Netskope nombrado Líder en el Cuadrante Mágico de Gartner® 2024™ para Security Service Edge. Obtenga el informe

cerrar
cerrar
  • Por qué Netskope chevron

    Cambiar la forma en que las redes y la seguridad trabajan juntas.

  • Nuestros clientes chevron

    Netskope atiende a más de 3.000 clientes en todo el mundo, entre ellos más de 25 de las 100 empresas de Fortune

  • Nuestros Partners chevron

    Nos asociamos con líderes en seguridad para ayudarlo a asegurar su viaje a la nube.

Aún más alto en ejecución.
Aún más lejos en visión.

Sepa por qué 2024 Gartner® Cuadrante Mágico™ nombró a Netskope Líder para Security Service Edge por tercer año consecutivo.

Obtenga el informe
Netskope Nombrado líder en el gráfico 2024 Gartner® Magic Quadrant™ for Security Service Edge para Menu
Ayudamos a nuestros clientes a estar preparados para cualquier situación

Ver nuestros clientes
Woman smiling with glasses looking out window
La estrategia de venta centrada en el partner de Netskope permite a nuestros canales maximizar su expansión y rentabilidad y, al mismo tiempo, transformar la seguridad de su empresa.

Más información sobre los socios de Netskope
Group of diverse young professionals smiling
Tu red del mañana

Planifique su camino hacia una red más rápida, más segura y más resistente diseñada para las aplicaciones y los usuarios a los que da soporte.

Obtenga el whitepaper
Tu red del mañana
Presentamos la Netskope One Plataforma

Netskope One es una Plataforma nativa en la nube que ofrece servicios convergentes de seguridad y redes para hacer posible su transformación SASE y de confianza cero.

Learn about Netskope One
Abstracto con iluminación azul
Adopte una arquitectura de borde de servicio de acceso seguro (SASE)

Netskope NewEdge es la nube privada de seguridad más grande y de mayor rendimiento del mundo y ofrece a los clientes una cobertura de servicio, un rendimiento y una resiliencia incomparables.

Más información sobre NewEdge
NewEdge
Netskope Cloud Exchange

Cloud Exchange (CE) de Netskope ofrece a sus clientes herramientas de integración eficaces para que saquen partido a su inversión en estrategias de seguridad.

Más información sobre Cloud Exchange
Vídeo de Netskope
  • Servicio de seguridad Productos Edge chevron

    Protéjase contra las amenazas avanzadas y en la nube y salvaguarde los datos en todos los vectores.

  • Borderless SD-WAN chevron

    Proporcione con confianza un acceso seguro y de alto rendimiento a cada usuario remoto, dispositivo, sitio y nube.

  • Secure Access Service Edge chevron

    Netskope One SASE proporciona una solución SASE nativa en la nube, totalmente convergente y de un único proveedor.

La plataforma del futuro es Netskope

Intelligent Security Service Edge (SSE), Cloud Access Security Broker (CASB), Cloud Firewall, Next Generation Secure Web Gateway (SWG) y Private Access for ZTNA integrados de forma nativa en una única solución para ayudar a todas las empresas en su camino hacia el Servicio de acceso seguro Arquitectura perimetral (SASE).

Todos los productos
Vídeo de Netskope
Next Gen SASE Branch es híbrida: conectada, segura y automatizada

Netskope Next Gen SASE Branch converge Context-Aware SASE Fabric, Zero-Trust Hybrid Security y SkopeAI-Powered Cloud Orchestrator en una oferta de nube unificada, marcando el comienzo de una experiencia de sucursal completamente modernizada para la empresa sin fronteras.

Obtenga más información sobre Next Gen SASE Branch
Personas en la oficina de espacios abiertos.
Diseño de una arquitectura SASE para Dummies

Obtenga un ejemplar gratuito del único manual que necesitará sobre diseño de una arquitectura SASE.

Obtenga el eBook
Cambie a los servicios de seguridad en la nube líderes del mercado con una latencia mínima y una alta fiabilidad.

Más información sobre NewEdge
Lighted highway through mountainside switchbacks
Habilite de forma segura el uso de aplicaciones de IA generativa con control de acceso a aplicaciones, capacitación de usuarios en tiempo real y la mejor protección de datos de su clase.

Descubra cómo aseguramos el uso generativo de IA
Habilite de forma segura ChatGPT y IA generativa
Soluciones de confianza cero para implementaciones de SSE y SASE

Más información sobre Confianza Cero
Boat driving through open sea
Netskope logra la alta autorización FedRAMP

Elija Netskope GovCloud para acelerar la transformación de su agencia.

Más información sobre Netskope GovCloud
Netskope GovCloud
  • Recursos chevron

    Obtenga más información sobre cómo Netskope puede ayudarle a proteger su viaje hacia la nube.

  • Blog chevron

    Descubra cómo Netskope permite la transformación de la seguridad y las redes a través del borde de servicio de seguridad (SSE)

  • Eventos y Talleres chevron

    Manténgase a la vanguardia de las últimas tendencias de seguridad y conéctese con sus pares.

