The CloudSEK Threat Research Team has identified a generic phishing page capable of impersonating various brands to steal user credentials. This phishing page, hosted on Cloudflare’s workers.dev, utilizes a generic login interface and can be customized to target specific organizations. Victims’ credentials are exfiltrated to a remote server after they log in.
Affected: Cloudflare workers.dev, web3.storage
Key points:
- A generic phishing page can impersonate any brand using a standard login interface.
- The phishing page is hosted on Cloudflare’s workers.dev domain.
- Custom URLs can be created to target specific organizations by appending an employee’s email address.
- The phishing site uses screenshots of legitimate domains to deceive users.
- Stolen credentials are exfiltrated to a remote server controlled by the threat actor.
- The page’s DOM is obfuscated using JavaScript to evade detection.
- Phishing tactics include preventing users from viewing the page source.
- Similar phishing URLs have been identified using the same obfuscation techniques.
- Recommendations include employee education and phishing simulation programs.
MITRE Techniques:
- Phishing (T1566) – The phishing page impersonates legitimate brands to collect user credentials.
- Obfuscated Files or Information (T1027) – The use of obfuscated JavaScript to hide the page’s functionality.
- Exfiltration Over Command and Control Channel (T1041) – Credentials are exfiltrated to a remote server (hxxps://kagn[.]org/zebra/nmili-wabmall.php).
Indicators of Compromise:
- [url] workers-playground-broken-king-d18b.supermissions.workers.dev
- [url] hxxps://kagn[.]org/zebra/nmili-wabmall.php
- [file name] myscr939830.js
- [url] thum.io
- Check the article for all found IoCs.
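As an added example (not CloudSEK's tooling or code), the following Python script turns the indicators above into a small detection pass over web proxy logs. It flags requests to the listed hosts, POSTs to the exfiltration endpoint, and, as a heuristic, any workers.dev URL that carries an email address in its path, query or fragment, since the report states that targeted lures are built by appending an employee's email to the URL (the exact position of the email in the URL is an assumption). The log format and the sample log lines are constructed for the example; the thum.io URL shape is likewise a constructed sample.

```python
import re
from urllib.parse import urlsplit, unquote

# Known indicators from the summary above, with defanging brackets removed for matching.
IOC_HOSTS = {
    "workers-playground-broken-king-d18b.supermissions.workers.dev": "generic phishing page (workers.dev)",
    "kagn.org": "credential exfiltration server",
    "thum.io": "screenshot service used to mimic the target brand",
}
# Host and path of the exfiltration endpoint named in the report.
EXFIL_PATH = ("kagn.org", "/zebra/nmili-wabmall.php")

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Constructed log format (assumption): "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

# Constructed sample proxy log; none of these lines come from the report.
SAMPLE_LOG = """\
2024-05-01T09:12:01Z 10.0.0.15 GET https://workers-playground-broken-king-d18b.supermissions.workers.dev/#jane.doe@example.com 200
2024-05-01T09:12:02Z 10.0.0.15 GET https://image.thum.io/get/width/1200/https://example.com 200
2024-05-01T09:12:40Z 10.0.0.15 POST https://kagn.org/zebra/nmili-wabmall.php 200
2024-05-01T09:13:05Z 10.0.0.22 GET https://docs.example.com/handbook 200
2024-05-01T09:14:11Z 10.0.0.31 GET https://some-other-app.workers.dev/login?u=bob%40example.com 200
"""


def host_matches(host, ioc):
    """True when host equals the indicator or is a subdomain of it."""
    return host == ioc or host.endswith("." + ioc)


def analyse_url(method, url):
    """Return a list of (severity, reason) findings for a single request URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    for ioc, desc in IOC_HOSTS.items():
        if host_matches(host, ioc):
            findings.append(("high", f"known IoC host {ioc}: {desc}"))
    if host_matches(host, EXFIL_PATH[0]) and parts.path == EXFIL_PATH[1]:
        findings.append(("critical", f"{method} to exfiltration endpoint {EXFIL_PATH[1]}"))
    # Heuristic (assumption): a workers.dev URL that embeds an email address in the
    # path, query or fragment matches the targeted-lure construction described in the report.
    if host.endswith(".workers.dev"):
        decoded = unquote(parts.path + "?" + parts.query + "#" + parts.fragment)
        m = EMAIL_RE.search(decoded)
        if m:
            findings.append(("medium", f"workers.dev URL embeds email {m.group(0)} (possible targeted lure)"))
    return findings


def scan_log(text):
    """Parse each log line and collect alerts as dicts with line, client, severity and reason."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        for severity, reason in analyse_url(m["method"], m["url"]):
            alerts.append({"line": lineno, "client": m["client"], "severity": severity, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"line {alert['line']:>2} {alert['client']:<10} {alert['severity']:<8} {alert['reason']}")
```

The workers.dev email heuristic is deliberately scoped to that domain: an email in a URL is common elsewhere (unsubscribe links, SSO hints), so a broad version would be noisy. A client that triggers the email heuristic and then POSTs to the exfiltration endpoint within a short window is the sequence worth prioritising for credential reset.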
Full Research: https://www.cloudsek.com/blog/unmasking-cyber-deception-the-rise-of-generic-phishing-pages-targeting-multiple-brands