New Tricks in the Phishing Playbook: Cloudflare Workers, HTML Smuggling, GenAI
Summary:
Researchers have raised alarms about sophisticated phishing campaigns leveraging Cloudflare Workers to deploy phishing sites aimed at harvesting credentials from multiple organizations users. These campaigns utilize a method called transparent phishing or adversary-in-the-middle phishing. This technique involves using Cloudflare Workers as a reverse proxy to legitimate login pages, intercepting traffic to capture login credentials, cookies, and tokens.
Over the past 30 days, these phishing campaigns have primarily targeted victims in Asia, North America, and Southern Europe, spanning the technology, financial services, and banking sectors. Researchers have observed a significant increase in traffic to Cloudflare Workers-hosted phishing pages starting in Q2 2023, with the number of distinct domains involved rising from just over 1,000 in Q4 2023 to nearly 1,300 in Q1 2024. A key tactic used in these campaigns is HTML smuggling, which involves using malicious JavaScript to assemble payloads on the client side. This method allows the phishing page to be constructed and displayed within the user’s browsers. Victims are often lured to sign in with Microsoft Outlook or Office 365 credentials to view a supposed PDF document. The phishing page, hosted on Cloudflare Workers, captures their credentials and MFA codes. The entire phishing page is created using a modified version of an open-source Cloudflare AitM toolkit. When the victim enters their credentials, the attacker collects the web request metadata, tokens, and cookies, and can monitor further user activity post-login.
Security Officer Comments:
HTML smuggling is increasingly favored by threat actors to bypass modern defenses, enabling the delivery of fraudulent HTML pages and other malware. In some cases, a fake HTML file injects an iframe of the legitimate Microsoft authentication portal, retrieved from an attacker-controlled domain. This sophisticated strategy is designed to bypass MFA. Campaigns include invoice-themed phishing emails with HTML attachments masquerading as PDF viewer login pages, aiming to steal email account credentials and redirect victims to URLs hosting fake "proof of payment." Phishing-as-a-Service tools like Greatness are used to steal Microsoft 365 login credentials and bypass MFA. These attacks often incorporate QR codes within PDF files and CAPTCHA checks before redirecting to bogus login pages. Financial services, manufacturing, energy/utilities, retail, and consulting entities in the U.S., Canada, Germany, South Korea, and Norway are top targets.
Attackers deliver malware in oversized compressed files to evade antivirus scanning, leveraging the extended scan time and resource limitations of security software. Threat actors are also using generative artificial intelligence to craft highly effective phishing emails, enhancing their ability to deceive and compromise targets. Campaigns like TrkCdn and SpamTracker use DNS tunneling to monitor when targets open phishing emails and click on malicious links, track spam delivery, and scan victim networks for vulnerabilities. Malvertising campaigns exploit search engine results to trick users into installing information stealers and remote access trojans such as SectopRAT (aka ArechClient). Additionally, attackers set up counterfeit pages mimicking financial institutions like Barclays, using legitimate remote desktop software like AnyDesk to gain remote access to victim systems under the guise of offering live chat support.
Suggested Corrections:
IOCs:
https://github.com/netskopeoss/NetskopeThreatLabsIOCs/tree/main/Phishing/CloudflareWorkers/IOCs
Netskope Threat Labs recommends that organizations review their security policies to ensure that they are adequately protected against these and similar phishing pages and scams:
- Inspect all HTTP and HTTPS traffic, including all web and cloud traffic, to prevent users from visiting malicious websites. Netskope customers can configure their Netskope NG-SWG with a URL filtering policy to block known phishing and scam sites, and a threat protection policy to inspect all web content to identify unknown phishing and scam sites using a combination of signatures, threat intelligence, and machine learning.
- Use Remote Browser Isolation (RBI) technology to provide additional protection when there is a need to visit websites that fall in categories that can present higher risk, like Newly Observed and Newly Registered Domains.
Link(s):
https://thehackernews.com/2024/05/new-tricks-in-phishing-playbook.html
https://www.netskope.com/blog/phish...rkers-transparent-phishing-and-html-smuggling