Phishing

<astro-island uid="ZEPz9t" prefix="r5" component-url="/_astro/MorePosts.Jl4lw6pa.js" component-export="default" renderer-url="/_astro/client.18JKDFkt.js" props="{"locale":[0,"en-us"],"posts":[1,[[0,{"id":[0,"641197b74543a1000a7b36cb"],"uuid":[0,"6ed10162-d624-45a3-912b-916ae3a1da33"],"title":[0,"Analyze any URL safely using the Cloudflare Radar URL Scanner"],"slug":[0,"radar-url-scanner-early-access"],"html":[0,"<figure class=\"kg-card kg-image-card\"><img src=\"http://blog.cloudflare.com/content/images/2023/03/image1-29.png\" class=\"kg-image\" alt=\"Analyze any URL safely using the Cloudflare Radar URL Scanner\" loading=\"lazy\"></figure><p>One of the first steps in an <a href=\"https://www.cloudflare.com/learning/security/what-is-information-security/\">information security</a> investigation is to gather as much context as possible. But compiling that information can become a sprawling task.</p><p>Cloudflare is excited to announce early access to a new, free tool — the <a href=\"http://radar.cloudflare.com/scan\">Radar URL Scanner</a>. Provide us a URL, and our scanner will compile a report containing a myriad of technical details: a phishing scan, SSL certificate data, HTTP request and response data, page performance data, DNS records, whether cookies are set to secure and HttpOnly, what technologies and libraries the page uses, and more.</p><figure class=\"kg-card kg-image-card\"><img src=\"http://blog.cloudflare.com/content/images/2023/03/pasted-image-0-8.png\" class=\"kg-image\" alt loading=\"lazy\"></figure><p>Let’s walk through a report on John Graham-Cumming’s blog as an example. Conveniently, all reports generated will be publicly accessible.</p><p>The first page is the summary tab, and you’ll see we’ve broken all the available data into the following categories: Security, Cookies, Network, Technology, DOM, and Performance. 
It’s a lot of content so we will jump through some highlights.</p><p>In the Summary tab itself, you’ll notice the submitted URL was <code>https://blog.jgc.org</code>. If we had received a URL short link, the scanner would have followed the redirects and generated a report for the final URL.</p><figure class=\"kg-card kg-image-card\"><img src=\"http://blog.cloudflare.com/content/images/2023/03/pasted-image-0--1--4.png\" class=\"kg-image\" alt loading=\"lazy\"></figure><p>The Security tab presents information to help determine whether a page is safe to visit with a phishing and certificates section. In our blog example, the report confirms the link we provided is not a phishing link, but there could easily be phishing scams trying to harvest personal information. We’re excited to enable wider access to our <a href=\"https://www.cloudflare.com/securitycenter/\">security infrastructure</a> with this free tool.</p><figure class=\"kg-card kg-image-card\"><img src=\"http://blog.cloudflare.com/content/images/2023/03/pasted-image-0--2--2.png\" class=\"kg-image\" alt loading=\"lazy\"></figure><p>The Cookies tab can indicate how privacy friendly a website is to its users. We show all the cookies set and their attribute values to do this. In this report, the blog loaded 2 cookies. There's the Secure flag. You’ll want that set to true as often as possible because this means the cookie may only be transmitted over HTTPS, preventing it from being observed by unauthorized parties. 
Additionally, cookies set to HttpOnly will be inaccessible to the JavaScript API, potentially mitigating <a href=\"https://www.cloudflare.com/learning/security/threats/cross-site-scripting/\">XSS</a> attacks from third-party scripts.</p><figure class=\"kg-card kg-image-card\"><img src=\"http://blog.cloudflare.com/content/images/2023/03/pasted-image-0--3--2.png\" class=\"kg-image\" alt loading=\"lazy\"></figure><p>The Technology tab enumerates the technologies, frameworks, libraries, etc that are used to power the page being scanned. Understanding the technology stack of a page can be very useful for when there are outages in a particular service, when exploits in popular libraries are discovered, or simply to understand what tools are most popular in the industry. John’s blog appears to use 7 different technologies including Google AdSense, Blogger, and Cloudflare.</p><figure class=\"kg-card kg-image-card\"><img src=\"http://blog.cloudflare.com/content/images/2023/03/pasted-image-0--4--2.png\" class=\"kg-image\" alt loading=\"lazy\"></figure><p>The Network tab shows all the HTTP transactions that occur on the page as well as the hostname’s associated DNS records. HTTP transactions are the requests and responses the page makes to load all its content. This tells engineers where the website is going to load its content. Our report of John’s blog shows a total of 82 requests.</p><figure class=\"kg-card kg-image-card\"><img src=\"http://blog.cloudflare.com/content/images/2023/03/pasted-image-0--5--1.png\" class=\"kg-image\" alt loading=\"lazy\"></figure><p>The tab also contains DNS records which are a great way to understand more about the fundamentals of the page. 
