Hackers Abuse Cloudflare and Zendesk Pages in Sophisticated Phishing Campaign

Hackers Exploit Cloudflare and Zendesk Pages in Sophisticated Phishing Campaign to Steal User Credentials

A new wave of phishing attacks is exploiting the credibility of trusted cloud platforms like Cloudflare Pages and Zendesk to execute large-scale credential theft operations. Security researchers have uncovered an elaborate infrastructure of malicious domains designed to impersonate legitimate customer support portals, revealing an alarming escalation in the use of reputable cloud services for social engineering.



Trusted Platforms Turned Against Users

Threat actors have begun leveraging Cloudflare Pages and Zendesk—platforms widely recognized for hosting legitimate business and customer service content—to deploy phishing pages that appear genuine to unsuspecting users.

According to Arda Büyükkaya, a cyber threat intelligence analyst at EclecticIQ, over 600 malicious domains were discovered under the *.pages.dev structure, indicating a highly organized and sustained campaign.

These fake domains use typosquatting, a deceptive technique where attackers register addresses that closely mimic those of well-known brands or services. By doing so, attackers trick users into believing they are engaging with a trusted company’s official portal.


AI-Generated Phishing and Real-Time Human Interaction

Unlike typical phishing pages, these fraudulent sites employ artificial intelligence to generate dynamic and professional-looking content. Once victims land on a spoofed support page, they encounter a live chat interface staffed by real human operators—adding a convincing layer of authenticity.

These operators pose as customer support representatives, requesting personal details such as phone numbers and email addresses under the pretense of verifying the user’s identity or assisting with a technical issue.

After establishing trust, the operators prompt victims to install “Rescue”, a legitimate remote monitoring and assistance tool. When deployed on the victim’s system, however, it grants full remote access to the attackers, enabling them to harvest sensitive files, passwords, and session tokens.


Advanced Tactics: SSO Poisoning and Search Engine Abuse

The campaign also incorporates advanced techniques such as SSO poisoning through Google Site Verification and Microsoft Bing Webmaster tokens. By manipulating these verification mechanisms, attackers can make their fake pages appear legitimate to search engines and users alike—boosting visibility and evading early detection.

This combination of AI-driven content, social engineering, and abuse of legitimate tools highlights a growing evolution in phishing tactics. Attackers are no longer merely imitating trusted services—they are now embedding themselves within the same trusted infrastructure those services provide.


Implications for Cybersecurity Defenses

This attack underscores a critical challenge for defenders: the weaponization of legitimate cloud platforms. Organizations rely on services like Cloudflare and Zendesk for reliable hosting, but that same trust can be exploited when threat actors run their own operations on the same infrastructure.

Security teams must now extend monitoring beyond traditional suspicious domains to include legitimate hosting providers. Detection strategies should incorporate:

  • Continuous domain reputation monitoring
  • AI and heuristic-based detection for typosquatting
  • Verification of SSO integrations and webmaster tokens
  • Employee education on identifying sophisticated phishing interactions
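The typosquatting described earlier (brand look-alike project names under *.pages.dev) and the "heuristic-based detection for typosquatting" item in the list above can be turned into a small detection rule. The script below is an added example written for this article; it is not EclecticIQ's tooling or Cloudflare's. It scans constructed DNS/proxy log lines for hostnames under pages.dev, compares the project label against a constructed list of protected brand names (PROTECTED_BRANDS is an assumption; use your own brand and vendor inventory), and flags both exact brand containment and one-edit typos, raising the severity when a support/login lure word is also present. The support-word list and the edit-distance threshold are assumptions, not values from the article.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed list of brands to watch for (assumption); in practice this comes
# from your own brand inventory and the SaaS vendors your staff use.
PROTECTED_BRANDS = ["zendesk", "cloudflare", "examplebank"]

# Words that fake support portals commonly combine with a brand name (assumption).
SUPPORT_WORDS = {"support", "help", "helpdesk", "login", "verify",
                 "secure", "account", "chat"}

# Matches any hostname under pages.dev inside a free-form log line.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+pages\.dev)\b", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


@dataclass
class Finding:
    host: str
    brand: str
    severity: str  # "high" when a support/login lure word is also present
    reason: str


def project_label(host: str) -> str:
    """Label directly before pages.dev (the project name), ignoring any
    preview-deployment prefix such as a1b2c3d4.<project>.pages.dev."""
    return host.lower().removesuffix(".pages.dev").split(".")[-1]


def analyze_host(host: str) -> Optional[Finding]:
    """Return a Finding if the project label impersonates a protected brand."""
    label = project_label(host)
    tokens = [t for t in re.split(r"[-_0-9]+", label) if t]
    lure = any(t in SUPPORT_WORDS for t in tokens)
    for brand in PROTECTED_BRANDS:
        if brand in label:
            reason = f"label contains brand '{brand}'"
        else:
            # One-edit typos of the brand (threshold is an assumption);
            # short tokens are skipped to avoid noise.
            near = [t for t in tokens if len(t) >= 5 and levenshtein(t, brand) == 1]
            if not near:
                continue
            reason = f"token '{near[0]}' is one edit from brand '{brand}'"
        return Finding(host.lower(), brand, "high" if lure else "medium", reason)
    return None


def scan_lines(lines: List[str]) -> List[Finding]:
    """Extract pages.dev hostnames from log lines and analyze each once."""
    findings, seen = [], set()
    for line in lines:
        for host in HOST_RE.findall(line):
            h = host.lower()
            if h in seen:
                continue
            seen.add(h)
            finding = analyze_host(h)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample DNS/proxy log lines (not real telemetry).
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z dns query client=10.0.0.5 qname=zendesk-support.pages.dev type=A",
    "2024-05-01T10:00:02Z dns query client=10.0.0.5 qname=a1b2c3d4.cloudflre-help.pages.dev type=A",
    "2024-05-01T10:00:03Z proxy GET https://my-portfolio.pages.dev/ status=200",
    "2024-05-01T10:00:04Z dns query client=10.0.0.9 qname=examplebank.pages.dev type=AAAA",
    "2024-05-01T10:00:05Z proxy GET https://www.zendesk.com/ status=200",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f"[{f.severity}] {f.host}: {f.reason}")
```

Run against the constructed sample, the rule flags the two brand-plus-lure hosts as high and the bare brand host as medium, while the unrelated portfolio site and the real zendesk.com domain are left alone. Feeding it your resolver or proxy logs gives the "continuous domain reputation monitoring" the list calls for, scoped to the hosting provider the campaign abuses.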
