{"id":7953,"date":"2024-06-12T06:24:45","date_gmt":"2024-06-12T06:24:45","guid":{"rendered":"\/cybersecurity-blog\/?p=7953"},"modified":"2024-08-06T08:20:49","modified_gmt":"2024-08-06T08:20:49","slug":"cloudflare-phishing-campaign","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/cloudflare-phishing-campaign\/","title":{"rendered":"Cybercriminals Exploit Cloudflare Workers and HTML Smuggling in New Phishing Campaign\u00a0"},"content":{"rendered":"\n

<\/p>\n\n\n\n

Researchers warn<\/a> about a new wave of phishing attacks.  <\/p>\n\n\n\n

The attacks exploit Cloudflare Workers and HTML smuggling to steal user credentials from Microsoft, Gmail, Yahoo!, and cPanel Webmail. <\/p>\n\n\n\n

What’s happening? <\/h2>\n\n\n\n

Threat actors are using Cloudflare Workers to act as reverse proxy servers for legitimate login pages, intercepting traffic between victims and the login pages. The aim is to capture credentials, cookies, and tokens.  <\/p>\n\n\n\n

Users in Asia, North America, and Southern Europe are targeted. <\/p>\n\n\n\n

Breaking down the attack chain <\/h2>\n\n\n\n

The phishing campaigns use a unique approach where the malicious payload is a phishing page itself, reconstructed and presented to the user in their web browser.   <\/p>\n\n\n\n

This phishing page prompts the victim to sign in with their Microsoft Outlook or Microsoft 365 account, claiming that they need to do so to view a supposed PDF document. <\/p>\n\n\n\n

If the victim falls for the trick and enters their credentials, they are redirected to fake sign-in pages hosted on Cloudflare Workers. These pages are designed to harvest not only the victim’s login information but also their MFA codes. <\/p>\n\n\n\n

The entire phishing page is built using a modified version of an open-source Cloudflare Adversary in the Middle (AitM) toolkit. <\/p>\n\n\n\n

When the victim visits the spoofed login page, the attacker collects the web request metadata. They then redirect the victim, who logs in to the legitimate site, and the attacker collects tokens and cookies from the response.   <\/p>\n\n\n\n

This allows the attacker to track what the victim does after they log in. <\/p>\n\n\n\n

What is HTML smuggling? <\/h2>\n\n\n\n

HTML smuggling, used in this campaign, is a payload delivery mechanism that has gained traction in recent years. Hackers use this technique to “smuggle” malicious code behind firewalls without triggering security alerts.   <\/p>\n\n\n\n

Here’s how it works: <\/strong><\/p>\n\n\n\n

    \n
  1. The attacker first encodes malicious script within an HTML document. <\/li>\n<\/ol>\n\n\n\n
      \n
    1. When a user opens the page in their web browser, the browser decodes the malicious script. <\/li>\n<\/ol>\n\n\n\n
        \n
      1. The script then assembles the payload on the user’s device. <\/li>\n<\/ol>\n\n\n\n

        In practice, this means that the malicious executable doesn’t have to pass through a firewall \u2014 instead, the attacker builds the malware locally on the target system.  <\/p>\n\n\n\n

        In this campaign, the attackers use HTML smuggling in a creative way \u2014 to build the actual phishing page on the user’s device. <\/p>\n\n\n\n

        New phishing tactics? <\/h2>\n\n\n\n

        The phishing campaigns, in general, are becoming more sophisticated, researchers warn. Many employ an array of well-known and new phishing tools: <\/p>\n\n\n\n