Cloudflare’s developer domains increasingly abused by threat actors

Cloudflare's 'pages.dev' and 'workers.dev' domains, used for deploying web pages and facilitating serverless computing, are being increasingly abused by cybercriminals for phishing and other malicious activities.

According to cybersecurity firm Fortra, the abuse of these domains has risen between 100% and 250% compared to 2023.

The researchers believe the use of these domains is aimed at improving the legitimacy and effectiveness of these malicious campaigns, taking advantage of Cloudflare's trusted branding, service reliability, low usage costs, and reverse proxying options that complicate detection.

Cloudflare Pages abuse

Cloudflare Pages is a platform designed for front-end developers to build, deploy, and host fast, scalable websites directly on Cloudflare's global Content Delivery Network (CDN).

It features static site hosting, supports a range of modern web app deployment frameworks, and offers SSL/TLS encryption by default, ensuring HTTPS connections without requiring additional configuration.

Fortra reports that Cloudflare Pages has become a tool for cybercriminals who abuse it by hosting intermediary phishing pages that redirect victims to malicious sites such as fake Microsoft Office365 login pages.

Microsoft 365 phishing page
Source: Fortra

Victims are led there through links embedded in fraudulent PDFs or on phishing email bodies, which are not flagged by security products thanks to Cloudflare's reputation.

"Fortra's SEA team has observed a 198% increase in phishing attacks on Cloudflare Pages, rising from 460 incidents in 2023 to 1,370 incidents as of mid-October 2024," reports Fortra.

"With an average of approximately 137 incidents per month, the total volume of attacks is expected to surpass 1,600 by year-end, representing a projected year-over-year increase of 257%."

Abuse of Cloudflare Pages in numbers
Source: Fortra

Fortra also notes that the threat actors use the "bccfoldering" tactic to hide the scale of their email distribution campaigns.

"Unlike the cc field, which displays the recipients, bccfoldering hides the recipients by adding them only to the email envelope, not the headers," explains Fortra.

"This makes the recipients undetectable unless the server is configured to reveal them. This tactic is used by the adversary to conceal the scale of the phishing campaign, as concealed recipients can make it difficult to detect how large the phishing campaign is."

Phishing email containing a link to a Cloudflare Pages domain
Source: Fortra

Cloudflare Workers abuse

Cloudflare Workers is a serverless computing platform that allows developers to write and deploy lightweight applications and scripts directly on Cloudflare's edge network.

Their legitimate uses include API deployment, content optimization, custom firewall and CAPTCHA implementation, task automation, and the creation of microservices.

Fortra has seen a surge in the abuse of Workers, too, including for carrying out Distributed Denial of Service (DDoS) attacks, deploying phishing sites, injecting harmful scripts onto the target's browser, and brute-forcing account passwords.

In one case highlighted by the researchers, Cloudflare Workers is abused for hosting a human verification step in a phishing process to add legitimacy.

Verification step used in a phishing campaign
Source: Fortra

"We have witnessed a 104% surge in phishing attacks on this platform [Cloudflare Workers], climbing from 2,447 incidents in 2023 to 4,999 incidents year-to-date," reads the Fortra report.

"Currently averaging 499 incidents per month, the total volume is expected to reach almost 6,000 by year-end, reflecting a projected 145% increase compared to the previous year."

Volume of Cloudflare Workers abuse
Source: Fortra

Users can defend against phishing that abuses legitimate services by verifying the authenticity of the URLs they're on when asked to enter sensitive information.

Finally, activating extra account security steps such as two-factor authentication can help prevent takeovers even when the credentials are compromised.