Cybersecurity Researchers Identify Surge in Phishing Campaigns Targeting Email Services

Researchers have identified a surge in cybersecurity threats involving phishing campaigns using Cloudflare Workers to target popular email services. Attackers are utilizing HTML smuggling techniques and GenAI to steal sensitive information across various sectors and regions.

At a glance

  • Phishing campaigns using Cloudflare Workers target popular email services.
  • The attack method involves capturing sensitive information like credentials and tokens.
  • Perpetrators use HTML smuggling techniques to evade security protections.
  • Email-based phishing attacks leverage PhaaS toolkits to steal Microsoft 365 login credentials.
  • Threat actors use GenAI to craft phishing emails and deliver malware payloads.

The details

Researchers have identified a recent surge in cybersecurity threats. They have uncovered phishing campaigns utilizing Cloudflare Workers to target popular email services such as Microsoft, Gmail, Yahoo!, and cPanel Webmail.

This attack method, known as transparent phishing or adversary-in-the-middle (AitM) phishing, involves using Cloudflare Workers to capture sensitive information such as credentials, cookies, and tokens.

These phishing campaigns, which have been observed targeting victims in Asia, North America, and Southern Europe across various sectors, including technology, financial services, and banking, have seen a notable increase in traffic to Cloudflare Workers-hosted phishing pages in Q2 2023. The number of distinct domains hosting these malicious activities has also spiked during this period.

To evade security protections, the perpetrators have resorted to using HTML smuggling techniques to deploy attacks on targeted systems.

This method involves reconstructing phishing pages that are then displayed to unsuspecting users on web browsers.

Victims are typically lured into signing in with their Microsoft Outlook or Office 365 credentials under the pretense of viewing a PDF document, thereby enabling the harvesting of credentials and multi-factor authentication (MFA) codes.
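As an added example (not code from the article or from the researchers it cites), here is a small Python triage script that scores an HTML email attachment for the two-stage HTML smuggling pattern described above: an encoded payload decoded inside the browser, then turned into a file or page the user sees. The indicator lists, the verdict rule and both sample documents are my own assumptions, not a published signature.

```python
import base64
import binascii
import re

# Stage 1 indicators: the page decodes an embedded payload in the browser.
DECODE_PATTERNS = [
    r"\batob\s*\(", r"[\"']atob[\"']",  # direct and bracket-style access
    r"\bdecodeURIComponent\s*\(", r"\bUint8Array\b",
]
# Stage 2 indicators: decoded bytes become a file or page shown to the user.
DELIVERY_PATTERNS = [
    r"\bnew\s+Blob\s*\(", r"URL\.createObjectURL\s*\(",
    r"msSaveOrOpenBlob", r"document\.write\s*\(", r"\.download\s*=",
]
# A long base64 run (200+ chars) is where the smuggled content usually lives.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def analyze_html(html: str) -> dict:
    """Return indicator hits and a verdict for one HTML attachment body."""
    decode_hits = [p for p in DECODE_PATTERNS if re.search(p, html)]
    delivery_hits = [p for p in DELIVERY_PATTERNS if re.search(p, html)]
    sizes = []
    for run in BASE64_RUN.findall(html):
        try:  # keep only runs that really decode; drops long hex strings/IDs
            base64.b64decode(run, validate=True)
            sizes.append(len(run))
        except (binascii.Error, ValueError):
            pass
    # Verdict requires both stages: a data: URI image alone, or atob alone,
    # is common in legitimate mail and must not fire on its own.
    suspicious = bool(decode_hits) and bool(delivery_hits)
    return {"suspicious": suspicious, "decode": decode_hits,
            "delivery": delivery_hits, "largest_blob": max(sizes, default=0)}


# Constructed samples, not material from the reported campaigns. The "payload"
# is placeholder text and the script fragment is deliberately inert.
_BLOB = base64.b64encode(b"constructed placeholder payload " * 8).decode()
SMUGGLING_SAMPLE = f"""<html><body><p>Your document is ready.</p><script>
var p = "{_BLOB}";
var bytes = Uint8Array.from(atob(p), c => c.charCodeAt(0));
var blob = new Blob([bytes]); var u = URL.createObjectURL(blob);
</script></body></html>"""
_IMG = base64.b64encode(b"\x89PNG constructed image bytes " * 10).decode()
BENIGN_SAMPLE = f"""<html><body><p>Monthly newsletter</p>
<img src="data:image/png;base64,{_IMG}" alt="logo"></body></html>"""

if __name__ == "__main__":
    for name, doc in (("smuggling", SMUGGLING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, analyze_html(doc))
```

The benign newsletter carries a large decodable base64 image but no decode-and-deliver script, so it is reported with its blob size yet not flagged; in a mail gateway the `largest_blob` value is useful for analyst triage alongside the verdict.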

Furthermore, email-based phishing attacks have taken on various forms, with threat actors leveraging phishing-as-a-service (PhaaS) toolkits like Greatness to steal Microsoft 365 login credentials.

These malicious activities have targeted entities in sectors such as financial services, manufacturing, energy/utilities, retail, and consulting in regions including the U.S., Canada, Germany, South Korea, and Norway.

In addition, threat actors have been observed using generative artificial intelligence (GenAI) to craft phishing emails and to deliver compressed file attachments containing large malware payloads.

The file inflation method delivers additional malware, such as Agent Tesla, AsyncRAT, Quasar RAT, and Remcos RAT.

Campaigns such as TrkCdn, SpamTracker, and SecShow are leveraging Domain Name System (DNS) tunneling to monitor targets and track spam delivery.

Moreover, malvertising campaigns employ malicious ads for popular software in search engine results to deceive users into unwittingly installing information stealers and remote access trojans.

The adversarial use of GenAI for exploit development and deepfake generation underscores the need for robust security measures against these increasingly sophisticated cyber threats.

Bad actors have also been reported setting up counterfeit pages mimicking financial institutions to distribute legitimate remote desktop software like AnyDesk under the guise of offering live chat support.

Article X-ray

Facts attribution

This section links each of the article’s facts back to its original source.

If you suspect false information in the article, you can use this section to investigate where it came from.

thehackernews.com
– Cybersecurity researchers have identified phishing campaigns using Cloudflare Workers to serve phishing sites targeting Microsoft, Gmail, Yahoo!, and cPanel Webmail credentials
– The attack method, called transparent phishing or adversary-in-the-middle (AitM) phishing, uses Cloudflare Workers to capture credentials, cookies, and tokens
– Phishing campaigns hosted on Cloudflare Workers have targeted victims in Asia, North America, and Southern Europe, across technology, financial services, and banking sectors
– An increase in traffic to Cloudflare Workers-hosted phishing pages was observed in Q2 2023, with a spike in the total number of distinct domains
– Phishing campaigns use HTML smuggling to evade security protections and deploy attacks on targeted systems
– Malicious payloads are phishing pages reconstructed and displayed to users on web browsers
– Phishing pages urge victims to sign in with Microsoft Outlook or Office 365 to view a PDF document, harvesting credentials and multi-factor authentication (MFA) codes
– HTML smuggling is favored by threat actors to bypass modern defenses and serve fraudulent HTML pages and malware
– Email-based phishing attacks have taken various forms, including leveraging phishing-as-a-service (PhaaS) toolkits like Greatness to steal Microsoft 365 login credentials
– Financial services, manufacturing, energy/utilities, retail, and consulting entities in the U.S., Canada, Germany, South Korea, and Norway are top sectors targeted by Greatness PhaaS
– Threat actors are using generative artificial intelligence (GenAI) to craft phishing emails and deliver compressed file attachments containing large malware payloads
– File inflation method is used to deliver additional malware like Agent Tesla, AsyncRAT, Quasar RAT, and Remcos RAT
– Adversarial use of GenAI for exploit development and deepfake generation underscores the need for robust security measures
– Campaigns like TrkCdn, SpamTracker, and SecShow are leveraging Domain Name System (DNS) tunneling to monitor targets and track spam delivery
– Malvertising campaigns use malicious ads for popular software on search engine results to trick users into installing information stealers and remote access trojans
– Bad actors set up counterfeit pages mimicking financial institutions to deliver legitimate remote desktop software like AnyDesk under the guise of offering live chat support