And of course, we at Cloudflare are big advocates for enabling <a href=\"https://www.cloudflare.com/dns/dnssec/how-dnssec-works/\">DNSSEC</a>.</p><figure class=\"kg-card kg-image-card\"><img src=\"http://blog.cloudflare.com/content/images/2023/03/pasted-image-0--6--1.png\" class=\"kg-image\" alt loading=\"lazy\"></figure><p>The DOM (Document Object Model) tab conveniently collates common information you may be looking for from within the page. We grouped together lists of all hyperlinks and global JavaScript variables. Additionally, we provide the raw HTML of the page for you to further analyze. Our report shows the blog’s landing page has 104 hyperlinks going off to other websites.</p><figure class=\"kg-card kg-image-card\"><img src=\"http://blog.cloudflare.com/content/images/2023/03/pasted-image-0--7--3.png\" class=\"kg-image\" alt loading=\"lazy\"></figure><p>The Performance tab presents a breakdown of the time it takes for the website to load. It’s not enough for a page to be secure for users. It must also be usable, and load speeds are a big factor in the overall experience. That’s why we’ve also included <a href=\"https://developer.mozilla.org/en-US/docs/Web/API/PerformanceNavigationTiming\">Performance Navigation Timing</a> metrics alongside our more security and privacy oriented tabs.</p><figure class=\"kg-card kg-image-card\"><img src=\"http://blog.cloudflare.com/content/images/2023/03/pasted-image-0--8--1.png\" class=\"kg-image\" alt loading=\"lazy\"></figure><p>Under the hood, one of the great things about this tool is that the underlying scanning technology uses Cloudflare’s homegrown <a href=\"http://blog.cloudflare.com/introducing-workers-browser-rendering-api/\">Workers Browser Rendering API</a> to run all our headless scans. 
You can follow that link to join the waitlist and try it out for yourself.</p><p>In the future, we envision adding features to our scanner to complement the ones from this launch: <a href=\"https://developers.cloudflare.com/radar/\">API endpoints</a> so you don’t need to rely on a GUI, private scans for more sensitive or recurring reports, and also security recommendations with integrations with the <a href=\"https://www.cloudflare.com/securitycenter/\">Cloudflare Security Center</a>. And since this is a Radar product, not only can users expect the data generated to further enhance our security threat modeling, they can also look forward to us providing back insights and visualizations from the aggregate trends we observe.</p><p>The Radar URL Scanner tool’s journey to helping make the Internet more transparent and secure has only just begun, but we’re excited for you all to try it out <a href=\"http://radar.cloudflare.com/scan\">here</a>. If you have any questions or would like to discuss enterprise level features on your wishlist, feel free to reach out via Twitter at <a href=\"https://twitter.com/CloudflareRadar\">@CloudflareRadar</a> or email us at <a href=\"mailto:radar@cloudflare.com\">radar@cloudflare.com</a>.</p>"],"comment_id":[0,"641197b74543a1000a7b36cb"],"feature_image":[0,"http://blog.cloudflare.com/content/images/2023/03/image1-28.png"],"featured":[0,false],"visibility":[0,"public"],"created_at":[0,"2023-03-15T10:02:31.000+00:00"],"updated_at":[0,"2024-01-09T23:39:37.000+00:00"],"published_at":[0,"2023-03-15T13:00:00.000+00:00"],"custom_excerpt":[0,"Try our URL Scanner. 
Cloudflare Radar’s newest free tool for an under-the-hood look at any webpage"],"codeinjection_head":[0,null],"codeinjection_foot":[0,null],"custom_template":[0,null],"canonical_url":[0,null],"authors":[1,[[0,{"id":[0,"628d60000a57f9000a8d11eb"],"name":[0,"Stanley Chiang"],"slug":[0,"stanley"],"profile_image":[0,"http://blog.cloudflare.com/content/images/2022/05/image000001-copy.jpg"],"cover_image":[0,null],"bio":[0,null],"website":[0,null],"location":[0,null],"facebook":[0,null],"twitter":[0,"@stanleyxchiang"],"meta_title":[0,null],"meta_description":[0,null],"url":[0,"http://blog.cloudflare.com/author/stanley/"]}]]],"tags":[1,[[0,{"id":[0,"6411ab864543a1000a7b37ca"],"name":[0,"#BLOG-1691"],"slug":[0,"hash-blog-1691"],"description":[0,null],"feature_image":[0,null],"visibility":[0,"internal"],"meta_title":[0,null],"meta_description":[0,null],"og_image":[0,null],"og_title":[0,null],"og_description":[0,null],"twitter_image":[0,null],"twitter_title":[0,null],"twitter_description":[0,null],"codeinjection_head":[0,null],"codeinjection_foot":[0,null],"canonical_url":[0,null],"accent_color":[0,null],"url":[0,"http://blog.cloudflare.com/404/"]}],[0,{"id":[0,"6057788c17ca5101ba6f1a7d"],"name":[0,"Security Week"],"slug":[0,"security-week"],"description":[0,null],"feature_image":[0,"http://blog.cloudflare.com/content/images/2024/03/image4-2.png"],"visibility":[0,"public"],"meta_title":[0,null],"meta_description":[0,null],"og_image":[0,null],"og_title":[0,null],"og_description":[0,null],"twitter_image":[0,null],"twitter_title":[0,null],"twitter_description":[0,null],"codeinjection_head":[0,null],"codeinjection_foot":[0,null],"canonical_url":[0,null],"accent_color":[0,null],"url":[0,"http://blog.cloudflare.com/tag/security-week/"]}],[0,{"id":[0,"5f746602c9353501baf0c835"],"name":[0,"Cloudflare 
Radar"],"slug":[0,"cloudflare-radar"],"description":[0,null],"feature_image":[0,null],"visibility":[0,"public"],"meta_title":[0,null],"meta_description":[0,null],"og_image":[0,null],"og_title":[0,null],"og_description":[0,null],"twitter_image":[0,null],"twitter_title":[0,null],"twitter_description":[0,null],"codeinjection_head":[0,null],"codeinjection_foot":[0,null],"canonical_url":[0,null],"accent_color":[0,null],"url":[0,"http://blog.cloudflare.com/tag/cloudflare-radar/"]}],[0,{"id":[0,"5d16450341acde0011a951e0"],"name":[0,"Phishing"],"slug":[0,"phishing"],"description":[0,null],"feature_image":[0,null],"visibility":[0,"public"],"meta_title":[0,null],"meta_description":[0,null],"og_image":[0,null],"og_title":[0,null],"og_description":[0,null],"twitter_image":[0,null],"twitter_title":[0,null],"twitter_description":[0,null],"codeinjection_head":[0,null],"codeinjection_foot":[0,null],"canonical_url":[0,null],"accent_color":[0,null],"url":[0,"http://blog.cloudflare.com/tag/phishing/"]}]]],"primary_author":[0,{"id":[0,"628d60000a57f9000a8d11eb"],"name":[0,"Stanley Chiang"],"slug":[0,"stanley"],"profile_image":[0,"http://blog.cloudflare.com/content/images/2022/05/image000001-copy.jpg"],"cover_image":[0,null],"bio":[0,null],"website":[0,null],"location":[0,null],"facebook":[0,null],"twitter":[0,"@stanleyxchiang"],"meta_title":[0,null],"meta_description":[0,null],"url":[0,"http://blog.cloudflare.com/author/stanley/"]}],"primary_tag":[0,null],"url":[0,"http://blog.cloudflare.com/radar-url-scanner-early-access/"],"excerpt":[0,"Try our URL Scanner. 
Cloudflare Radar’s newest free tool for an under-the-hood look at any webpage"],"reading_time":[0,4],"access":[0,true],"comments":[0,false],"og_image":[0,"http://blog.cloudflare.com/content/images/2023/03/Analyze-any-URL-safely-using-the-Cloudflare-Radar-URL-Scanner-OG-1.png"],"og_title":[0,null],"og_description":[0,null],"twitter_image":[0,"http://blog.cloudflare.com/content/images/2023/03/Analyze-any-URL-safely-using-the-Cloudflare-Radar-URL-Scanner-OG.png"],"twitter_title":[0,null],"twitter_description":[0,null],"meta_title":[0,null],"meta_description":[0,"Try our URL Scanner. Cloudflare Radar’s newest free tool for an under-the-hood look at any webpage."],"email_subject":[0,null],"frontmatter":[0,null],"feature_image_alt":[0,null],"feature_image_caption":[0,null]}],[0,{"id":[0,"6410f7c34543a1000a7b3467"],"uuid":[0,"3110c568-d8f2-4203-9026-aad3c81dc422"],"title":[0,"How sophisticated scammers and phishers are preying on customers of Silicon Valley Bank"],"slug":[0,"how-sophisticated-scammers-and-phishers-are-preying-on-customers-of-silicon-valley-bank"],"html":[0,"<!--kg-card-begin: markdown--><p><small>This post is also available in <a href=\"http://blog.cloudflare.com/zh-cn/how-sophisticated-scammers-and-phishers-are-preying-on-customers-of-silicon-valley-bank-zh-cn/\">简体中文</a>, <a href=\"http://blog.cloudflare.com/zh-tw/how-sophisticated-scammers-and-phishers-are-preying-on-customers-of-silicon-valley-bank-zh-tw/\">繁體中文</a>, <a href=\"http://blog.cloudflare.com/ja-jp/how-sophisticated-scammers-and-phishers-are-preying-on-customers-of-silicon-valley-bank-ja-jp/\">日本語</a> and <a href=\"http://blog.cloudflare.com/ko-kr/how-sophisticated-scammers-and-phishers-are-preying-on-customers-of-silicon-valley-bank-ko-kr/\">한국어</a>.</small></p>\n<!--kg-card-end: markdown--><figure class=\"kg-card kg-image-card\"><img src=\"http://blog.cloudflare.com/content/images/2023/03/SVB---Banking-Phishing.png\" class=\"kg-image\" alt=\"How sophisticated scammers and phishers are 
preying on customers of Silicon Valley Bank\" loading=\"lazy\"></figure><p>By now, the news about what happened at Silicon Valley Bank (SVB) leading up to its <a href=\"https://www.cnn.com/2023/03/11/business/svb-collapse-roundup-takeaways/index.html\">collapse</a> and takeover by the US Federal Government is well known. The rapid speed with which the collapse took place was surprising to many and the impact on organizations, both large and small, is expected to last a while. </p><p>Unfortunately, where everyone sees a tragic situation, threat actors see opportunity. We have seen this time and again - in order to breach trust and trick unsuspecting victims, threat actors overwhelmingly use topical events as lures. These follow the news cycle or known high profile events (The Super Bowl, March Madness, Tax Day, Black Friday sales, COVID-19, and on and on), since there is a greater likelihood of users falling for messages referencing what’s top of mind at any given moment. </p><p>The SVB news cycle makes for a similarly compelling topical event that threat actors can take advantage of; and it's crucial that organizations bolster their awareness campaigns and technical controls to help counter the eventual use of these tactics in upcoming attacks. It’s tragic that even as the FDIC is guaranteeing that SVB customers’ money is safe, bad actors are attempting to steal that very money!</p><h3 id=\"preemptive-action\">Preemptive action</h3><p>In anticipation of future phishing attacks taking advantage of the SVB brand, <a href=\"http://blog.cloudflare.com/introducing-cloudforce-one-threat-operations-and-threat-research/\">Cloudforce One</a> (Cloudflare’s threat operations and research team) significantly increased our brand monitoring focused on SVB’s digital presence starting March 10, 2023 and launched several additional detection modules to spot SVB-themed phishing campaigns. 
