Category: Adversary Intelligence | Industry: Finance and Banking | Motivation: Financial | Region: India | Source*: A1
- CloudSEK’s contextual AI digital risk monitoring platform XVigil uncovered yet another improvised modus operandi used by threat actors to target banking customers in India through a phishing campaign.
- Previously, CloudSEK researchers discovered a method where cybercriminals exploited reverse tunnel services and URL shorteners to launch large-scale phishing campaigns.
- In this new modus operandi, threat actors are misusing another service, Cloudflare Pages (a JAMStack platform), to target Indian banking customers.
- The threat actors use smishing, i.e. SMS messages built around a pretext, to distribute links to the phishing websites.
- The message templates are designed in a way to create a sense of panic.
- The messages contain a shortened URL that redirects to a phishing website whose address looks like <bankname>.pages.dev. Cloudflare Pages serves hosted projects on subdomains of pages.dev.
- The malicious actor needs to sign up with Cloudflare Pages and any of the Git services (such as GitHub, GitLab, etc.) to start the process of phishing.
- The cloned website of the target entity is hosted, and after a few clicks, the phishing website is ready with a customized subdomain of the domain pages.dev.
- Cloudflare Pages is a JAMStack platform for front-end developers to collaborate and deploy dynamic front-end applications.
- After signing up and verifying using an email ID, the user can get started.
- There are three ways to set up a Pages project:
  - Connecting an existing Git provider (e.g. GitHub, GitLab, etc.) to Cloudflare Pages
  - Deploying pre-built assets directly to Cloudflare Pages using direct uploads
  - Using Wrangler to deploy any project
- The Cloudflare Pages feature is free to use for 500 builds per month. They also have Pro and Business plans available at USD 20 and USD 200 per month, respectively.
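A defender-side check for the <bankname>.pages.dev pattern described above, as an added example that is not part of the original advisory: it takes final URLs (after short-link expansion) and flags those hosted under pages.dev whose project label embeds a monitored brand. The brand keywords, the sample URLs and the handling of preview-style hosts with an extra leading label are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: brand keywords the defender monitors (placeholder names, not real banks).
BRANDS = ("examplebank", "samplefinance")
PAGES_SUFFIX = ".pages.dev"


def pages_project(url):
    """Return the Pages project label if the URL's host is under pages.dev, else None."""
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    host = host.rstrip(".")
    # Match on the parsed host, not the raw string, so pages.dev.other.example is ignored.
    if not host.endswith(PAGES_SUFFIX):
        return None
    # Assumption: preview hosts look like <prefix>.<project>.pages.dev, so take the last label.
    return host[: -len(PAGES_SUFFIX)].split(".")[-1] or None


def brand_hit(label):
    """Return the monitored brand embedded in a project label, ignoring separators and case."""
    squashed = re.sub(r"[^a-z0-9]", "", label.lower())
    return next((b for b in BRANDS if b in squashed), None)


def triage(urls):
    """Map each flagged URL to (project label, matched brand)."""
    findings = {}
    for url in urls:
        label = pages_project(url)
        brand = brand_hit(label) if label else None
        if brand:
            findings[url] = (label, brand)
    return findings


# Constructed sample: final URLs after short-link expansion, e.g. from a proxy or SMS-gateway log.
SAMPLE_URLS = [
    "https://examplebank-kyc-update.pages.dev/login",   # brand inside the project label
    "https://3f2a9c1b.example-bank.pages.dev/",         # extra leading label, hyphenated brand
    "https://docs-site.pages.dev/",                     # hosted on Pages, no monitored brand
    "https://examplebank.pages.dev.other.example/",     # pages.dev is not the registered domain
    "https://www.examplebank.example/netbanking",       # brand on its own (placeholder) domain
]

if __name__ == "__main__":
    for url, (label, brand) in triage(SAMPLE_URLS).items():
        print(f"FLAG {url} project={label} brand={brand}")
```

The rule is scoped to pages.dev hosting only, so the fourth sample URL is deliberately left to other lookalike-domain checks.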
Impact & Mitigation
- *Intelligence source and information reliability - Wikipedia
- #Traffic Light Protocol - Wikipedia
- Get started · Cloudflare Pages docs