
Phishing efforts that exploit Cloudflare Workers to deliver phishing sites have caught the attention of cybersecurity researchers. These sites are used to collect users’ credentials associated with Microsoft, Gmail, Yahoo!, and cPanel Webmail.

The attack method, known as adversary-in-the-middle (AitM) phishing or transparent phishing, “uses Cloudflare Workers to act as a reverse proxy server for a legitimate login page, intercepting traffic between the victim and the login page to capture credentials, cookies, and tokens,” according to a report by Jan Michael Alcantara, a researcher at Netskope.


Over the past thirty days, the majority of phishing attacks hosted on Cloudflare Workers have targeted victims in Asia, North America, and Southern Europe, particularly in the banking, financial services, and technology sectors.

According to the cybersecurity firm, a surge in traffic to phishing pages hosted by Cloudflare Workers was first noted in the second quarter of 2023. The firm also observed a spike in the number of different domains, which reached nearly 1,300 in the first quarter of 2024, up from just over 1,000 in the fourth quarter of 2023.

Phishing tactics also involve a method known as HTML smuggling, which uses malicious JavaScript to construct the harmful payload on the client side to circumvent security measures. This method also highlights the complex techniques that threat actors are employing to launch and execute attacks on targeted systems.

In this particular instance, the malicious payload is a phishing page, which is reassembled and presented to the victim in a web browser. This is a significant departure from other methods.

The phishing page prompts the victim to sign in with Microsoft Outlook or Office 365 (formerly known as Microsoft 365) to view a document purported to be a PDF. If the victim proceeds, bogus sign-in pages hosted on Cloudflare Workers are used to harvest their credentials and multi-factor authentication (MFA) codes.

“The entire phishing page is created using a modified version of an open-source Cloudflare AitM toolkit,” explained Michael Alcantara to reporters. “Once the victim accesses the attacker’s login page, the attacker collects the web request metadata.”

“After the victim enters their credentials, they are logged into the real website, and the attacker captures the tokens and cookies from the legitimate website’s response. Additionally, the attacker will be able to observe any subsequent actions the victim takes,” Alcantara added.

HTML smuggling is becoming increasingly popular among threat actors who aim to circumvent modern defenses. This method allows them to deliver fake HTML pages and other forms of malware without triggering alarms or warnings.

In one instance highlighted by Huntress Labs, a fake HTML file was used to inject an iframe of the authentic Microsoft login gateway, retrieved from a domain controlled by the attacker.

“This resembles an MFA-bypass adversary-in-the-middle transparent proxy phishing attack but utilizes an HTML smuggling payload with an injected iframe instead of a simple link,” stated security researcher Matt Kiely in an interview.

Invoice-themed phishing emails that contain HTML attachments that masquerade as PDF viewer login pages are another campaign that has garnered notice. The purpose of these emails is to capture the email account credentials of users, and then redirect them to a URL that hosts the so-called “proof of payment.”
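A defender-side triage of such HTML attachments, as an added example that is not taken from the article or the reports it cites: it flags files whose form or iframe markup appears only after decoding data inside a script. The call list, tag list, verdict rule and both sample files are assumptions constructed for illustration.

```python
import base64
import re
from html.parser import HTMLParser

# Heuristic list (an assumption): browser calls often used to rebuild content client-side.
ASSEMBLY_CALLS = ("atob(", "new Blob(", "createObjectURL(", "document.write(", "srcdoc")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
LOGIN_TAGS = ("form", "iframe", "input")

class _Collector(HTMLParser):
    """Records tags present in the static markup and the text of every <script>."""
    def __init__(self):
        super().__init__()
        self.in_script, self.scripts, self.static_tags = False, [], set()
    def handle_starttag(self, tag, attrs):
        self.in_script = tag == "script"
        self.static_tags.add(tag)
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.scripts.append(data)

def triage_attachment(html: str) -> dict:
    """Flag HTML whose login markup exists only inside encoded script data."""
    col = _Collector()
    col.feed(html)
    js = "\n".join(col.scripts)
    calls = [c for c in ASSEMBLY_CALLS if c in js]
    hidden = set()
    for run in B64_RUN.findall(js):
        try:
            decoded = base64.b64decode(run, validate=True).decode("utf-8", "replace").lower()
        except ValueError:  # not valid base64 (binascii.Error subclasses ValueError)
            continue
        hidden.update(t for t in LOGIN_TAGS if f"<{t}" in decoded and t not in col.static_tags)
    verdict = "suspicious" if calls and hidden else "clean"
    return {"assembly_calls": calls, "hidden_markup": sorted(hidden), "verdict": verdict}

# Constructed samples: a harmless iframe to a reserved .invalid host, and a plain form.
_blob = base64.b64encode(b'<iframe src="https://login.example.invalid/"></iframe>').decode()
SAMPLE_SMUGGLED = ('<html><body><p>Invoice.pdf</p><script>'
                   f'document.write(atob("{_blob}"));</script></body></html>')
SAMPLE_PLAIN = '<html><body><form action="/login"><input type="password"></form></body></html>'

if __name__ == "__main__":
    print(triage_attachment(SAMPLE_SMUGGLED))
    print(triage_attachment(SAMPLE_PLAIN))
```

A static scanner that only inspects the markup sees no iframe in the first sample; decoding the script data is what exposes it.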

In recent years, email-based phishing attacks have taken on a variety of forms. One of these forms is the utilization of phishing-as-a-service (PhaaS) toolkits such as Greatness to steal login credentials for Microsoft 365 and to circumvent multi-factor authentication (MFA) by employing the AitM technique. Additionally, attackers have incorporated QR codes within PDF files and utilized CAPTCHA checks before redirecting victims to a fake login page.

It has become clear that the Greatness PhaaS is primarily focused on the following industries: financial services, manufacturing, energy/utilities, retail, and consultancy businesses situated in the United States of America, Canada, Germany, South Korea, and Norway.

“These services offer advanced capabilities that appeal to attackers by saving them time on development and evasion tactics,” Trellix researchers Daksh Kapur, Vihar Shah, and Pooja Khyadgi noted in a report published the previous week.

As threat actors constantly look for new ways to outsmart security systems and spread malware, they are resorting to generative artificial intelligence (GenAI) to craft effective phishing emails, and they are delivering compressed file attachments that contain overly large malware payloads (more than 100 MB in size) in the hopes of evading analysis.

“Scanning larger files takes more time and resources, which can slow down the overall system performance during the scan process,” the cybersecurity company stated in its announcement. “To minimize heavy memory footprint, some antivirus engines may set size limits for scanning, leading to oversized files being skipped.”

The method of file inflation has been discovered to be used as an attack stratagem to deliver other malware, including Agent Tesla, AsyncRAT, Quasar RAT, and Remcos RAT, according to the report.

Furthermore, the adversarial usage of GenAI by a variety of threat actors for the purpose of exploit development and deepfake production highlights the necessity of solid security safeguards, ethical principles, and monitoring mechanisms.

In addition, these innovations to circumvent conventional detection mechanisms have been extended to campaigns such as TrkCdn, SpamTracker, and SecShow. These campaigns are utilizing Domain Name System (DNS) tunneling in order to monitor when their targets open phishing emails and click on malicious links, track the delivery of spam, and scan victim networks for potential vulnerabilities.

“The DNS tunneling technique used in the TrkCdn campaign is meant to track a victim’s interaction with its email content,” Palo Alto Networks Unit 42 stated in a report that was published earlier this month. The report also stated that the attackers embed content in the email that, when opened, performs a DNS query to subdomains that are controlled by the attackers.


SpamTracker delivers spam and phishing content through emails and website links. The purpose of the campaign is to entice victims to click on links behind which the threat actors have concealed their payload in the subdomains.
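One way to hunt for this kind of subdomain-based tracking in resolver logs, as an added example that is not from the article or the Unit 42 report: it counts distinct long, high-entropy leftmost labels per parent domain. The log format, the thresholds, the two-label domain grouping and every sample line are assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

def label_entropy(label: str) -> float:
    """Shannon entropy of a DNS label in bits per character."""
    total = len(label)
    return -sum(n / total * math.log2(n / total) for n in Counter(label).values())

def registered_domain(qname: str) -> str:
    # Naive grouping on the last two labels (assumption); use the Public Suffix List in production.
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def flag_tracking_domains(log_lines, min_unique=3, min_len=16, min_entropy=3.0):
    """Return {parent_domain: distinct_opaque_labels} for domains over the threshold.

    Expected line format (constructed): '<timestamp> <client_ip> <qname>'.
    """
    opaque = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of failing the whole hunt
        labels = parts[2].rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue  # no subdomain below the parent domain
        sub = labels[0]
        if len(sub) >= min_len and label_entropy(sub) >= min_entropy:
            opaque[registered_domain(parts[2])].add(sub)
    return {d: len(s) for d, s in opaque.items() if len(s) >= min_unique}

# Constructed resolver log; all names use reserved example domains.
SAMPLE_DNS_LOG = [
    "2024-05-30T09:00:01Z 10.0.0.12 0123456789abcdef0123456789abcdef.trk.tracker-domain.example",
    "2024-05-30T09:00:07Z 10.0.0.31 fedcba9876543210fedcba9876543210.trk.tracker-domain.example",
    "2024-05-30T09:01:15Z 10.0.0.44 02468ace13579bdf02468ace13579bdf.trk.tracker-domain.example",
    "2024-05-30T09:01:20Z 10.0.0.12 www.example.org",
    "2024-05-30T09:01:22Z 10.0.0.12 autodiscover.corp.example.com",
    "2024-05-30T09:02:00Z 10.0.0.31 a1b2c3d4e5f6a7b8c9d0.cdn.static-host.example",
    "malformed line",
]

if __name__ == "__main__":
    print(flag_tracking_domains(SAMPLE_DNS_LOG))
```

The single long label under `static-host.example` passes the per-label filter but stays below `min_unique`, which is what keeps ordinary CDN-style hostnames out of the result.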

The findings also come at a time when there has been an increase in the number of malvertising efforts designed to fool users into installing information stealers and remote access trojans like SectopRAT (also known as ArechClient). These campaigns make use of harmful advertisements for popular applications that appear on search engine results pages.

In addition to this, it has been discovered that malicious actors have created fake websites that imitate the appearance of financial institutions such as Barclays. These fake websites supply legitimate remote desktop software such as AnyDesk under the premise of providing live chat support, which in turn grants the attackers remote access to the victims' systems.

According to Jerome Segura, who works at Malwarebytes, “it is more important than ever before to be extremely cautious when it comes to sponsored results.” Many times, there is no simple method that can be used to determine whether or not an advertisement is real. There is a set of actions that criminals can take in order to construct malicious installers that are able to avoid detection and ultimately lead to compromise. 
