Cloudflare developer domains increasingly abused by threat actors

Security pros from Fortra spot new phishing campaign abusing two Cloudflare domains
Pages, and Workers, are being used to bypass email protections and redirect people to phishing pages
The activity has risen significantly this year

Cybercriminals are abusing two Cloudflare domains to facilitate phishing attacks and push malware to their victims, researchers have claimed.

New research from cybersecurity experts Fortra claims the trend is on the rise, especially compared to 2023.

The domains, called ‘pages.dev’ and ‘workers.dev”, are used to deploy web pages and serverless computing, and given Cloudflare’s good standing in the general public’s eye, allow the crooks to bypass different endpoint protection tools and successfully compromise their targets.

A surge in abuse

Pages is a free platform where front-end developers can deploy and host static websites, or JAMstack applications, directly from their Git repository, and into Cloudflare’s Content Delivery Network (CDN).

Workers, on the other hand is a serverless platform for deploying and running JavaScript, TypeScript, or Rust code at the edge to build scalable and performant applications.

Crooks, however, use it to host intermediary phishing pages that redirect victims towards actually malicious sites. The attack starts with the usual phishing email, urging the victim to address a problem immediately. The email either carries a .PDF file, or a link in the body itself. However, since the link is towards Cloudflare’s domains, most email security solutions don’t flag it as suspicious, or malicious.

Victims are also more likely to put their guard down after seeing Cloudflare’s name in the link, or the PDF file.

“Fortra’s SEA team has observed a 198% increase in phishing attacks on Cloudflare Pages, rising from 460 incidents in 2023 to 1,370 incidents as of mid-October 2024,” the company said in its report. “With an average of approximately 137 incidents per month, the total volume of attacks is expected to surpass 1,600 by year-end, representing a projected year-over-year increase of 257%.”

Workers aren’t faring much better, either. “We have witnessed a 104% surge in phishing attacks on this platform, climbing from 2,447 incidents in 2023 to 4,999 incidents year-to-date,” the researchers added.

“Currently averaging 499 incidents per month, the total volume is expected to reach almost 6,000 by year-end, reflecting a projected 145% increase compared to the previous year.”

All phishing starts the same way – with an email message demanding urgent attention. It can be a pending invoice, a returning parcel, a security alert, or a time-sensitive giveaway. This fear of missing out, or worsening things, makes victims spring into action without considering what they’re doing. As a result, they often share their login credentials with the attackers, install malware on their computers, or even share banking and other finance data.

The best way to defend against phishing is to use common sense, and be careful when reading emails and opening attachments, even if they’re coming from seemingly reputable sources such as Cloudflare.

Via BleepingComputer