New Phishing Tactics: Cloudflare Workers, HTML Smuggling, and GenAI


Posted on: 05 Jun 2024 | Author: Foresiet

Introduction

Cybersecurity researchers are ringing the alarm on new phishing campaigns exploiting Cloudflare Workers, HTML smuggling, and generative AI (GenAI) to target user credentials. These innovative techniques highlight the sophisticated strategies cybercriminals are deploying to bypass security measures and harvest sensitive information. To combat these threats, services like phishing takedown, online risk evaluation, stolen credentials detection, and darknet monitoring are essential in protecting against these advanced attacks.

Transparent Phishing with Cloudflare Workers

A novel phishing method, known as transparent phishing or adversary-in-the-middle (AitM) phishing, leverages Cloudflare Workers to serve as reverse proxy servers. This technique intercepts traffic between victims and legitimate login pages, capturing credentials, cookies, and tokens. According to Netskope researcher Jan Michael Alcantara, this approach enables attackers to collect web request metadata, credentials, and even tokens used for multi-factor authentication (MFA).

In recent months, phishing campaigns hosted on Cloudflare Workers have surged, particularly targeting victims in Asia, North America, and Southern Europe across sectors such as technology, financial services, and banking. The number of distinct domains used in these campaigns jumped from just over 1,000 in Q4 2023 to nearly 1,300 in Q1 2024. Phishing takedown services are becoming increasingly crucial to mitigate the impact of these sophisticated attacks.
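The AitM proxy described above only needs to capture the session cookie or token issued after the victim completes MFA; the proxy then reuses it from the attacker's own infrastructure. The heuristic below, added here as an illustration and not code from the Foresiet post or from Netskope, flags that replay in sign-in telemetry: one session identifier seen from a second client IP shortly after the MFA-satisfied login. The log format, field names, sample records and the 15-minute window are all constructed assumptions.

```python
# Added example: detect AitM session-token replay from sign-in telemetry.
# An AitM reverse proxy captures the post-MFA session cookie and replays it
# from the attacker's host, so the same session_id shows up from a second
# client IP (and usually a different user agent) soon after the login.
# The log format and field names below are constructed for this example.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "timestamp,user,session_id,client_ip,user_agent,event"
SAMPLE_LOG = """\
2024-06-05T09:00:01Z,alice@example.com,sess-7f3a,203.0.113.10,Mozilla/5.0 (Windows NT 10.0) Chrome/125,login_mfa_ok
2024-06-05T09:00:04Z,alice@example.com,sess-7f3a,203.0.113.10,Mozilla/5.0 (Windows NT 10.0) Chrome/125,mailbox_read
2024-06-05T09:03:30Z,alice@example.com,sess-7f3a,198.51.100.77,python-requests/2.31,mailbox_read
2024-06-05T09:04:10Z,alice@example.com,sess-7f3a,198.51.100.77,python-requests/2.31,inbox_rule_created
2024-06-05T09:10:00Z,bob@example.com,sess-c1d2,192.0.2.55,Mozilla/5.0 (Macintosh) Safari/17,login_mfa_ok
2024-06-05T09:12:00Z,bob@example.com,sess-c1d2,192.0.2.55,Mozilla/5.0 (Macintosh) Safari/17,mailbox_read
"""


def parse_log(text):
    """Parse the constructed CSV-style sign-in log into dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, sid, ip, ua, event = line.split(",", 5)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "session_id": sid,
            "ip": ip,
            "ua": ua,
            "event": event,
        })
    return events


def find_session_replay(events, window=timedelta(minutes=15)):
    """Return one alert per session whose token is used from a different
    client IP within `window` after the MFA-satisfied login."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session_id"]].append(e)

    alerts = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        logins = [e for e in evs if e["event"] == "login_mfa_ok"]
        if not logins:
            continue
        login = logins[0]
        for e in evs:
            # Only look at activity after the login and inside the window.
            if e["ts"] <= login["ts"] or e["ts"] - login["ts"] > window:
                continue
            if e["ip"] != login["ip"]:
                alerts.append({
                    "user": e["user"],
                    "session_id": sid,
                    "login_ip": login["ip"],
                    "replay_ip": e["ip"],
                    "replay_ua": e["ua"],
                    "first_seen": e["ts"],
                })
                break  # one alert per session is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_session_replay(parse_log(SAMPLE_LOG)):
        print(alert)
```

A plain IP comparison will also fire on legitimate network changes (laptop moving from office Wi-Fi to a mobile hotspot), so in production the check is usually enriched with ASN or geolocation data and combined with the follow-on actions an AitM operator typically performs, such as the inbox-rule creation in the sample.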

HTML Smuggling: A Sophisticated Payload Delivery

HTML smuggling, a technique in which JavaScript embedded in an HTML file assembles the malicious payload on the client side, is increasingly favored by threat actors. Because the payload only exists as encoded data inside the HTML until the browser decodes it, network and gateway controls see nothing but an HTML file; the technique reconstructs and displays phishing pages directly in the victim's web browser. These phishing pages typically prompt users to sign in with Microsoft Outlook or Office 365 to view fake PDF documents, thereby capturing their login credentials. Utilizing online risk evaluation services can help identify and neutralize these threats before they cause significant damage.
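Because the decoding happens in the browser, a mail gateway can still catch HTML smuggling statically by looking for the JavaScript that does the reassembly together with the embedded blob. The scanner below is an added example, not code from the post or from any vendor; the indicator list, weights, threshold and both sample attachments are constructed for the illustration, and the "payload" in the sample is base64 of harmless text.

```python
# Added example: static triage of an HTML attachment for HTML-smuggling
# indicators. A smuggling page stores the real file as an encoded string,
# decodes it with atob(), wraps it in a Blob, and hands it to the browser
# as a download, so those API calls plus a long base64 run are the tell.
# Indicator weights and the threshold are constructed for this example.
import base64
import re

# Each indicator: (compiled pattern, weight). Weights are illustrative.
INDICATORS = {
    "atob_decode": (re.compile(r"\batob\s*\(", re.I), 2),
    "blob_object": (re.compile(r"new\s+Blob\s*\(", re.I), 2),
    "object_url": (re.compile(r"createObjectURL\s*\(", re.I), 2),
    "download_attr": (re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']", re.I), 1),
    "ms_save_blob": (re.compile(r"msSaveOrOpenBlob", re.I), 2),
    "auto_click": (re.compile(r"\.click\s*\(\s*\)", re.I), 1),
}
# A long unbroken base64 run is the embedded payload itself.
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def scan_html(html, threshold=4):
    """Score an HTML attachment; return hits and a suspicious flag."""
    score = 0
    hits = []
    for name, (pattern, weight) in INDICATORS.items():
        if pattern.search(html):
            score += weight
            hits.append(name)
    blobs = LONG_B64.findall(html)
    if blobs:
        score += 2
        hits.append("embedded_base64_blob")
    return {
        "score": score,
        "hits": hits,
        "blob_count": len(blobs),
        "suspicious": score >= threshold,
    }


# Constructed sample mimicking a smuggling attachment: a fake "PDF viewer"
# that rebuilds a file client-side. The blob is base64 of harmless text so
# the example runs offline.
FAKE_PAYLOAD = base64.b64encode(b"example payload " * 20).decode()
SMUGGLING_HTML = f"""<html><body>
<p>Loading invoice.pdf ... please sign in with Office 365 to view.</p>
<script>
var data = "{FAKE_PAYLOAD}";
var bytes = Uint8Array.from(atob(data), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: 'application/octet-stream'}});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob);
a.download = 'invoice.pdf';
a.click();
</script></body></html>"""

# Constructed benign attachment for comparison.
BENIGN_HTML = """<html><body><h1>Monthly newsletter</h1>
<p>Read the full story on our website.</p>
<script>document.getElementById('x');</script></body></html>"""


if __name__ == "__main__":
    print("smuggling sample:", scan_html(SMUGGLING_HTML))
    print("benign sample:   ", scan_html(BENIGN_HTML))
```

Real samples often split the string across several variables or obfuscate the API names, so this scanner is a first-pass filter; a detonation sandbox that opens the attachment in a browser and watches for a file write remains the stronger check.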

Evolution of Phishing Techniques

One notable campaign involves invoice-themed phishing emails containing HTML attachments that masquerade as PDF viewer login pages. These pages steal users' email credentials before redirecting them to a URL hosting a fake "proof of payment."

Phishing-as-a-service (PhaaS) toolkits, such as Greatness, have also been employed to steal Microsoft 365 credentials and bypass MFA using AitM techniques. Attackers have incorporated QR codes within PDF files and utilized CAPTCHA checks to lure victims into providing their login details. Employing stolen credentials detection services can help organizations quickly identify and respond to compromised accounts.

Leveraging GenAI for Phishing

Threat actors are increasingly using generative AI to craft convincing phishing emails and deliver oversized malware payloads. These large files, often exceeding 100 MB, are designed to evade antivirus analysis: many scanning engines skip or truncate files above their size limit, so the payload passes through unscanned. Common malware delivered through this method includes Agent Tesla, AsyncRAT, Quasar RAT, and Remcos RAT. Implementing darknet monitoring services can provide early warning signs of stolen credentials being sold or traded, allowing for swift action to mitigate potential breaches.

DNS Tunneling and Malvertising

Campaigns like TrkCdn, SpamTracker, and SecShow have adopted DNS tunneling to monitor when victims interact with phishing emails and click on malicious links. This technique involves embedding content in emails that performs a DNS query to an attacker-controlled subdomain when the message is opened, so each lookup tells the attacker which recipient opened the mail and when.
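The per-recipient subdomains that make this tracking work also make it visible in resolver logs: one parent domain receives many distinct, random-looking labels that are each queried exactly once. The detector below is an added example, not code from the post or from the researchers who named these campaigns; the log format, the sample queries, the registered-domain shortcut and the thresholds are constructed assumptions.

```python
# Added example: spot DNS-based email tracking beacons in resolver logs.
# Each opened message resolves a unique per-recipient subdomain, so the
# parent domain shows many distinct leftmost labels, each queried once,
# with high character entropy. Log format and thresholds are constructed.
import math
from collections import defaultdict

# Constructed sample: "timestamp client_ip qtype qname"
SAMPLE_DNS_LOG = """\
2024-06-05T08:01:11Z 10.1.1.20 A 3f9a1c7e2b4d.cdn.example-tracker.test
2024-06-05T08:02:40Z 10.1.1.31 A 9e0b4d7a6c11.cdn.example-tracker.test
2024-06-05T08:03:05Z 10.1.1.42 A c7d2a8f05e33.cdn.example-tracker.test
2024-06-05T08:03:50Z 10.1.1.57 A 18b6e4f9a2c0.cdn.example-tracker.test
2024-06-05T08:04:12Z 10.1.1.63 A 5a4c9f1d3e77.cdn.example-tracker.test
2024-06-05T08:05:00Z 10.1.1.20 A www.example.com
2024-06-05T08:05:02Z 10.1.1.20 A mail.example.com
2024-06-05T08:06:00Z 10.1.1.31 A www.example.com
2024-06-05T08:07:00Z 10.1.1.42 A cdn.example.com
"""


def shannon_entropy(s):
    """Bits of Shannon entropy per character of the string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(text):
    """Parse the constructed log into (ts, client, qtype, qname) tuples."""
    queries = []
    for line in text.strip().splitlines():
        ts, client, qtype, qname = line.split()
        queries.append((ts, client, qtype, qname.rstrip(".").lower()))
    return queries


def registered_domain(qname):
    # Assumption for this example: the last two labels are the registered
    # domain. Production code should use the Public Suffix List instead.
    return ".".join(qname.split(".")[-2:])


def find_beacon_domains(queries, min_distinct=4, min_single_ratio=0.8,
                        min_entropy=3.0):
    """Return parent domains whose query pattern looks like per-recipient
    tracking: many distinct names, almost all queried once, high entropy."""
    per_domain = defaultdict(lambda: defaultdict(int))
    for _, _, _, qname in queries:
        per_domain[registered_domain(qname)][qname] += 1

    findings = []
    for domain, names in per_domain.items():
        if len(names) < min_distinct:
            continue
        single_ratio = sum(1 for c in names.values() if c == 1) / len(names)
        mean_entropy = sum(shannon_entropy(n.split(".")[0]) for n in names) / len(names)
        if single_ratio >= min_single_ratio and mean_entropy >= min_entropy:
            findings.append({
                "domain": domain,
                "distinct_names": len(names),
                "single_query_ratio": round(single_ratio, 2),
                "mean_label_entropy": round(mean_entropy, 2),
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacon_domains(parse_dns_log(SAMPLE_DNS_LOG)):
        print(finding)
```

Legitimate CDNs and anti-spam services also generate high-entropy hostnames, so a finding is a lead for an allow-list review and a check of which mail message the querying clients received, rather than a verdict on its own.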

Additionally, malvertising campaigns have been observed using malicious ads in search engine results to distribute information stealers and remote access trojans such as SectopRAT. Fake pages mimicking financial institutions, like Barclays, have also been set up to deliver legitimate remote desktop software, allowing attackers to gain remote access under the guise of live chat support. Regular online risk evaluation can help organizations identify such deceptive tactics and protect against them.

Conclusion

The ever-evolving landscape of phishing attacks demands robust security measures and continuous vigilance. From the use of Cloudflare Workers and HTML smuggling to the exploitation of GenAI and DNS tunneling, cybercriminals are constantly finding new ways to outsmart security systems. As these sophisticated techniques become more prevalent, it is crucial to stay informed and implement comprehensive cybersecurity strategies. Phishing takedown services, online risk evaluation, stolen credentials detection, and darknet monitoring services are vital components in safeguarding sensitive information against these advanced phishing threats.


About Foresiet!

Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization's defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.

Safeguard Your Reputation, Data, and Systems

Protect your brand, reputation, data, and systems with Foresiet's Integrated Digital Risk Platform. 24/7/365 threat monitoring for total peace of mind.
