once the victim enters their credentials, they will be logged in to the legitimate website, and the attacker will collect the tokens and cookies in the response. Furthermore, the attacker will also have visibility into any additional activity the victim performs after login."

HTML smuggling as a payload delivery mechanism is being increasingly favored by threat actors who wish to bypass modern defenses, making it possible to serve fraudulent HTML pages and other malware without raising any red flags.

In one instance highlighted by Huntress Labs, the fake HTML file is used to inject an iframe of the legitimate Microsoft authentication portal that's retrieved from an actor-controlled domain.

"This has the hallmarks of an MFA-bypass adversary-in-the-middle transparent proxy phishing attack, but uses an HTML smuggling payload with an injected iframe instead of a simple link," security researcher Matt Kiely said.

Another campaign that has attracted attention involves invoice-themed phishing emails containing HTML attachments that masquerade as PDF viewer login pages to steal users' email account credentials, before redirecting them to a URL hosting the so-called "proof of payment."

In recent years, email-based phishing attacks have taken various forms, including leveraging phishing-as-a-service (PhaaS) toolkits like Greatness to steal Microsoft 365 login credentials and circumvent MFA using the AitM technique, with attackers incorporating QR codes within PDF files and utilizing CAPTCHA checks before redirecting victims to the bogus login page.

Financial services, manufacturing, energy/utilities, retail, and consulting entities located in the U.S., Canada, Germany, South Korea, and Norway have emerged as the top sectors targeted by the Greatness PhaaS.

"These services offer advanced capabilities that appeal to attackers by saving them time on development and evasion tactics," Trellix researchers Daksh Kapur, Vihar Shah, and Pooja Khyadgi said in an analysis published last week.

The development comes as threat actors are constantly finding new ways to outsmart security systems and propagate malware by resorting to generative artificial intelligence (GenAI) to craft effective phishing emails and delivering compressed file attachments containing overly large malware payloads (more than 100 MB in size) in hopes of evading analysis.

"Scanning larger files takes more time and resources, which can slow down the overall system performance during the scan process," the cybersecurity firm said. "To minimize heavy memory footprint, some antivirus engines may set size limits for scanning, leading to oversized files being skipped."

Cybersecurity

The file inflation method has been observed as an attack ploy to deliver additional malware, such as Agent Tesla, AsyncRAT, Quasar RAT, and Remcos RAT, it added.

What's more, the adversarial use of GenAI for exploit development and deepfake generation by various threat actors underscores the need for robust security measures, ethical guidelines, and oversight mechanisms.

The use of innovative approaches to bypass traditional detection mechanisms have also extended to campaigns like TrkCdn, SpamTracker, and SecShow that are leveraging Domain Name System (DNS) tunneling to monitor when their targets open phishing emails and click on malicious links, track spam delivery, as well as to scan victim networks for potential vulnerabilities.

"The DNS tunneling technique used in the TrkCdn campaign is meant to track a victim's interaction with its email content," Palo Alto Networks Unit 42 said in a report published earlier this month, adding the attackers embed content in the email that, when opened, performs a DNS query to attacker-controlled subdomains.

"[SpamTracker] employs emails and website links to deliver spam and phishing content. The intent of the campaign is to lure victims to click on the links behind which threat actors have concealed their payload in the subdomains."

The findings also come amid a surge in malvertising campaigns that take advantage of malicious ads for popular software on search engine results to trick users into installing information stealers and remote access trojans such as SectopRAT (aka ArechClient).

On top of that, bad actors have been observed setting up counterfeit pages mimicking financial institutions like Barclays that deliver legitimate remote desktop software like AnyDesk under the guise of offering live chat support, granting them remote access to the systems in the process.

"It is more important than ever to be extremely cautious when it comes to sponsored results," Malwarebytes' Jerome Segura said. "Oftentimes, there is no easy way to determine whether an ad is legitimate or not. Criminals are able to create malicious installers that can evade detection and lead to compromise via a series of steps."


Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.