  • Seguridad definida chevron

    Todo lo que necesitas saber en nuestra enciclopedia de ciberseguridad.

Podcast Security Visionaries

La intersección de Zero Trust y la seguridad nacional
On the latest episode of Security Visionaries, co-hosts Max Havey and Emily Wearmouth sit down for a conversation with guest Chase Cunningham (AKA Dr. Zero Trust) about zero trust and national security.

Reproducir el pódcast
La intersección de Zero Trust y la seguridad nacional
Últimos blogs

Lea cómo Netskope puede hacer posible el viaje hacia la Confianza Cero y SASE a través de las capacidades del borde de servicio de seguridad (SSE).

Lea el blog
Sunrise and cloudy sky
SASE Week 2023: ¡Su viaje SASE comienza ahora!

Sesiones de repetición de la cuarta SASE Week.

Explorar sesiones
SASE Week 2023
¿Qué es SASE?

Infórmese sobre la futura convergencia de las herramientas de red y seguridad en el modelo de negocio actual de la nube.

Conozca el SASE
  • Empresa chevron

    Le ayudamos a mantenerse a la vanguardia de los desafíos de seguridad de la nube, los datos y la red.

  • Liderazgo chevron

    Nuestro equipo de liderazgo está firmemente comprometido a hacer todo lo necesario para que nuestros clientes tengan éxito.

  • Soluciones para clientes chevron

    Le apoyamos en cada paso del camino, garantizando su éxito con Netskope.

  • Formación y certificación chevron

    La formación de Netskope le ayudará a convertirse en un experto en seguridad en la nube.

Apoyar la sostenibilidad a través de la seguridad de los datos

Netskope se enorgullece de participar en Vision 2045: una iniciativa destinada a crear conciencia sobre el papel de la industria privada en la sostenibilidad.

Descubra más
Apoyando la sustentabilidad a través de la seguridad de los datos
Pensadores, constructores, soñadores, innovadores. Juntos, ofrecemos soluciones de seguridad en la nube de vanguardia para ayudar a nuestros clientes a proteger sus datos y usuarios.

Conozca a nuestro equipo
Group of hikers scaling a snowy mountain
El talentoso y experimentado equipo de servicios profesionales de Netskope proporciona un enfoque prescriptivo para su exitosa implementación.

Más información sobre servicios profesionales
Servicios profesionales de Netskope
Asegure su viaje de transformación digital y aproveche al máximo sus aplicaciones en la nube, web y privadas con la capacitación de Netskope.

Infórmese sobre Capacitaciones y Certificaciones
Group of young professionals working

Phishing con Cloudflare Workers: phishing transparente y contrabando de HTML

May 23 2024

Resumen

Netskope Threat Labs is tracking multiple phishing campaigns that abuse Cloudflare Workers. The campaigns are likely the work of different attackers since they use two very different techniques. One campaign (similar to the previously disclosed Azorult campaign) uses HTML smuggling, a detection evasion technique often used for downloading malware, to hide the phishing content from network inspection. The other uses a method called transparent phishing, where the attacker uses Cloudflare Workers to act as a reverse proxy server for a legitimate login page, intercepting traffic between the victim and the login page to capture credentials, cookies, and tokens.  

Netskope Threat Labs has been tracking an increasing number of Netskope users targeted by malicious content hosted in Cloudflare Workers throughout 2023 and into 2024. The number of targeted users appears to have leveled off so far in 2024, although the number of domains continues to increase. At the same time, the distinct number of applications hosting the malicious content continues to increase, indicating that attackers are constantly creating new apps to evade detections and takedowns. 

Over the past 30 days, phishing campaigns hosted on Cloudflare Workers have primarily targeted victims in Asia, North America, and Southern Europe, across multiple segments led by technology, financial services, and banking. The majority of the phishing pages Netskope Threat Labs has uncovered target Microsoft login credentials, with Gmail, Yahoo Mail, and cPanel Webmail among the other targets.

Abusing free cloud services to host malicious content, including malware and phishing pages, is a common practice among adversaries. Our most recent Threat Stats post highlights that no cloud apps are immune to such abuse and that abusive content hosted on the most popular apps tends to be most successful in reaching its victims.

Let’s take a closer look at these campaigns:  

Cloudflare Workers serving phishing sites

Cloudflare Workers is a serverless computing platform for application deployment, including serving HTML pages to visitors. Cloudflare Workers is available to free tier users and therefore abused by attackers who continuously abuse free cloud services. With a free tier account, attackers can create multiple Cloudflare Worker applications that can serve up to 100,000 access a day from their victims, using a free publicly accessible domain and a valid TLS certificate. Netskope Threat Labs has previously written about the abuse of other free services, including Cloudflare R2

Netskope Threat Labs first observed an increase in traffic to phishing pages hosted in Cloudflare Workers in Q2 2023 and spiking in Q4 2023. So far in 2024, the number of users targeted with malicious content hosted in Cloudflare Workers appears to have leveled off, but we are still seeing thousands of Netskope users attempting to access malicious content hosted in Cloudflare Workers each quarter.