All of our customers taking advantage of our various <a href=\"https://www.cloudflare.com/zero-trust/solutions/email-security-services/\">phishing protection services</a> automatically get the benefit of these new models. </p><p>Here’s an actual example of a real campaign involving SVB that’s happening since the bank was taken over by the FDIC.</p><h3 id=\"kyc-phish-docusign-themed-svb-campaign\">KYC phish - DocuSign-themed SVB campaign</h3><p>A frequent tactic used by threat actors is to mimic ongoing KYC (Know Your Customer) efforts that banks routinely perform to validate details about their clients. This is intended to protect financial institutions against fraud, money laundering and financial crime, amongst other things. </p><p>On March 14, 2023, Cloudflare detected a large KYC phishing campaign leveraging the SVB brand in a DocuSign themed template. This campaign targeted Cloudflare and almost all industry verticals. Within the first few hours of the campaign, we detected 79 examples targeting different individuals in multiple organizations. Cloudflare is publishing one specific example of this campaign along with the tactics and observables seen to help customers be aware and vigilant of this activity. </p><h3 id=\"campaign-details\">Campaign Details</h3><p>The phishing attack shown below targeted Matthew Prince, Founder &amp; CEO of Cloudflare on March 14, 2023. It included HTML code that contains an initial link and a complex redirect chain that is four-deep. The chain begins when the user clicks the ‘<em>Review Documents’</em> link. It takes the user to a trackable analytic link run by Sizmek by Amazon Advertising Server bs[.]serving-sys[.]com. The link then further redirects the user to a Google Firebase Application hosted on the domain na2signing[.]web[.]app. The na2signing[.]web[.]app HTML subsequently redirects the user to a WordPress site which is running yet another redirector at eaglelodgealaska[.]com. 
After this final redirect, the user is sent to an attacker-controlled docusigning[.]kirklandellis[.]net website.</p><figure class=\"kg-card kg-image-card\"><img src=\"http://blog.cloudflare.com/content/images/2023/03/Screenshot-2023-03-14-at-10.11.01.png\" class=\"kg-image\" alt loading=\"lazy\"></figure><p>Campaign Timeline</p><pre><code>2023-03-14T12:05:28Z\t\tFirst Observed SVB DocuSign Campaign Launched\n2023-03-14T15:25:26Z\t\tLast Observed SVB DocuSign Campaign Launched</code></pre><h3 id=\"a-look-at-the-html-file-google-firebase-application-na2signing-web-app-\">A look at the HTML file Google Firebase application (na2signing[.]web[.]app)</h3><p>The included HTML file in the attack sends the user to a WordPress instance that has recursive redirection capability. As of this writing, we are not sure if this specific WordPress installation has been compromised or a plugin was installed to open this redirect location.</p><pre><code>&lt;html dir=\"ltr\" class=\"\" lang=\"en\"&gt;&lt;head&gt;\n &lt;title&gt;Sign in to your account&lt;/title&gt;\n \n &lt;script type=\"text/javascript\"&gt;\n window.onload = function() {\n function Redirect (url){\n window.location.href = url;\n }\n var urlParams = new URLSearchParams(window.location.href);\n var e = window.location.href;\n \n \n Redirect(\"https://eaglelodgealaska[.]com/wp-header.php?url=\"+e);\n }\n&lt;/script&gt;\n\n</code></pre><h3 id=\"indicators-of-compromise\">Indicators of Compromise</h3><pre><code>na2signing[.]web[.]app\tMalicious Google Cloudbase Application.\neaglelodgealaska[.]com\tPossibly compromised Wordpress website or an open redirect.\n\n*[.]kirklandellis[.]net\t\tAttacker Controlled Application running on at least docusigning[.]kirklandellis[.]net.\n</code></pre><h3 id=\"recommendations\">Recommendations<br></h3><!--kg-card-begin: markdown--><ol>\n<li>\n<p>Cloudflare Email Security customers can determine if they have received this campaign in their dashboard with the following search terms: 
<br><br>\n<code>SH_6a73a08e46058f0ff78784f63927446d875e7e045ef46a3cb7fc00eb8840f6f0</code> <br><br>\nCustomers can also track IOCs related to this campaign through our Threat Indicators API. Any updated IOCs will be continually pushed to the relevant API endpoints.</p>\n</li>\n<li>\n<p>Ensure that you have appropriate DMARC policy enforcement for inbound messages. Cloudflare recommends <strong>[p = quarantine]</strong> for any DMARC failures on incoming messages at a minimum. SVB’s DMARC records [<code>v=DMARC1; p=reject; pct=100</code>] explicitly state rejecting any messages that impersonate their brand and are not being sent from SVB’s list of designated and verified senders. Cloudflare Email Security customers will automatically get this enforcement based on SVB’s published DMARC records. For other domains, or to apply broader DMARC based policies on all inbound messages, Cloudflare recommends adhering to ‘Enhanced Sender Verification’ policies across all inbound emails within their <a href=\"https://developers.cloudflare.com/email-security/email-configuration/email-policies/\">Cloudflare Area 1 dashboard</a>.</p>\n</li>\n<li>\n<p>Cloudflare Gateway customers are automatically protected against these malicious URLs and domains. Customers can check their logs for these specific IOCs to determine if their organization had any traffic to these sites.</p>\n</li>\n<li>\n<p>Work with your phishing awareness and training providers to deploy SVB-themed phishing simulations for your end users, if they haven’t done so already.</p>\n</li>\n<li>\n<p>Encourage your end users to be vigilant about any ACH (Automated Clearing House) or SWIFT (Society for Worldwide Interbank Financial Telecommunication) related messages. ACH &amp; SWIFT are systems which financial institutions use for electronic funds transfers between entities. Given its large scale prevalence, ACH &amp; SWIFT phish are frequent tactics leveraged by threat actors to redirect payments to themselves. 
