Cloudflare Pages Misused in a Phishing Campaign Against Indian Banking Customers

CloudSEK’s uncovered yet another improvised modus operandi used by threat actors to target banking customers in India through a phishing campaign.
Updated on
April 19, 2023
Published on
September 2, 2022
Subscribe to the latest industry news, threats and resources.
Category: Adversary Intelligence Industry: Finance and Banking Motivation: Financial Region: India Source*: A1

Executive Summary

  • JAMStack platform, Cloudflare Pages, misused to launch phishing campaigns to target Indian banking customers.
  • PII details & banking credentials compromised.
  • Loss of revenue and reputation of the brands being impersonated.
  • PII can be exploited to conduct banking frauds and other social engineering attacks.
  • Identify and report fake domains.
  • Create an inclusive awareness campaign for customers to educate them about the organization's processes.

Analysis and Attribution

  • CloudSEK’s contextual AI digital risk monitoring platform XVigil uncovered yet another improvised modus operandi used by threat actors to target banking customers in India through a phishing campaign.
  • Previously, CloudSEK researchers discovered a method where cybercriminals exploited reverse tunnel services and URL shorteners to launch large-scale phishing campaigns.
  • In this new modus operandi, threat actors are misusing another service, i.e Cloudflare Pages (a JAMStack platform) to target Indian banking customers.
Related Read Advanced Phishing Scams Target Individuals & Businesses in the Middle East

Modus Operandi

  • The threat actors are using the smishing technique to distribute phishing websites via SMS or pretexting
  • The message templates are designed in a way to create a sense of panic.
  • The messages contain a shortened URL that redirects to a phishing website and look like: <bankname> is a subdomain provided by the Cloudflare Pages.
  • The malicious actor needs to sign up with Cloudflare Pages and any of the Git services (such as GitHub, GitLab, etc) to start the process of phishing.
  • The cloned website of the target entity is hosted, and after a few clicks, the phishing website is ready with a customized subdomain of the domain

How Cloudflare Pages Work

  • Cloudflare Pages is a JAMStack platform for front-end developers to collaborate and deploy dynamic front-end applications.
  • After signing up and verifying using an email ID, the user can get started.
  • There are three ways to set up a Pages Project:
    • Connecting the existing Git Provider (i.e. GitHub, GitLab, etc) to Cloudflare Pages
    • Deploying pre-built assets directly to Cloudflare Pages using direct uploads
    • Using Wrangler to deploy any project
  • The Cloudflare Pages feature is free to use for 500 builds per month. They also have Pro and Business plans available at USD 20 and USD 200 per month, respectively.
Related Read Sophisticated Phishing Toolkit Dubbed “NakedPages” for Sale on Cybercrime Forums

Impact & Mitigation

Impact Mitigation
  • Data collected can be sold on the dark web for monetary gain.
  • Loss of revenue and reputation of the brands being impersonated.
  • The PII and card detail shared by the victims can be exploited to conduct:
    • Social engineering attacks
    • Banking frauds
    • Identity thefts
  • Identify and report domains impersonating brand names and trademarks.
  • Create an inclusive awareness campaign to educate customers about the organization’s processes.
  • Create awareness among customers regarding malicious URLs.



[caption id="attachment_20530" align="aligncenter" width="609"]Phishing URL distributed via Smishing Phishing URLs distributed via Smishing[/caption]   [caption id="attachment_20531" align="aligncenter" width="1908"]Verified dashboard of Cloudflare Pages Verified dashboard of Cloudflare Pages[/caption]   [caption id="attachment_20532" align="aligncenter" width="1429"]Plans for Cloudflare Pages Plans for Cloudflare Pages[/caption] [caption id="attachment_20534" align="aligncenter" width="1024"]Screenshot of a phishing domain targeting a popular Indian Bank Screenshot of a phishing domain targeting a popular Indian Bank[/caption]  

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations