Is Cloudflare safe? It was the target of another sophisticated phishing attack


Cloudflare is one of those wonders that make today’s Internet possible, a platform that allows websites to replicate themselves all over the world, and protects them from various threats, including the dreaded DDoS attacks.

It has enormous power, as it manages the data of thousands of major websites, and when it has a problem, the entire web notices it, since applications from all over the world depend on its structure to function properly.

Details of a phishing attack targeting its staff have now been made public, an attack that, if successful, could have been fatal to the company.

Cloudflare is safe

One reason Cloudflare can be considered one of the most secure companies on the web is that all employees must use multi-factor authentication. Even if someone steals the login and password for any of the machines in its infrastructure, they cannot get in without the second factor: a mobile phone, a fingerprint, face recognition or another known multi-factor method (in this case they use a hardware key).

The attack

Apparently there is a very sophisticated phishing campaign targeting several companies, and Cloudflare is one of them.

On July 20, more than 70 employees received an SMS on their phones (both personal and work) pointing to what appeared to be Cloudflare's Okta login page. The employees were suspicious, but had no idea how the criminals got their phone numbers. Most ignored the message, which claimed that “your Cloudflare schedule has been updated” and asked them to click a link. The goal was to steal employees' Cloudflare logins and passwords, and three of the more than 70 fell for it.

Because access is protected by hardware keys, the criminals couldn’t do anything with those passwords, but it didn’t end there.

They had a second attack designed to get employees to download remote access software onto their computers, which would allow the attacker to control the computer remotely. In this case, no one fell for it, so no one installed the unauthorized software.

Once the attack was identified, Cloudflare blocked the phishing domain, reset employees’ passwords and closed active sessions, just in case.

The domain used in the attack was set up less than an hour before the campaign started, so it wasn’t on any blacklists. It is therefore important to be on the lookout for links from any unknown domains, and to use tools that report the authority of a domain in case of any doubt.
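A blacklist cannot catch a domain that is minutes old, but the domain's age can. The following is an added example, not from the original article: it reads the registration event from an RDAP domain record (RFC 9083 layout) and classifies the domain by its age when the message arrived. The sample records, the 30-day threshold and the function names are assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed RDAP-style records (RFC 9083 "events" layout); not real data.
FRESH_RDAP = json.dumps({"ldhName": "sso-login.example", "events": [
    {"eventAction": "registration", "eventDate": "2024-01-15T09:20:00Z"}]})
OLD_RDAP = json.dumps({"ldhName": "intranet.example", "events": [
    {"eventAction": "registration", "eventDate": "2015-03-02T00:00:00Z"}]})
NO_DATE_RDAP = json.dumps({"ldhName": "redacted.example", "events": []})


def registration_time(rdap_json):
    """Return the timezone-aware registration time, or None if absent/invalid."""
    for event in json.loads(rdap_json).get("events", []):
        if event.get("eventAction") != "registration":
            continue
        stamp = event.get("eventDate", "").replace("Z", "+00:00")
        try:
            parsed = datetime.fromisoformat(stamp)
        except ValueError:
            return None
        # Treat a timestamp without an offset as UTC so subtraction works.
        return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)
    return None


def assess_domain(rdap_json, seen_at, min_age=timedelta(days=30)):
    """Classify a linked domain by its age when the message arrived.

    min_age is an assumed policy threshold, not a value from the article.
    """
    registered = registration_time(rdap_json)
    if registered is None:
        return "unknown-age"       # no date: do not treat as safe
    age = seen_at - registered
    if age < timedelta(0):
        return "inconsistent"      # registered after the message: bad data
    return "newly-registered" if age < min_age else "established"


if __name__ == "__main__":
    seen = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)  # constructed
    for name, rec in [("fresh", FRESH_RDAP), ("old", OLD_RDAP),
                      ("no-date", NO_DATE_RDAP)]:
        print(name, assess_domain(rec, seen))
```

A domain with no usable registration date is reported as "unknown-age" rather than "established", so missing data never counts as a pass.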

No matter how much security there is in a company, the weak point will always be the human being. We are easy to fool, and a sophisticated attack can achieve impressive results, such as the well-known case of someone posing as Microsoft support who gained the trust of the victim company for months before carrying out the attack.