While we haven’t seen any large scale ACH campaigns utilizing the SVB brand over the past few days, it doesn’t mean they are not being planned or are imminent. Here are a few example subject lines to be aware of, that we have seen in similar payment fraud campaigns:</p>\n<p><em>“We’ve changed our bank details”<br>\n“Updated Bank Account Information”<br>\n“YOUR URGENT ACTION IS NEEDED -<br>\nImportant - Bank account details change”<br>\n“Important - Bank account details change”<br>\n“Financial Institution Change Notice”</em></p>\n</li>\n<li>\n<p>Stay vigilant against look-alike or cousin domains that could pop up in your email and web traffic associated with SVB. Cloudflare customers have in-built new domain controls within their email &amp; web traffic which would prevent <a href=\"https://www.cloudflare.com/learning/email-security/what-is-email-fraud/\">anomalous activity</a> coming from these new domains from getting through.</p>\n</li>\n<li>\n<p>Ensure any public facing web applications are always patched to the latest versions and run a modern Web Application Firewall service in front of your applications. The campaign mentioned above took advantage of WordPress, which is frequently used by threat actors for their phishing sites. If you’re using the Cloudflare WAF, you can be automatically protected from third party CVEs before you even know about them. Having an effective <a href=\"https://www.cloudflare.com/learning/ddos/glossary/web-application-firewall-waf/\">WAF</a> is critical to preventing threat actors from taking over your public Web presence and using it as part of a phishing campaign, SVB-themed or otherwise.</p>\n</li>\n</ol>\n<!--kg-card-end: markdown--><h3 id=\"staying-ahead\">Staying ahead</h3><p>Cloudforce One (Cloudflare’s threat operations team) proactively monitors emerging campaigns in their formative stages and publishes advisories and detection model updates to ensure our customers are protected. 
While this specific campaign is focused on SVB, the tactics seen are no different to other similar campaigns that our global network sees every day and automatically stops them before it impacts our customers. </p><p>Having a blend of strong technical controls across multiple communication channels along with a trained and vigilant workforce that is aware of the dangers posed by digital communications is crucial to stopping these attacks from going through. </p><p>Learn more about how Cloudflare can help in your own journey towards comprehensive phishing protection by using our <a href=\"https://www.cloudflare.com/zero-trust-hub/\">Zero Trust services</a> and reach out for a <a href=\"https://www.cloudflare.com/lp/emailsecurity/\">complimentary assessment today</a>.</p>"],"comment_id":[0,"6410f7c34543a1000a7b3467"],"feature_image":[0,"http://blog.cloudflare.com/content/images/2023/03/SVB---Banking-Phishing-1.png"],"featured":[0,false],"visibility":[0,"public"],"created_at":[0,"2023-03-14T22:40:03.000+00:00"],"updated_at":[0,"2024-03-27T15:38:08.000+00:00"],"published_at":[0,"2023-03-14T23:11:35.000+00:00"],"custom_excerpt":[0,"In order to breach trust and trick unsuspecting victims, threat actors overwhelmingly use topical events as lures. 
The news about what happened at Silicon Valley Bank is the latest event to watch out for and stay vigilant against opportunistic phishing campaigns using SVB as the lure"],"codeinjection_head":[0,null],"codeinjection_foot":[0,null],"custom_template":[0,null],"canonical_url":[0,null],"authors":[1,[[0,{"id":[0,"622f4079a06d57000b1befcc"],"name":[0,"Shalabh Mohan"],"slug":[0,"shalabh"],"profile_image":[0,"http://blog.cloudflare.com/content/images/2022/03/Shalabh-Mohan.jpeg"],"cover_image":[0,null],"bio":[0,null],"website":[0,null],"location":[0,null],"facebook":[0,null],"twitter":[0,null],"meta_title":[0,null],"meta_description":[0,null],"url":[0,"http://blog.cloudflare.com/author/shalabh/"]}],[0,{"id":[0,"62b0b0783cc2c5000b0dfad2"],"name":[0,"Blake Darché"],"slug":[0,"blake"],"profile_image":[0,"http://blog.cloudflare.com/content/images/2022/06/30DC176C-CDE6-4271-AD8C-CC27B2A9E730.jpeg"],"cover_image":[0,null],"bio":[0,"Head of Threat Intelligence @ Cloudflare. Former CSO/Co-Founder @ Area 1 Security. Former Incident Response @ CrowdStrike. 
