Cloudflare Pages Abuse

November 2024 by Cloudflare

Fortra’s Suspicious Email Analysis team has observed a nearly 200% and 104% increase in abuse of Cloudflare Pages and Workers platforms, respectively. Cloudflare Pages is a platform that allows developers to easily deploy static websites using Cloudflare’s global network, with features like automated deployment, custom domains, Git integration, and free Secure Sockets Layer (SSL) and Transport Layer Security (TLS) encryption. While it’s primarily used legitimately, Cloudflare Pages can be exploited for malicious purposes due to its reputation, free hosting, ease of use, and global Content Delivery Network (CDN). Threat actors can create convincing malicious sites, using custom domains and secure HTTPS connections to deceive victims. Similarly, while designed to help developers deploy and run JavaScript code directly at the edge of Cloudflare’s CDN, Cloudflare Workers can be exploited to bypass security controls or automate various attacks like brute-force login attempts. While Cloudflare does implement threat detection and phishing prevention mechanisms, security teams should be aware of these increased attacks and proactively monitor for suspicious activity, as the platform can often be misused before detection of these attacks occurs.


Introduction to the Threat

Fortra’s Suspicious Email Analysis (SEA) team has observed a nearly 200% increase of phishing attacks on Cloudflare Pages since last year and a more than 104% increase in abuse of Cloudflare Workers this year alone. A variety of different threats may be hosted on Cloudflare Pages, including phishing redirects, phishing pages and targeted email lists. Cloudflare Pages, like any web hosting or content delivery platform, can potentially be abused by threat actors for phishing if not monitored or managed properly. Additionally, malicious actors may abuse Cloudflare Workers to conduct Distributed Denial of Service (DDoS) attacks, exfiltrate user data, and more.

Fortra’s SEA team has observed a 198% increase in phishing attacks on Cloudflare Pages, rising from 460 incidents in 2023 to 1,370 incidents as of mid-October 2024. With an average of approximately 137 incidents per month, the total volume of attacks is expected to surpass 1,600 by year-end, representing a projected year-over-year increase of 257%.

Cloudflare Workers Threat Statistics
Much like Cloudflare Pages, threats utilizing Cloudflare Workers have also seen a large increase. We have witnessed a 104% increase in phishing attacks on Cloudflare Pages, rising from 2,447 incidents in 2023 to 4,999 incidents in 2024 to date. With an average of 499 incidents per month, the total volume of attacks is expected to almost reach 6,000 by year-end, representing a projected year-over-year increase of 145%.

Cloudflare Pages is enticing to legitimate developers and threat actors for most of the same reasons. Cloudflare Pages offers fast, secure, and scalable site deployment with a global CDN, easy Git integration, and built-in security features like HTTPS and DDoS protection. Cloudflare’s global CDN ensures that pages load quickly and reliably across regions, increasing their effectiveness and reach. It supports JAMstack architecture, which consists of JavaScript, APIs and Markup language and integrates with Cloudflare Workers, making it ideal for developers building static or serverless applications.
Cloudflare Pages can be an attractive target for phishing attacks due to several factors. Its strong reputation and trusted brand are easy for attackers to exploit by setting up fake sites that appear legitimate, leveraging Cloudflare’s infrastructure to deceive victims. Additionally, Cloudflare Pages offers free and easy-to-use hosting, enabling cybercriminals to quickly deploy phishing sites with minimal resources or technical skills.
The platform’s global CDN ensures fast and reliable performance, making phishing pages more effective by increasing their reach before being detected or taken down. Cloudflare’s automatic SSL/TLS encryption also adds a layer of legitimacy to these phishing sites, as users are more likely to trust sites with secure HTTPS connections. Furthermore, attackers can use custom domains and URL masking to make phishing sites appear more authentic, while Cloudflare’s reverse proxying makes it harder for security systems to trace the origin of malicious content.

Cloudflare Pages Phishing Redirect
Frequently observed by Fortra are phishing redirects utilizing Cloudflare’s Pages.dev sites. Redirects exist to hide phishing links, evade security measures and increase the likelihood of phishing scams being delivered by making users think they are clicking a trusted link. These attacks commonly start with an email, like the one pictured below, where the victim is asked to review or download a document.

The URL will download a fraudulent PDF document which contains a phishing redirect leading to the next phase of the attack. In this case, the user needs to download another document claiming to be a Company Proposal from Microsoft OneDrive. When hovering over the “Open” button, a malicious Cloudflare Pages URL is visible which takes the user to the final page of the phishing attack.
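For the monitoring side of this redirect chain, the following is an added example (not part of Fortra's report): it pulls links out of text extracted from an email or PDF, keeps those on the default Pages and Workers hostnames, and notes when the lure names a brand the host does not belong to. The brand-to-domain list, the function names and the sample text are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# pages.dev is the Pages hostname named in the article; workers.dev is the
# default hostname for Cloudflare Workers.
PLATFORMS = {"pages.dev": "Cloudflare Pages", "workers.dev": "Cloudflare Workers"}

# Assumption for this example: brands named in lures and domains they really use.
MS_DOMAINS = ("microsoft.com", "live.com", "sharepoint.com", "1drv.ms")
BRAND_DOMAINS = {"onedrive": MS_DOMAINS, "microsoft": MS_DOMAINS}

URL_RE = re.compile(r"https?://[^\s<>\"'()\[\]]+", re.IGNORECASE)


def under(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)


def triage_links(text):
    """Return Pages/Workers links in text, with the lure brands they do not belong to."""
    brands = [b for b in BRAND_DOMAINS if b in text.lower()]
    findings = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;")
        host = (urlsplit(url).hostname or "").rstrip(".").lower()
        platform = next((n for d, n in PLATFORMS.items() if under(host, d)), None)
        if platform is None:
            continue  # not hosted on a default Pages/Workers hostname
        mismatch = [b for b in brands
                    if not any(under(host, d) for d in BRAND_DOMAINS[b])]
        findings.append({"url": url, "host": host, "platform": platform,
                         "brand_mismatch": mismatch})
    return findings


# Constructed sample: text as it might be extracted from a lure email and its PDF.
SAMPLE = """Company Proposal shared with you via Microsoft OneDrive.
Open: https://constructed-proposal.pages.dev/open.
Alt: https://gate.constructed-user.workers.dev/r?id=1
Help: https://pages.dev.example.com/help
Real: https://onedrive.live.com/view
Other: https://notpages.dev/x
"""

if __name__ == "__main__":
    for f in triage_links(SAMPLE):
        print(f["platform"], f["host"], "brand mismatch:", f["brand_mismatch"])
```

A match is a reason to review the message, since most sites on these hostnames are legitimate; the brand mismatch is what raises priority.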

Cloudflare Workers
Cloudflare Workers is a serverless computing platform offered by Cloudflare that allows developers to deploy and run JavaScript code directly at the edge of Cloudflare’s CDN. This enables them to execute code client-side, on the user’s device rather than on a server, reducing latency and improving performance for web applications.
Cloudflare Workers, while designed to enhance web performance and security, can be misused for malicious purposes. Attackers might exploit them to conduct Distributed Denial of Service (DDoS) attacks, deploy phishing sites, exfiltrate sensitive user data, execute malicious redirects, inject harmful scripts, bypass security controls, or automate various attacks like brute-force login attempts.

Conclusion

Cloudflare has several security measures in place to combat abuse, including threat detection systems, phishing detection, and user reporting mechanisms to take down malicious content. Despite these efforts, cybercriminals can still exploit the platform before malicious content is detected. The risk is in how cybercriminals are misusing the service, and not in the technology itself.
Users can protect themselves from phishing by following several best practices. First, they should be cautious when interacting with unfamiliar websites, especially those requesting personal or sensitive information. Verifying the legitimacy of URLs and ensuring that the domain matches the expected source can help identify phishing attempts. Additionally, enabling two-factor authentication (2FA) for accounts adds an extra layer of security.
Developers using Cloudflare Pages should implement strong security measures such as regularly updating their site’s dependencies, using HTTPS for secure connections, and monitoring for suspicious activity. It’s also important to report any phishing attempts or malicious activity to Cloudflare for further investigation and takedown, helping to prevent wider abuse.

