Explosive growth in phishing via Cloudflare Pages and Workers

Cybercriminals are increasingly abusing Cloudflare’s “pages.dev” and “workers.dev” domains, which developers use to host Web pages. Criminals are using these domains for phishing and other malicious activities.

This is according to reporting by BleepingComputer. Cybersecurity firm Fortra reports that the misuse of these domains increased by 100% to 250% from 2023. Researchers suspect criminals use these domains to make their campaigns more reliable and effective. They take advantage of Cloudflare’s trusted reputation, reliable service, low usage costs, and reverse proxy capabilities, which make detection difficult.

Misuse of Cloudflare Pages

Cloudflare Pages provides front-end developers with a platform to build, deploy, and host fast and scalable websites through Cloudflare’s global Content Delivery Network (CDN). The platform supports modern web application frameworks and provides standard SSL/TLS encryption for secure HTTPS connections without additional configuration.

Hosting phishing pages

Fortra reports that cybercriminals use Cloudflare Pages to host phishing pages that redirect victims to malicious sites, for example fake login pages for Microsoft Office 365. These pages reach victims through links in fraudulent PDF files or phishing emails. Because of Cloudflare’s good reputation, these links often go undetected by security software.

Fortra’s SEA team reports a 198% increase in phishing attacks on Cloudflare Pages, seeing the number of incidents increase from 460 in 2023 to 1,370 in mid-October 2024. On average, researchers note about 137 incidents per month. “The total volume of attacks is expected to surpass 1,600 by year-end, representing a projected year-over-year increase of 257%.”

Additionally, threat actors have been seen using “bccfoldering” to hide the size of their email campaigns. Unlike the cc field, which shows recipients, bccfoldering hides recipients by adding them only to the email envelope, not the headers. This makes it more difficult to detect the scale of the phishing campaign.
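Because bccfoldering leaves the real recipients only in the envelope, a mail gateway that logs the envelope recipient next to each message can still recover the campaign size. The following is an added example, not code from Fortra or BleepingComputer; the sample deliveries, addresses and hostnames are constructed, and it assumes all copies of a campaign message share one Message-ID.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: (envelope RCPT TO, raw message) pairs as a mail gateway
# might log them. All addresses and hostnames are made up.
PHISH = ("From: it-support@example.net\nTo: helpdesk@example.net\n"
         "Message-ID: <c1@example.net>\nSubject: Password expiry\n\n"
         "Sign in: https://login-portal.pages.dev/o365\n")
NEWS = ("From: news@example.org\nTo: alice@corp.example\n"
        "Message-ID: <n1@example.org>\nSubject: Weekly digest\n\n"
        "Read: https://example.org/digest\n")
DELIVERIES = [("alice@corp.example", PHISH), ("bob@corp.example", PHISH),
              ("carol@corp.example", PHISH), ("alice@corp.example", NEWS)]

# Links hosted on the two Cloudflare developer domains named in the article.
CF_LINK = re.compile(r"https?://[\w.-]+\.(?:pages|workers)\.dev\b", re.I)

def header_recipients(msg):
    """Addresses visible in the To and Cc headers, lower-cased."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(fields) if addr}

def hidden_recipient_campaigns(deliveries, min_hidden=2):
    """Group deliveries by Message-ID and report those where several envelope
    recipients never appear in the headers (the bccfoldering pattern)."""
    hidden = defaultdict(set)
    links = defaultdict(set)
    for rcpt, raw in deliveries:
        msg = message_from_string(raw)
        mid = msg.get("Message-ID", "<missing>")
        if rcpt.lower() not in header_recipients(msg):
            hidden[mid].add(rcpt.lower())
        links[mid].update(CF_LINK.findall(msg.get_payload()))
    return {mid: {"hidden_recipients": sorted(r),
                  "cloudflare_links": sorted(links[mid])}
            for mid, r in hidden.items() if len(r) >= min_hidden}

if __name__ == "__main__":
    for mid, info in hidden_recipient_campaigns(DELIVERIES).items():
        print(mid, info)
```

Legitimate bcc mail and mailing lists produce the same envelope/header mismatch, so the result is a triage signal to combine with other indicators, not a verdict.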

Misuse of Cloudflare Workers

Cloudflare Workers is a computing platform that allows developers to deploy applications and scripts directly on Cloudflare’s edge network. This platform supports applications such as APIs, content optimization, custom firewalls, task automation, and microservices.

Criminals are abusing Cloudflare Workers for DDoS attacks, phishing pages, injecting malicious scripts into browsers, and brute-force attacks on accounts.

Researchers report that criminals are using Cloudflare Workers to add a human verification step to phishing processes, making the pages appear more legitimate.

The researchers note a 104% increase in phishing attacks on the platform, from 2,447 incidents in 2023 to 4,999 incidents in 2024. This amounts to an average of 499 incidents per month. The number of incidents is expected to reach nearly 6,000 this year, up 145% from last year.

Protection against abuse

Users can protect themselves by verifying that a URL is legitimate before entering sensitive information. Additional security steps, such as two-factor authentication, reduce the likelihood of account takeovers even if login credentials are stolen.