Trustwave Rapid Response: CrowdStrike Falcon Outage Update. Learn More

Trustwave Rapid Response: CrowdStrike Falcon Outage Update. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

It’s Raining Phish and Scams – How Cloudflare Pages.dev and Workers.dev Domains Get Abused

As they say, when it rains, it pours. Recently, we observed more than 3,000 phishing emails containing phishing URLs abusing services at workers.dev and pages.dev domains.

What is .dev Top Level Domain (TLD)?

The .dev  top-level domain name is operated by Google. It is incorporated on the HTTP Strict Transport Security (HSTS) preload list, requiring HTTPS on all .dev domains without individual HSTS enlistment.

Cloudflare Pages vs Workers

Both pages.dev and workers.dev domains are part of Cloudflare’s web development and hosting services. Even though both of these domains offer web development services under Cloudflare, there’s some significant differences between them.

In Cloudflare Pages, the developers can deploy their project by connecting to a Git provider, while in Cloudflare Workers, it provides a serverless execution environment. With workers.dev, you can build your page and deploy it using your local resources.

Comparing the two Cloudflare services, despite the free trial offered in workers.dev it seems pages.dev is the most abused domain, probably because of the convenience and benefit of using a Git provider like GitHub in web development.

Abused Cloudflare Domains in Phishing Emails

As mentioned earlier, we observed a lot of phishing emails containing URLs using the domains pages.dev or workers.dev. Most of the phishing emails mimicking different companies using different alarming subjects related to payment details, voicemails, pending inquiries, etc. Some of the URLs in these emails used *.pages.dev as redirection, and some are the actual phishing page.

Phishing email mimicking financial services company:

BSL_20229_image002

Figure 1. The email header containing spoofed rom address pretending to be from Westpac

BSL_20230_image004

Figure 1.1 Email body containing details about the payment made though Westpac

The email body also contains a phishing URL link that uses the pages.dev domain and contains the recipient’s email in the URL path.

BSL_20231_image006

Figure 2. Screenshot of the actual phishing URL hxxp://a211a49a8bb35[.]pages[.]dev/?email={email address}

Phishing email with URL redirection:

BSL_20232_image008

Figure 3. The email header contains malicious mailer[.]php in X-PHP-Script

The mailer script sondakikatokathaberleri[.]name[.]tr/hash/demo/mailer.php was used to compose and send the phishing email to the recipient.

BSL_20233_image010

Figure 3.1 Screenshot of sondakikatokathaberleri[.]name[.]tr/hash/demo/mailer.php

However, the domain sondakikatokathaberleri[.]name[.]tr seems to be a WordPress site still under construction.

BSL_20234_image012

Figure 3.2 Screenshot of sondakikatokathaberleri[.]name[.]tr

BSL_20235_image014

Figure 4. The email body that requires recipient for account update

The email body contains a clickable link that contains the original URL hxxps://3f303073[.]45564355zezdfxc56e667[.]pages.dev/qrdcxw52463f86302yh72-fe4367z and it contains JavaScript hosted on a pages.dev site that redirects to hxxps://helpsana[.]ro/wp-hash/1/index4[.]php which is the actual phishing page.

BSL_20236_image016

Figure 4.1 Screenshot of the source code of the URL containing phishing redirection

BSL_20237_image018

Figure 4.2 Screenshot of the phishing URL hxxps://helpsana[.]ro/wp-hash/1/index4[.]php

Other Phishing URLs with Cloudflare Pages and Workers

A phishing URL using pages.dev was also seen targeting Microsoft. The source code contains an atob function and uses a variable containing the Base64 string. The atob function decodes a string which has been encoded in Base64 encoding.

BSL_20238_image020

Figure 5. Screenshot of the actual phishing URL hxxps://1-d0asfasfjhasfa7979352jhasf.pages[.]dev/

However, when the Base64 string was decoded, it contained the URL hxxps://tutu57tututut[.]000webhostapp[.]com/don[.]php where the stolen credentials will be stored.