At the same time, the number of distinct malicious applications that Netskope users are attempting to visit is growing. Each application has a distinct domain of the format https://{application-name}.workers.dev. The following graph shows the number of distinct domains to be steadily increasing throughout 2023 and into 2024 and has not yet leveled off.

Phishing pages smuggled through Cloudflare Workers

Several phishing campaigns hosted in Cloudflare Workers use HTML smuggling to deliver phishing pages to their victims. As described in our previous blog post, HTML smuggling is a defense evasion technique that attempts to bypass network controls by assembling the malicious payloads on the client side. In that post, the attacker saved the malicious payloads to the disk for the victim to execute. In this case, the malicious payloads are the phishing pages themselves, so the attacker simply reconstructs them and displays them in the browser. In both cases, the objective is to try to evade network-based defenses.

The attackers have embedded the actual phishing page as a blob inside a benign web page. The phishing page is initially encoded in base64 and then encoded multiple additional times to obfuscate the code and avoid static detection. To make the blob object accessible in the endpoint, they use the createObjectURL() method to create a blob URL. Then, they simulate a click on the blob URL using the click() method.

Transparent phishing hosted in Cloudflare Workers

Conventional phishing involves attackers crafting their own phishing pages that replicate legitimate login pages to trick their victims into providing their login credentials. However, the traditional approach now has some pitfalls. First, the attacker has to constantly keep their phishing page up-to-date to mimic the look and functionality of the legitimate website. Second, and more importantly, they need to overcome whatever multi-factor authentication is in place. 

These traditional phishing flaws are addressed by transparent phishing. Transparent phishing, or adversary-in-the-middle phishing, is a relatively new form of phishing where the attacker creates a server that acts as an intermediary between the authenticating service and the victim. When victims enter their login credentials and multi-factor authentication code, the transparent phishing servers will collect and forward them to the target application, successfully logging the victim into the app while collecting credentials, cookies, and tokens along the way. And, unlike traditional phishing which copies the login page, the transparent phishing page will show the exact content of the legitimate login page.

Netskope Threat Labs replicated some of the transparent phishing pages hosted in Cloudflare to better understand how they work and how to defend against them. The entire phishing page is created using a modified version of an open-source Cloudflare MITM toolkit. The attacker sets up a Cloudflare application using the “Hello World” Worker template that listens for fetch events using the addEventListener() method. Once the victim accesses the attacker’s login page, the attacker collects its web request metadata, including the HTTP request method, region, IP address, and headers, and uses it to send the request on behalf of the victim to the legitimate page.

The attacker’s application will also collect the legitimate site’s response to the victim’s request and display it to the victim. Prior to showing the response, the domain of the legitimate site will be replaced with the application’s domain.

The application will then collect the victim’s login credentials, which will subsequently be sent to the attacker either using Cloudflare webhook notification or through HTTP. Once the victim enters their credentials, they will be logged in to the legitimate website, and the attacker will collect the tokens and cookies in the response. Furthermore, the attacker will also have visibility into any additional activity the victim performs after login.

Conclusión

Cloudflare Workers is a platform that enables its users to execute serverless functions, including serving web pages to its visitors. Over the past year, Netskope Threat Labs has tracked an increase in traffic to phishing pages hosted on the service, including campaigns that use HTML smuggling to evade detection and other campaigns that use transparent, man-in-the-middle phishing pages to bypass MFA. Netskope Threat Labs will continue to monitor malicious traffic towards Cloudflare Worker applications and report phishing and other malicious content to Cloudflare to be taken down.

Recomendaciones

The scams and phishing pages described in the post are easily recognizable by the domain pattern *.workers.dev. Users can avoid becoming victims of the attacks described in this post by checking the URL. Users should always access important pages, such as their banking portal or webmail, by typing the URL directly into the web browser instead of using search engines or clicking any other links.

Netskope Threat Labs recommends that organizations review their security policies to ensure that they are adequately protected against these and similar phishing pages and scams:

  • Inspect all HTTP and HTTPS traffic, including all web and cloud traffic, to prevent users from visiting malicious websites. Netskope customers can configure their Netskope NG-SWG with a URL filtering policy to block known phishing and scam sites, and a threat protection policy to inspect all web content to identify unknown phishing and scam sites using a combination of signatures, threat intelligence, and machine learning.
  • Use  Remote Browser Isolation (RBI) technology to provide additional protection when there is a need to visit websites that fall in categories that can present higher risk, like Newly Observed and Newly Registered Domains.

IOCs

All the IOCs related to this campaign can be found in our GitHub repository.

author image
Jan Michael Alcantara
Jan Michael Alcantara is an experienced incident responder with a background on forensics, threat hunting, and incident analysis.

Stay informed!

Subscribe for the latest from the Netskope Blog