Cloudflare’s Pages and Workers platforms have experienced a surge of malicious activity in the past year, research from Fortra’s Suspicious Email Analysis (SEA) team has revealed.
Phishing incidents on Cloudflare Pages have surged nearly 200% over the past year, while abuse of Cloudflare Workers has increased by 104%.
These findings indicate that cybercriminals are increasingly exploiting Cloudflare’s popular web hosting services to facilitate phishing schemes, data exfiltration, and other malicious attacks.
Cloudflare Pages and Phishing Activity
Cloudflare Pages is a platform for developers to deploy static websites, supported by Cloudflare’s global content delivery network (CDN). It provides features such as free SSL/TLS encryption and custom domains.
Fortra’s report reveals that phishing attacks on Cloudflare Pages increased from 460 incidents in 2023 to 1,370 in 2024, averaging 137 monthly. If this trend continues, the SEA team projects a year-end total surpassing 1,600 incidents, representing a 257% increase.
Cloudflare Pages’ ease of setup, free hosting, and global Content Delivery Network (CDN) make it attractive both to legitimate users and to threat actors, who deploy phishing sites that exploit the platform’s reputation and HTTPS encryption.
One of the most common tactics is using Cloudflare Pages to create phishing redirects. Fortra gives an example of attackers using trusted Cloudflare URLs in emails to direct victims to phishing pages. In some cases, the final destination is a phishing page mimicking the Microsoft Office 365 log-in page, where users are tricked into disclosing sensitive information.
Cloudflare Workers and Malicious Exploits
Cloudflare Workers is a serverless platform that allows developers to run JavaScript code at the edge of Cloudflare’s CDN to execute code on the client side, reduce latency, and improve web application performance.
Over the past year, cybercriminals have increasingly exploited this service to conduct attacks such as Distributed Denial of Service (DDoS) and phishing, and to gain unauthorized access to data. From 2023 to 2024, incidents involving Cloudflare Workers rose from 2,447 to 4,999, with an expected year-end total close to 6,000, marking a 145% increase.
Response and Recommendations
Although Cloudflare has implemented various security mechanisms – including phishing detection and reporting systems – it’s clear that threat actors remain undeterred.
However, Fortra points out that the risk is in how cybercriminals are misusing the service and not in the technology itself. As such, it recommends that users exercise caution when interacting with unfamiliar websites by scrutinizing URLs, employing two-factor authentication (2FA) where possible, and reporting any suspicious activity to Cloudflare. Developers, meanwhile, should update dependencies, utilize HTTPS, and regularly monitor their sites for any unusual behavior.
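As an added example (not from Fortra's report or from Cloudflare), the sketch below shows one way a mail-triage step could surface links that point at Cloudflare's shared hosting hostnames so an analyst can scrutinize them. It assumes the default `pages.dev` and `workers.dev` suffixes; the function names and the sample email are constructed for illustration. A match is a triage signal only, since both platforms host many legitimate sites.

```python
import re
from urllib.parse import urlsplit

# Shared hosting suffixes for Cloudflare Pages and Workers (assumed defaults;
# custom domains attached to a project are not covered by this check).
SHARED_SUFFIXES = {"pages.dev": "Cloudflare Pages", "workers.dev": "Cloudflare Workers"}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def classify_host(host):
    """Return the platform name if host is a project under a shared suffix."""
    host = host.rstrip(".").lower()
    for suffix, platform in SHARED_SUFFIXES.items():
        # Require a label before the suffix and a real dot boundary, so
        # "pages.dev.example.com" and "notpages.dev" do not match.
        if host.endswith("." + suffix):
            return platform
    return None


def flag_links(email_body):
    """Extract URLs from an email body and report those on shared hosts."""
    findings = []
    for raw in URL_RE.findall(email_body):
        url = raw.rstrip(".,;:!?")  # drop trailing sentence punctuation
        try:
            host = urlsplit(url).hostname  # ignores userinfo and port
        except ValueError:
            continue  # malformed URL, nothing to classify
        if not host:
            continue
        platform = classify_host(host)
        if platform:
            findings.append({"url": url, "host": host, "platform": platform})
    return findings


# Constructed sample message; every hostname below is made up.
SAMPLE_EMAIL = """\
Your mailbox is almost full. Review it here:
https://Docs-Review-Example.pages.dev/open?id=1.
Mirror: https://portal.example-team.workers.dev:443/login
Our site: https://pages.dev.example.com/help and https://www.example.org/
"""

if __name__ == "__main__":
    for f in flag_links(SAMPLE_EMAIL):
        print(f"{f['platform']:18} {f['host']}  <- {f['url']}")
```

The host is taken from the parsed URL rather than matched as a substring, so a trusted-looking name placed before an `@` or used as a left-hand label of another domain does not change the result.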
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.