BSL_20239_image023

BSL_20240_image026

Figure 5.1 Screenshot of the source code with usage of variable ‘olafatob’

Below is another sample of a phishing URL that uses the workers.dev domain targeting Dropbox. The page uses a similar decoding or obfuscation technique using the atob function.

BSL_20241_image028

Figure 6. Screenshot of Phishing URL

hxxps://ancient-salad-4674.mmrctliacetgliue504[.]workers[.]dev/87c03eda-fdd4-4125-bf73-1b161178699a 

BSL_20242_image030

Figure 7. Screenshot of the encoded source code and usage of atob function

Cloudflare Pages and Workers in VirusTotal

On the other hand, over a 90-day period we observed in VirusTotal that there were at least 60,000 URLs containing the workers.dev domain, and the majority were being used in phishing activity.

BSL_20243_image032

Figure 8. Screenshot of a sample of URLs queried in VirusTotal with workers.dev

Meanwhile, at least 65,000 pages.dev URLs were also seen for the past 90 days. More than 11,000 URLs were related to scam or fake news, and they are being blocked only by Trustwave:

BSL_20244_image034

Figure 9. Screenshot of the URLs query in VirusTotal

BSL_20245_image036

Figure 10. Screenshot of the fake news site

These scam URLs use keywords like cash, money, job, etc. on the domain name followed by 1-3 digits and often contain URL links that redirect to another scam site.

BSL_20246_image038

Figure 11. Screenshot of the sample redirection to another scam URL

As of this writing, some of the scam or phishing URLs have already been taken down by Cloudflare due to malicious activity.

Conclusion

We are seeing a huge number of phishing and scam pages abusing these .dev Cloudflare services. Some phishers abused the free web services in a large-scale way. We need to be very wary of pages.dev and workers.dev links that we see in email. Most of the phishing or even scam pages we’re seeing use redirection or encoded strings in page content to avoid getting easily detected by AV products. However, Trustwave MailMarshal has protections for these campaigns.

Staying vigilant and updated on the latest threats is the most powerful key to avoid becoming a victim of such phishing or scams.

IOCs

URLs

hxxp://a211a49a8bb35[.]pages[.]dev/

hxxps://3f303073[.]45564355zezdfxc56e667[.]pages.dev/qrdcxw52463f86302yh72-fe4367z

hxxps://helpsana[.]ro/wp-hash/1/index4[.]php

hxxps://tutu57tututut[.]000webhostapp[.]com/don[.]php

hxxps://1-d0asfasfjhasfa7979352jhasf.pages[.]dev/

hxxps://ancient-salad-4674.mmrctliacetgliue504[.]workers[.]dev/87c03eda-fdd4-4125-bf73-1b161178699a

sondakikatokathaberleri[.]name[.]tr/hash/demo/mailer.php

Some Samples of Scam or Fake News URLs with a Common Domain Format

hxxps://flexjobs-10.pages[.]dev/

hxxps://safe-cash90.pages[.]dev/

hxxps://safe-cash98.pages[.]dev/

hxxps://net-cash375.pages[.]dev/

hxxps://cashgraber173.pages[.]dev/

hxxps://cash-hub4.pages[.]dev/

hxxps://moneypro105.pages[.]dev/

References

https://en.wikipedia.org/wiki/.dev

https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

https://get.dev/#get-started

https://developers.cloudflare.com/pages/

https://developers.cloudflare.com/workers/

Latest SpiderLabs Blogs

Trustwave Rapid Response: CrowdStrike Falcon Outage Update

Trustwave is proactively assessing and monitoring our clients who may have been impacted by CrowdStrike’s recently rolled-out update for its Windows users. The critical issue identified with...

Read More

Using AWS Secrets Manager and Lambda Function to Store, Rotate and Secure Keys

When working with Amazon Web Services (AWS), we often find that various AWS services need to store and manage secrets. AWS Secrets Manager is the go-to solution for this. It's a centralized service...

Read More

Facebook Malvertising Epidemic – Unraveling a Persistent Threat: SYS01

The Trustwave SpiderLabs Threat Intelligence team's ongoing study into how threat actors use Facebook for malicious activity has uncovered a new version of the SYS01 stealer. This stealer is designed...

Read More