JAMStack platform, Cloudflare Pages, misused to launch phishing campaigns to target Indian banking customers.
PII details & banking credentials compromised.
Loss of revenue and reputation of the brands being impersonated.
PII can be exploited to conduct banking frauds and other social engineering attacks.
Identify and report fake domains.
Create an inclusive awareness campaign for customers to educate them about the organization’s processes.
Analysis and Attribution
CloudSEK’s contextual AI digital risk monitoring platform XVigil uncovered yet another improvised modus operandi used by threat actors to target banking customers in India through a phishing campaign.
Previously, CloudSEK researchers discovered a method where cybercriminals exploited reverse tunnel services and URL shorteners to launch large-scale phishing campaigns.
In this new modus operandi, threat actors are misusing another service, Cloudflare Pages (a JAMStack platform), to target Indian banking customers.
The threat actors are using the smishing technique to distribute phishing websites via SMS or pretexting.
The message templates are designed in a way to create a sense of panic.
The messages contain a shortened URL that redirects to a phishing website hosted at an address of the form <bankname>.pages.dev. pages.dev is the domain under which Cloudflare Pages provides project subdomains.
The malicious actor needs to sign up with Cloudflare Pages and any of the Git services (such as GitHub, GitLab, etc.) to start the process of phishing.
The cloned website of the target entity is hosted, and after a few clicks, the phishing website is ready with a customized subdomain of the domain pages.dev.
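The `<bankname>.pages.dev` pattern described above can be used to triage URLs when identifying fake domains to report. The following is an added example, not part of the original report: it flags pages.dev project names that contain or closely resemble a brand on a watchlist. The brand names, similarity threshold and sample URLs are constructed, and the code assumes preview deployments use hostnames of the form `<hash>.<project>.pages.dev`.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Hypothetical watchlist: brand tokens owned by the defending organization.
BRANDS = ["examplebank", "samplepay"]
PAGES_SUFFIX = ".pages.dev"
# Undo common look-alike substitutions and hyphen padding before comparing.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": None})


def project_label(url):
    """Return the Pages project label of a URL, or None if not on pages.dev."""
    host = (urlsplit(url if "//" in url else "//" + url).hostname or "").rstrip(".")
    if not host.endswith(PAGES_SUFFIX):
        return None
    # Previews are <hash>.<project>.pages.dev: the project is the last label.
    return host[: -len(PAGES_SUFFIX)].split(".")[-1] or None


def match_brand(label, threshold=0.85):
    """Return the brand a project label contains or closely resembles."""
    norm = label.translate(LOOKALIKES)
    for brand in BRANDS:
        if brand in norm:
            return brand
        # Slide a brand-sized window over the label to catch misspellings.
        width = len(brand)
        for i in range(max(1, len(norm) - width + 1)):
            if SequenceMatcher(None, brand, norm[i:i + width]).ratio() >= threshold:
                return brand
    return None


def triage(urls):
    """Map each suspicious pages.dev URL to the brand it appears to imitate."""
    labelled = ((url, project_label(url)) for url in urls)
    return {url: b for url, lab in labelled if lab and (b := match_brand(lab))}

# Constructed sample input, e.g. final URLs after expanding SMS short links.
SAMPLE = [
    "https://examplebank-kyc-update.pages.dev/login",
    "https://a1b2c3d4.examp1ebank.pages.dev/",
    "https://exampelbank.pages.dev",
    "https://my-portfolio.pages.dev/about",
    "https://www.examplebank.example/netbanking",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Matches are candidates for analyst review and takedown reporting, not verdicts; a legitimate project can share a brand token.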
How Cloudflare Pages Works
Cloudflare Pages is a JAMStack platform for front-end developers to collaborate and deploy dynamic front-end applications.
After signing up and verifying using an email ID, the user can get started.
There are three ways to set up a Pages Project:
Connecting the existing Git Provider (i.e. GitHub, GitLab, etc.) to Cloudflare Pages
Deploying pre-built assets directly to Cloudflare Pages using direct uploads
The Cloudflare Pages feature is free to use for 500 builds per month. They also have Pro and Business plans available at USD 20 and USD 200 per month, respectively.