Cloudflare Pages Misused in a Phishing Campaign Against Indian Banking Customers

Summary

CloudSEK has uncovered yet another improvised modus operandi used by threat actors to target banking customers in India through a phishing campaign: cloned bank login pages hosted on Cloudflare Pages and distributed over SMS.
 
Category: Adversary Intelligence Industry: Finance and Banking Motivation: Financial Region: India Source*: A1

Executive Summary

Threat
  • JAMStack platform Cloudflare Pages misused to launch phishing campaigns against Indian banking customers.
Impact
  • PII details and banking credentials compromised.
  • Loss of revenue and reputation for the brands being impersonated.
  • PII can be exploited to conduct banking fraud and other social engineering attacks.
Mitigation
  • Identify and report fake domains.
  • Create an inclusive awareness campaign for customers to educate them about the organization's processes.

Analysis and Attribution

  • CloudSEK’s contextual AI digital risk monitoring platform XVigil uncovered yet another improvised modus operandi used by threat actors to target banking customers in India through a phishing campaign.
  • Previously, CloudSEK researchers discovered a method where cybercriminals exploited reverse tunnel services and URL shorteners to launch large-scale phishing campaigns.
  • In this new modus operandi, threat actors are misusing another legitimate service, Cloudflare Pages (a JAMStack hosting platform), to host phishing sites that target Indian banking customers.

Modus Operandi

  • The threat actors use smishing (phishing over SMS) to distribute links to the phishing websites, relying on a pretext to make the message credible.
  • The message templates are worded to create a sense of panic so that the recipient clicks without checking the link.
  • The messages contain a shortened URL that redirects to a phishing website whose hostname looks like <bankname>.pages.dev. pages.dev is the domain on which Cloudflare Pages serves every project; the project name chosen by the account holder becomes the subdomain label.
  • To start, the malicious actor only needs to sign up for Cloudflare Pages and for any Git provider (such as GitHub or GitLab).
  • The cloned website of the target entity is pushed to the Git repository and deployed; after a few clicks the phishing website is live on a customized subdomain of pages.dev, served over HTTPS with a valid certificate like any other Pages project.
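The hostname pattern described above is the most useful detection handle: a Pages production deployment lives at <project>.pages.dev and a preview deployment at <hash>.<project>.pages.dev, so the project label sits immediately before pages.dev in either case. The following Python script is an added example (not CloudSEK's code or tooling) that triages SMS text the way a bank's abuse team might: it extracts URLs, expands shortener links, isolates the pages.dev project name, and flags projects that embed a monitored brand. The sample messages, the shortener domain sh.example, the brand names and the redirect table are all constructed; in production the table would be replaced by following HTTP redirects.

```python
"""Triage SMS lures for Cloudflare Pages (pages.dev) brand-impersonation hosts."""
import re
from urllib.parse import urlsplit

# Constructed sample smishing texts (hypothetical; not taken from the report).
SAMPLE_MESSAGES = [
    "Dear customer, your ExampleBank account will be BLOCKED today. "
    "Update KYC now: https://sh.example/a1b2",
    "ExampleBank: PAN card not linked, net banking suspended. "
    "Verify at https://examplebank-kyc.pages.dev/login",
    "Team lunch moved to 1pm, menu here https://docs.example.org/menu",
    "Your parcel is waiting: https://sh.example/c3d4",
]

# Stand-in for following shortener redirects with HEAD requests; the table is
# constructed so the example runs offline (sh.example is a hypothetical shortener).
SHORTENER_MAP = {
    "https://sh.example/a1b2": "https://sh.example/e5f6",  # chained short links
    "https://sh.example/e5f6": "https://a1b2c3d4.examplebank-update.pages.dev/",
    "https://sh.example/c3d4": "https://courier-track.pages.dev/",
}

# Brands the team monitors (hypothetical names), and words typical of panic lures.
MONITORED_BRANDS = ("examplebank", "examplecard")
URGENCY_WORDS = {"blocked", "suspended", "today", "immediately", "verify", "kyc"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(text):
    """Return every http(s) URL in a message, stripping trailing punctuation."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]


def expand_url(url, table, max_hops=5):
    """Follow shortener redirects via the lookup table, bounded to avoid loops."""
    seen = []
    for _ in range(max_hops):
        if url not in table or url in seen:
            break
        seen.append(url)
        url = table[url]
    return url


def pages_dev_project(url):
    """Return the Pages project name if the host is under pages.dev, else None.

    Production deploys live at <project>.pages.dev and preview deploys at
    <hash>.<project>.pages.dev, so the project is the label before pages.dev.
    """
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    if len(labels) < 3 or labels[-2:] != ["pages", "dev"]:
        return None
    return labels[-3]


def impersonated_brand(project, brands):
    """Return the monitored brand embedded in the project name, if any."""
    squashed = project.replace("-", "").replace("_", "")
    for brand in brands:
        if brand.replace("-", "") in squashed:
            return brand
    return None


def urgency_score(text):
    """Count panic-inducing words in the message body."""
    words = set(re.findall(r"[a-z]+", text.lower()))
    return len(words & URGENCY_WORDS)


def triage(messages, shortener_table, brands):
    """Flag messages whose expanded links land on a pages.dev host; mark brand hits for reporting."""
    findings = []
    for msg in messages:
        for url in extract_urls(msg):
            final = expand_url(url, shortener_table)
            project = pages_dev_project(final)
            if project is None:
                continue  # not a Cloudflare Pages host; out of scope here
            brand = impersonated_brand(project, brands)
            findings.append({
                "lure_url": url,
                "final_url": final,
                "project": project,
                "brand": brand,
                "urgency": urgency_score(msg),
                "verdict": "report" if brand else "review",
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_MESSAGES, SHORTENER_MAP, MONITORED_BRANDS):
        print(finding)
```

Findings with a brand match are the ones to submit to Cloudflare's abuse channel together with the SMS sender ID; a pages.dev host with no brand match (the parcel lure above) still deserves a look, but on its own it is not evidence of impersonation, since pages.dev is shared by every legitimate project on the platform.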

How Cloudflare Pages Works

  • Cloudflare Pages is a JAMStack platform that lets front-end developers collaborate on and deploy front-end applications.
  • After signing up and verifying an email address, the user can get started immediately; no domain ownership or identity check beyond the email is required to publish a site under pages.dev.
  • There are three ways to set up a Pages project:
    • Connecting an existing Git provider (GitHub, GitLab, etc.) to Cloudflare Pages so that each push triggers a build and deployment.
    • Deploying pre-built assets directly to Cloudflare Pages using direct upload.
    • Using Wrangler, Cloudflare's CLI, to deploy a project from the command line.
  • Cloudflare Pages is free to use for up to 500 builds per month. Pro and Business plans are also available at USD 20 and USD 200 per month, respectively, so the attacker's hosting cost is effectively zero.

Impact & Mitigation

Impact
  • Data collected can be sold on the dark web for monetary gain.
  • Loss of revenue and reputation for the brands being impersonated.
  • The PII and card details shared by the victims can be exploited to conduct:
    • Social engineering attacks
    • Banking fraud
    • Identity theft
Mitigation
  • Identify and report domains impersonating brand names and trademarks.
  • Create an inclusive awareness campaign to educate customers about the organization's processes.
  • Create awareness among customers regarding malicious URLs.

Appendix

Phishing URLs distributed via smishing

Verified dashboard of Cloudflare Pages

Plans for Cloudflare Pages

Screenshot of a phishing domain targeting a popular Indian bank
