Phishing Gangs Exploit Cloudflare's pages.dev and workers.dev Developer Domains
Cloudflare's pages.dev and workers.dev domains, built for web deployment and serverless computing by developers, are increasingly being exploited by phishing gangs.
A report by cybersecurity firm Fortra indicates a 100% to 250% rise in misuse of these domains compared to 2023, predominantly as redirectors to phishing and other malicious sites.
Researchers believe criminal groups choose these domains because they lend an air of legitimacy to their operations: they borrow Cloudflare's reputation and reliability, cost little, and complicate detection by security tools.
Cloudflare Pages offers static website hosting for frontend developers with SSL/TLS enabled by default, so no server setup or environment configuration is needed. Criminal groups mainly use it to build redirect sites: an intermediary page on a pages.dev domain is distributed by email and automatically forwards visitors to the phishing site. Because of Cloudflare's good reputation, some security software does not flag pages.dev links as malicious, which lowers victims' guard; when they click, Cloudflare's hosting delivers the intermediary page, which redirects them to the phishing site.
Cloudflare Workers, a serverless computing platform, lets developers write and deploy lightweight applications and scripts directly on Cloudflare's edge network. Criminals exploit this service to launch DDoS attacks, host phishing sites, and serve harmful scripts to browsers.
The primary area for improvement likely lies with security software, since many services offer public domain hosting across the internet: security software should not automatically trust a link just because its domain belongs to a major platform.
While Cloudflare should monitor and combat misuse, blocking every instance of abuse in a timely manner is difficult, a problem common to all platforms that offer public hosting.
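As an added illustration of the defensive point above (this is example code, not from Fortra's report or Cloudflare), a small filter that refuses to wave a link through on platform reputation alone: it pulls pages.dev/workers.dev links out of an email and flags a landing page that immediately forwards visitors to another domain via meta refresh or a JavaScript redirect. The suffix list, the lure email and the intermediary page are constructed samples.

```python
import re
from urllib.parse import urlparse

# Suffixes whose reputation attackers borrow; the page names these two (the list is an assumption).
PUBLIC_HOSTING_SUFFIXES = ("pages.dev", "workers.dev")

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# <meta http-equiv="refresh" content="0; url=https://...">  (attribute order assumed)
META_REFRESH_RE = re.compile(
    r"<meta[^>]+http-equiv=[\"']?refresh[\"']?[^>]*content=[\"']?\s*\d+\s*;\s*url=([^\"'>\s]+)",
    re.IGNORECASE)
# window.location = "..." / location.href = "..." / location.replace("...")
JS_REDIRECT_RE = re.compile(
    r"location(?:\.href)?\s*(?:=|\.replace\()\s*[\"']([^\"']+)[\"']", re.IGNORECASE)

def hosted_on_public_platform(url: str) -> bool:
    """True for pages.dev / workers.dev hosts and their subdomains, not for look-alikes."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in PUBLIC_HOSTING_SUFFIXES)

def redirect_targets(html: str) -> list:
    """Absolute destinations the landing page would forward the visitor to, deduplicated."""
    found = META_REFRESH_RE.findall(html) + JS_REDIRECT_RE.findall(html)
    return list(dict.fromkeys(t for t in found if urlparse(t).scheme in ("http", "https")))

def classify_landing_page(url: str, html: str) -> dict:
    """Flag a public-hosting page that immediately forwards to a different domain."""
    src_host = (urlparse(url).hostname or "").lower()
    off_platform = [t for t in redirect_targets(html)
                    if (urlparse(t).hostname or "").lower() != src_host]
    public = hosted_on_public_platform(url)
    return {"url": url, "public_hosting": public,
            "redirects_to": off_platform, "suspicious": public and bool(off_platform)}

def untrusted_links_in_email(body: str) -> list:
    """Links an email filter should inspect rather than trust on platform reputation."""
    return [u for u in URL_RE.findall(body) if hosted_on_public_platform(u)]

# Constructed sample data (not a real campaign): a lure email and the intermediary page it points to.
SAMPLE_URL = "https://invoice-update.pages.dev/notice.html"
SAMPLE_EMAIL = ("Your invoice is ready. Review it at " + SAMPLE_URL + " within 24 hours.\n"
                "Questions? See https://www.example.com/help\n")
SAMPLE_HTML = ('<html><head><meta http-equiv="refresh" '
               'content="0; url=https://account-verify.example/login"></head>'
               '<body><script>location.href = "https://account-verify.example/login";'
               '</script></body></html>')

if __name__ == "__main__":
    for link in untrusted_links_in_email(SAMPLE_EMAIL):
        print(classify_landing_page(link, SAMPLE_HTML))
```

A real deployment would fetch the landing page in a sandbox before classifying; here the page body is supplied inline so the logic runs offline.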
According to Fortra's statistics, phishing attacks hosted on Cloudflare Workers rose from 2,447 incidents in 2023 to 4,999 so far in 2024, and are projected to reach 6,000 by the end of the month.
Addressing this abuse may require a joint industry effort to improve content discernment and identification efficiency. Most importantly, end users should enable 2FA (two-factor authentication) to reduce their risk.