Former Analyst @ National Security Agency."],"website":[0,null],"location":[0,null],"facebook":[0,null],"twitter":[0,"@blakedarche"],"meta_title":[0,null],"meta_description":[0,null],"url":[0,"http://blog.cloudflare.com/author/blake/"]}]]],"tags":[1,[[0,{"id":[0,"6410fb644543a1000a7b34d5"],"name":[0,"#BLOG-1759"],"slug":[0,"hash-blog-1759"],"description":[0,null],"feature_image":[0,null],"visibility":[0,"internal"],"meta_title":[0,null],"meta_description":[0,null],"og_image":[0,null],"og_title":[0,null],"og_description":[0,null],"twitter_image":[0,null],"twitter_title":[0,null],"twitter_description":[0,null],"codeinjection_head":[0,null],"codeinjection_foot":[0,null],"canonical_url":[0,null],"accent_color":[0,null],"url":[0,"http://blog.cloudflare.com/404/"]}],[0,{"id":[0,"5f83fab708dda903f3414b2f"],"name":[0,"Cloudflare One"],"slug":[0,"cloudflare-one"],"description":[0,null],"feature_image":[0,"http://blog.cloudflare.com/content/images/2020/10/image2-5.png"],"visibility":[0,"public"],"meta_title":[0,"Cloudflare Blog: Cloudflare One"],"meta_description":[0,"Collection of Cloudflare blog posts tagged 'Cloudflare 
One'."],"og_image":[0,null],"og_title":[0,null],"og_description":[0,null],"twitter_image":[0,null],"twitter_title":[0,null],"twitter_description":[0,null],"codeinjection_head":[0,null],"codeinjection_foot":[0,null],"canonical_url":[0,null],"accent_color":[0,null],"url":[0,"http://blog.cloudflare.com/tag/cloudflare-one/"]}],[0,{"id":[0,"5d16450341acde0011a951e0"],"name":[0,"Phishing"],"slug":[0,"phishing"],"description":[0,null],"feature_image":[0,null],"visibility":[0,"public"],"meta_title":[0,null],"meta_description":[0,null],"og_image":[0,null],"og_title":[0,null],"og_description":[0,null],"twitter_image":[0,null],"twitter_title":[0,null],"twitter_description":[0,null],"codeinjection_head":[0,null],"codeinjection_foot":[0,null],"canonical_url":[0,null],"accent_color":[0,null],"url":[0,"http://blog.cloudflare.com/tag/phishing/"]}],[0,{"id":[0,"5d16450341acde0011a9515b"],"name":[0,"Malware"],"slug":[0,"malware"],"description":[0,null],"feature_image":[0,null],"visibility":[0,"public"],"meta_title":[0,null],"meta_description":[0,null],"og_image":[0,null],"og_title":[0,null],"og_description":[0,null],"twitter_image":[0,null],"twitter_title":[0,null],"twitter_description":[0,null],"codeinjection_head":[0,null],"codeinjection_foot":[0,null],"canonical_url":[0,null],"accent_color":[0,null],"url":[0,"http://blog.cloudflare.com/tag/malware/"]}],[0,{"id":[0,"5d16450341acde0011a95265"],"name":[0,"Security"],"slug":[0,"security"],"description":[0,null],"feature_image":[0,"http://blog.cloudflare.com/content/images/2020/10/Security.png"],"visibility":[0,"public"],"meta_title":[0,"Cloudflare Blog: Security"],"meta_description":[0,"Collection of Cloudflare blog posts tagged 
'Security'."],"og_image":[0,null],"og_title":[0,null],"og_description":[0,null],"twitter_image":[0,null],"twitter_title":[0,null],"twitter_description":[0,null],"codeinjection_head":[0,null],"codeinjection_foot":[0,null],"canonical_url":[0,null],"accent_color":[0,null],"url":[0,"http://blog.cloudflare.com/tag/security/"]}],[0,{"id":[0,"62161aff1b8fa8000b5ddc9e"],"name":[0,"Email Security"],"slug":[0,"email-security"],"description":[0,null],"feature_image":[0,null],"visibility":[0,"public"],"meta_title":[0,null],"meta_description":[0,null],"og_image":[0,null],"og_title":[0,null],"og_description":[0,null],"twitter_image":[0,null],"twitter_title":[0,null],"twitter_description":[0,null],"codeinjection_head":[0,null],"codeinjection_foot":[0,null],"canonical_url":[0,null],"accent_color":[0,null],"url":[0,"http://blog.cloudflare.com/tag/email-security/"]}]]],"primary_author":[0,{"id":[0,"622f4079a06d57000b1befcc"],"name":[0,"Shalabh Mohan"],"slug":[0,"shalabh"],"profile_image":[0,"http://blog.cloudflare.com/content/images/2022/03/Shalabh-Mohan.jpeg"],"cover_image":[0,null],"bio":[0,null],"website":[0,null],"location":[0,null],"facebook":[0,null],"twitter":[0,null],"meta_title":[0,null],"meta_description":[0,null],"url":[0,"http://blog.cloudflare.com/author/shalabh/"]}],"primary_tag":[0,null],"url":[0,"http://blog.cloudflare.com/how-sophisticated-scammers-and-phishers-are-preying-on-customers-of-silicon-valley-bank/"],"excerpt":[0,"In order to breach trust and trick unsuspecting victims, threat actors overwhelmingly use topical events as lures. 
