New Tricks in the Phishing Playbook: Cloudflare Workers, HTML Smuggling, GenAI

May 27, 2024 at 06:06AM

Researchers have identified phishing campaigns abusing Cloudflare Workers to serve phishing sites targeting Microsoft, Gmail, Yahoo!, and cPanel Webmail users. The phishing method, called transparent phishing, uses Cloudflare Workers as a reverse proxy in front of the legitimate login page. The attacks predominantly target Asia, North America, and Southern Europe, using HTML smuggling to deliver the malicious payload and bypass security controls.

Key takeaways:

1. Cybersecurity researchers have identified phishing campaigns abusing Cloudflare Workers to serve phishing sites targeting the credentials associated with Microsoft, Gmail, Yahoo!, and cPanel Webmail.

2. The attack method, known as transparent phishing or adversary-in-the-middle (AitM) phishing, uses Cloudflare Workers to act as a reverse proxy server for legitimate login pages, intercepting traffic to capture credentials, cookies, and tokens.

3. Phishing campaigns hosted on Cloudflare Workers have targeted victims in Asia, North America, and Southern Europe, with a majority focused on technology, financial services, and banking sectors.

4. The increase in traffic to Cloudflare Workers-hosted phishing pages was first observed in Q2 2023, with a spike in the total number of distinct domains from over 1,000 in Q4 2023 to nearly 1,300 in Q1 2024.

5. Threat actors use HTML smuggling, assembling the malicious payload in the victim's browser rather than sending it as a recognisable file, so that security controls inspecting the attachment in transit never see the complete payload.

6. The phishing campaigns utilize a modified version of an open-source Cloudflare AitM toolkit to host fake sign-in pages and harvest credentials and multi-factor authentication (MFA) codes.

7. A particular campaign involves invoice-themed phishing emails containing HTML attachments masquerading as PDF viewer login pages to steal email account credentials.

8. Phishing-as-a-service (PhaaS) toolkits like Greatness are used to steal Microsoft 365 login credentials, circumvent MFA, and target sectors such as financial services, manufacturing, energy/utilities, retail, and consulting.

9. Threat actors are leveraging generative artificial intelligence (GenAI) to craft phishing emails and deliver compressed file attachments containing large malware payloads to evade analysis.

10. Other techniques used to bypass traditional detection include DNS tunneling and malvertising campaigns that impersonate popular software in search engine results.
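Detection heuristics for the HTML smuggling technique in item 5, as an added example that is not code from the article or from any researcher it cites: a scorer that inspects an HTML attachment for the decode, Blob and forced-download chain together with an embedded base64 literal, run over constructed samples. The indicator names, the 200-character threshold and the two sample documents are my own assumptions.

```python
import base64
import re

# Heuristics for HTML smuggling in a mail attachment: the payload travels as an
# encoded string literal inside the HTML and is decoded, wrapped in a Blob and
# handed to the browser as a download only once the page is opened locally.
INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "blob_construct": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "forced_download": re.compile(r"\.download\s*=|msSaveOrOpenBlob"),
    "auto_click": re.compile(r"\.click\s*\(\s*\)"),
}
# A quoted run of 200+ base64 characters; real payloads are far longer.
BASE64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{200,}={0,2})['\"]")


def analyze_html_attachment(html: str) -> dict:
    """Score one HTML attachment; returns matched indicators and a verdict."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    largest = max((len(s) for s in BASE64_LITERAL.findall(html)), default=0)
    # Blob/download APIs alone are common in benign exporters, so the verdict
    # requires an embedded encoded blob plus at least two stages of the chain.
    # Limitation: a page that fetches its payload instead of embedding it only
    # shows up through the indicator list, not the verdict.
    return {"indicators": hits, "largest_literal": largest,
            "suspicious": largest > 0 and len(hits) >= 2}


# Constructed samples (not real campaign artifacts). The "payload" is a base64
# placeholder string, so the first sample delivers nothing if opened.
PLACEHOLDER = base64.b64encode(b"constructed benign placeholder text " * 8).decode()
SMUGGLING_SAMPLE = """<html><body><p>Opening your invoice...</p>
<script>
  var data = "__PAYLOAD__";
  var blob = new Blob([atob(data)], { type: "application/octet-stream" });
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "invoice.pdf";
  a.click();
</script></body></html>""".replace("__PAYLOAD__", PLACEHOLDER)
BENIGN_SAMPLE = """<html><body><form action="/login" method="post">
<input name="user"><input name="pass" type="password"><button>Sign in</button>
</form></body></html>"""

if __name__ == "__main__":
    for label, sample in (("smuggling", SMUGGLING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, analyze_html_attachment(sample))
```

A mail gateway would run this over every `text/html` attachment and quarantine or sandbox anything flagged `suspicious`; the indicator list alone is useful for hunting across already-delivered mail.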
