Category: Adversary Intelligence
Industry: Finance and Banking
Motivation: Financial
Region: India
Source*: A1
Executive Summary
Threat
- JAMStack platform Cloudflare Pages misused to launch phishing campaigns targeting Indian banking customers.
- PII and banking credentials compromised.
Impact
- Loss of revenue and reputation for the brands being impersonated.
- PII can be exploited to conduct banking frauds and other social engineering attacks.
Mitigation
- Identify and report fake domains.
- Create an inclusive awareness campaign for customers to educate them about the organization's processes.
Analysis and Attribution
- CloudSEK’s contextual AI digital risk monitoring platform XVigil uncovered yet another improvised modus operandi used by threat actors to target banking customers in India through a phishing campaign.
- Previously, CloudSEK researchers discovered a method where cybercriminals exploited reverse tunnel services and URL shorteners to launch large-scale phishing campaigns.
- In this new modus operandi, threat actors are misusing another service, i.e. Cloudflare Pages (a JAMStack platform), to target Indian banking customers.
Modus Operandi
- The threat actors use the smishing technique, distributing links to phishing websites via SMS or pretexting.
- The message templates are designed to create a sense of panic.
- The messages contain a shortened URL that redirects to a phishing website whose address looks like <bankname>.pages.dev; pages.dev is the domain under which Cloudflare Pages assigns a subdomain to every hosted project.
- To start the phishing process, the malicious actor only needs to sign up with Cloudflare Pages and with any Git service (such as GitHub, GitLab, etc.).
- The cloned website of the target entity is hosted, and after a few clicks the phishing website is ready, with a customized subdomain of pages.dev.
How Cloudflare Pages Works
- Cloudflare Pages is a JAMStack platform for front-end developers to collaborate on and deploy dynamic front-end applications.
- After signing up and verifying an email ID, the user can get started.
- There are three ways to set up a Pages project:
  - Connecting an existing Git provider (i.e. GitHub, GitLab, etc.) to Cloudflare Pages
  - Deploying pre-built assets directly to Cloudflare Pages using direct uploads
  - Using Wrangler to deploy any project
- Cloudflare Pages is free to use for 500 builds per month. Pro and Business plans are also available, at USD 20 and USD 200 per month respectively.
Impact & Mitigation
Impact
- Data collected can be sold on the dark web for monetary gain.
- Loss of revenue and reputation for the brands being impersonated.
- The PII and card details shared by the victims can be exploited to conduct:
  - Social engineering attacks
  - Banking frauds
  - Identity theft
Mitigation
- Identify and report domains impersonating brand names and trademarks.
- Create an inclusive awareness campaign to educate customers about the organization's processes.
- Create awareness among customers regarding malicious URLs.
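The mitigation above asks security teams to identify and report impersonating domains. The Python script below is an added example, not part of the CloudSEK advisory: it triages constructed SMS samples, flags shortener hosts for later expansion, and marks pages.dev subdomains whose label contains a watchlisted brand token after normalising separators and digit-for-letter swaps. The brand tokens, shortener list and sample messages are all assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed watchlist: brand tokens the monitored bank would register (assumption, not page data).
BRAND_TOKENS = ("examplebank", "exbank")
# Free hosting suffix named in the advisory, plus a constructed list of shortener hosts to expand before triage.
FREE_HOSTING_SUFFIXES = (".pages.dev",)
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "cutt.ly"}
# Matches links with or without a scheme, since smishing texts often omit it.
URL_RE = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/[^\s]*)?", re.IGNORECASE)
# Leet-style substitutions commonly used to dodge exact brand matching.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def normalise(label: str) -> str:
    """Lower-case, strip separators and undo digit-for-letter swaps: 'Ex-Bank-0nline' -> 'exbankonline'."""
    return re.sub(r"[^a-z0-9]", "", label.lower()).translate(LEET)

def classify_url(url: str) -> dict:
    """Flag a URL as brand impersonation on free hosting, or as a shortener link that must be expanded."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    verdict = {"url": url, "host": host, "shortener": host in URL_SHORTENERS, "brand_match": None}
    for suffix in FREE_HOSTING_SUFFIXES:
        if host.endswith(suffix):
            sub = normalise(host[: -len(suffix)])  # project label in front of .pages.dev
            verdict["brand_match"] = next((b for b in BRAND_TOKENS if b in sub), None)
    return verdict

def triage_sms(messages):
    """Return verdicts worth reporting: brand-named pages.dev subdomains and shortened links."""
    return [v for m in messages for v in map(classify_url, URL_RE.findall(m))
            if v["brand_match"] or v["shortener"]]

# Constructed sample messages mimicking the panic-inducing templates described above.
SAMPLE_SMS = [
    "Dear customer, your ExampleBank a/c will be blocked today. Update KYC: https://examplebank-kyc.pages.dev/login",
    "Your card is suspended. Verify at https://bit.ly/3xyzABC immediately",
    "Team outing photos: https://photos.pages.dev/album/42",
    "Alert: ex-bank-0nline.pages.dev/verify is asking for your PIN",
]

if __name__ == "__main__":
    for v in triage_sms(SAMPLE_SMS):
        print(v["host"], "brand:", v["brand_match"], "shortener:", v["shortener"])
```

Benign pages.dev projects (the third message) are left alone; only a brand-bearing label on free hosting or an opaque shortened link is queued for a takedown report.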
Appendix
Figure: Phishing URLs distributed via smishing
Figure: Verified dashboard of Cloudflare Pages
Figure: Plans for Cloudflare Pages
Figure: Screenshot of a phishing domain targeting a popular Indian bank