The news about what happened at Silicon Valley Bank is the latest event to watch out for and stay vigilant against opportunistic phishing campaigns using SVB as the lure"],"reading_time":[0,6],"access":[0,true],"comments":[0,false],"og_image":[0,"http://blog.cloudflare.com/content/images/2023/03/How-sophisticated-scammers-and-phishers-are-preying-on-customers-of-Silicon-Valley-Bank-OG-1.png"],"og_title":[0,null],"og_description":[0,null],"twitter_image":[0,"http://blog.cloudflare.com/content/images/2023/03/How-sophisticated-scammers-and-phishers-are-preying-on-customers-of-Silicon-Valley-Bank-OG.png"],"twitter_title":[0,null],"twitter_description":[0,null],"meta_title":[0,null],"meta_description":[0,"In order to breach trust and trick unsuspecting victims, threat actors overwhelmingly use topical events as lures. The news about what happened at Silicon Valley Bank is the latest event to watch out for and stay vigilant against opportunistic phishing campaigns using SVB as the lure"],"email_subject":[0,null],"frontmatter":[0,null],"feature_image_alt":[0,null],"feature_image_caption":[0,null]}],[0,{"id":[0,"640ee3ad806eee000a16ecb5"],"uuid":[0,"c96e6d1e-9f01-48a6-89b4-8d5fcb506521"],"title":[0,"Top 50 most impersonated brands in phishing attacks and new tools you can use to protect your employees from them"],"slug":[0,"50-most-impersonated-brands-protect-phishing"],"html":[0,"<!--kg-card-begin: markdown--><p><small>This post is also available in <a href=\"http://blog.cloudflare.com/zh-cn/50-most-impersonated-brands-protect-phishing-zh-cn/\">简体中文</a>, <a href=\"http://blog.cloudflare.com/ja-jp/50-most-impersonated-brands-protect-phishing-ja-jp/\">日本語</a>, <a href=\"http://blog.cloudflare.com/de-de/50-most-impersonated-brands-protect-phishing-de-de/\">Deutsch</a>, <a href=\"http://blog.cloudflare.com/fr-fr/50-most-impersonated-brands-protect-phishing-fr-fr/\">Français</a> and <a 
href=\"http://blog.cloudflare.com/es-es/50-most-impersonated-brands-protect-phishing-es-es/\">Español</a>.</small></p>\n<!--kg-card-end: markdown--><figure class=\"kg-card kg-image-card\"><img src=\"http://blog.cloudflare.com/content/images/2023/03/image4-7.png\" class=\"kg-image\" alt=\"Top 50 most impersonated brands in phishing attacks and new tools you can use to protect your employees from them\" loading=\"lazy\"></figure><p>Someone in your organization may have just submitted an administrator username and password for an internal system to the wrong website. And just like that, an attacker is now able to exfiltrate sensitive data.</p><p>How did it all happen? A well crafted email.</p><p>Detecting, blocking, and mitigating the risks of phishing attacks is arguably one of the hardest challenges any security team is constantly facing.</p><p>Starting today, we are opening beta access to our new brand and <a href=\"https://www.cloudflare.com/zero-trust/products/email-security/\">anti-phishing tools</a> directly from our Security Center dashboard, allowing you to catch and mitigate phishing campaigns targeting your organization even before they happen.</p><h2 id=\"the-challenge-of-phishing-attacks\">The challenge of phishing attacks</h2><p>Perhaps the most publicized threat vector over the past several months has been phishing attacks. These attacks are highly sophisticated, difficult to detect, becoming more frequent, and can have devastating consequences for businesses that fall victim to them.</p><p>One of the biggest challenges in <a href=\"https://www.cloudflare.com/learning/email-security/how-to-prevent-phishing/\">preventing phishing attacks</a> is the sheer volume and the difficulty of distinguishing legitimate emails and websites from <a href=\"https://www.cloudflare.com/learning/email-security/what-is-email-fraud/\">fraudulent ones</a>. 
Even when users are vigilant, it can be hard to spot the subtle differences that attackers use to make their phishing emails and websites look convincing.</p><p>For example, last July our Cloudflare One suite of products and use of physical security keys <a href=\"http://blog.cloudflare.com/2022-07-sms-phishing-attacks/\">thwarted the sophisticated “Oktapus” phishing attack targeting Cloudflare employees</a>. The attacker behind the “Oktapus” attack that successfully compromised <a href=\"https://www.theregister.com/2022/08/25/twilio_cloudflare_oktapus_phishing/\">more than one hundred companies</a>, registered the “cloudflare-okta.com” domain name just 40 minutes before sending it to our employees.</p><p>At that time, we identified phishing domains with our <a href=\"https://www.cloudflare.com/products/registrar/custom-domain-protection/\">secure registrar product</a>—but there was a delay in receiving the list of newly registered domains for monitoring purposes. Today, by streaming newly observed domains resolved by our <a href=\"http://blog.cloudflare.com/announcing-1111/\">1.1.1.1 resolver</a> (and other resolvers), we are able to detect phishing domains almost immediately. This gives us the upper hand and allows us to block phishing attempts before they happen.</p><p>We want to start giving our customers access to the same tools we use internally, to help you fight the ongoing challenge.</p><h2 id=\"new-brand-and-phishing-protection-tools-in-cloudflare-s-security-center\">New Brand and Phishing Protection tools in Cloudflare’s Security Center</h2><p>We’re expanding the phishing protections available to Cloudflare One customers by automatically identifying—and blocking—so-called “confusable” domains. 
