Malwarebytes warns that threat actors are abusing the free Cloudflare Pages service to host phishing portals, helping the phishing sites avoid detection by security scanners.
The attackers are building fake login pages impersonating banking, insurance, and healthcare entities. The pages are designed to harvest credentials as well as security questions and multifactor authentication codes.
“From the victim’s point of view, nothing seems unusual beyond an odd-looking link and a failed sign-in,” the researchers write. “For the attackers, the mix of free hosting, compromised redirectors, and Telegram-based exfiltration gives them speed, scale, and resilience.
“The bigger trend behind this campaign is clear: by leaning on free web hosting and mainstream messaging platforms, phishing actors avoid many of the choke points defenders used to rely on, like single malicious IPs or obviously shady domains. Spinning up new infrastructure is cheap, fast, and largely invisible to victims.”
Malwarebytes offers the following advice to help users avoid falling for these attacks:
- “Always check the full domain name, not just the logo or page design. Banks and health insurers don’t host sign-in pages on generic developer domains like *.pages[.]dev, *.netlify[.]app, or on strange paths on unrelated sites.
- “Don’t click sign-in or benefit links in unsolicited emails or texts. Instead, go to the institution’s site via a bookmark or by typing the address yourself.
- “Treat surprise ‘extra security’ prompts after a failed login with caution, especially if they ask for answers to security questions, card numbers, or email passwords.
- “If anything about the link, timing, or requested information feels wrong, stop and contact the provider using trusted contact information from their official site.”
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 HRM+ platform to strengthen their security culture and reduce human risk.
Malwarebytes has the story.
