Phishing with Cloudflare Workers: Transparent Phishing and HTML Smuggling

May 28, 2024, 12:59 p.m.

Description

Netskope Threat Labs has been tracking an increase in phishing campaigns hosted on Cloudflare Workers. The campaigns use techniques such as HTML smuggling and transparent phishing to evade detection. The phishing pages target Microsoft and Google credentials. Netskope recommends inspecting web traffic to detect and block phishing sites.

Date

  • Created: May 28, 2024, 12:36 p.m.
  • Published: May 28, 2024, 12:36 p.m.
  • Modified: May 28, 2024, 12:59 p.m.

Indicators

Attack Patterns

  • T1566.002
  • T1566.001
  • T1566
  • T1133