Common misspellings (clodflare.com) and concatenation of services (cloudflare-okta.com) are often registered by attackers to trick unsuspecting victims into submitting private information such as passwords, and these new tools provide an additional layer of protection against such attempts.</p><p>The new Brand and Phishing Protection tools can be found under the Cloudflare Security Center, and provide even <a href=\"https://developers.cloudflare.com/security-center/tasks/\">more controls</a> (e.g. custom strings to monitor, searchable list of historical domains, etc.) to our customers. Cloudflare One plans have access, with the level of control, visibility, and automation determined by plan type.</p><figure class=\"kg-card kg-image-card kg-width-wide\"><img src=\"http://blog.cloudflare.com/content/images/2023/03/image3-6.png\" class=\"kg-image\" alt=\"Our new brand protection interface\" loading=\"lazy\"></figure><h3 id=\"new-domain-brand-matching-and-alerting\">New domain brand matching and alerting</h3><p>At the heart of our new brand protection feature is our ability to detect hostnames created specifically for phishing legitimate brands. We start by monitoring the first use of a domain or subdomain by sifting through trillions of daily DNS queries made to 1.1.1.1, Cloudflare’s public DNS resolver, in order to compile a list of hostnames seen in the wild for the first time.</p><p>Using this list, we perform <a href=\"https://en.wikipedia.org/wiki/Fuzzy_matching_(computer-assisted_translation)\">“fuzzy” matching</a>, a technique used to match two strings that are similar in meaning or spelling, against our users' saved patterns in real time. We compare the strings and calculate a similarity score based on various factors (e.g. phonetics, edit distance, substring matching). 
These saved patterns, which can be strings with <a href=\"https://en.wikipedia.org/wiki/Edit_distance\">edit distances</a>, enable our system to generate alerts whenever we detect a match with any of the domains in the list.</p><p>While our users currently have to create and save these queries, we will introduce an automated matching system in the future. This system will simplify the process of detecting matches for our users, though custom strings will still be available for security teams tracking more complex patterns.</p><figure class=\"kg-card kg-image-card kg-width-wide\"><img src=\"http://blog.cloudflare.com/content/images/2023/03/image2-6.png\" class=\"kg-image\" alt=\"Brand protection alerts\" loading=\"lazy\"></figure><h3 id=\"historical-searches\">Historical searches</h3><p>In addition to real-time monitoring, we offer historical searches (saved queries) and alerts for newly observed domains within the last 30 days. When a new pattern is created, we will display search results from the last 30 days to show any potential matches. This allows security teams to quickly assess the potential threat level of a new domain and take necessary actions.</p><p>Furthermore, this search mechanism can also be used for ad hoc domain hunting, providing additional flexibility for security teams who may need to investigate specific domains or patterns.</p><h2 id=\"observations-in-the-wild-most-phished-brands\">Observations in the wild: most phished brands</h2><p>While building out these new Brand Protection tools, we wanted to test our capabilities against a broad set of commonly phished brands. To do so, we examined the frequency with which domains containing phishing URLs were resolved against our 1.1.1.1 resolver. 
All domains that are used for shared services (like hosting sites Google, Amazon, GoDaddy) that could not be verified as a phishing attempt were removed from the data set.</p><p>The top 50 brands we found, along with one of the most commonly used domains for phishing those brands can be found in the table below.</p><!--kg-card-begin: html--><style type=\"text/css\">\n.tg {border-collapse:collapse;border-color:#ccc;border-spacing:0;}\n.tg td{background-color:#fff;border-color:#ccc;border-style:solid;border-width:1px;color:#333;\n font-family:Arial, sans-serif;font-size:14px;overflow:hidden;padding:10px 5px;word-break:normal;}\n.tg th{background-color:#f0f0f0;border-color:#ccc;border-style:solid;border-width:1px;color:#333;\n font-family:Arial, sans-serif;font-size:14px;font-weight:normal;overflow:hidden;padding:10px 5px;word-break:normal;}\n.tg .tg-1wig{font-weight:bold;text-align:left;vertical-align:top}\n.tg .tg-lqy6{text-align:right;vertical-align:top}\n.tg .tg-0lax{text-align:left;vertical-align:top}\n</style>\n<table class=\"tg\" width=\"100%\">\n<thead>\n <tr>\n <th class=\"tg-1wig\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Rank</span></th>\n <th class=\"tg-1wig\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Brand</span></th>\n <th class=\"tg-1wig\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Sample domain used to phish brand[1]</span></th>\n </tr>\n</thead>\n<tbody>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">1</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">AT&amp;T Inc.</span></td>\n <td class=\"tg-0lax\"><span 
style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">att-rsshelp[.]com</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">2</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">PayPal</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">paypal-opladen[.]be</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">3</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Microsoft</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">login[.]microsoftonline.ccisystems[.]us</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">4</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">DHL</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">dhlinfos[.]link</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">5</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Meta</span></td>\n <td class=\"tg-0lax\"><span 
style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">facebookztv[.]com</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">6</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Internal Revenue Service</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">irs-contact-payments[.]com</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">7</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Verizon</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">loginnnaolcccom[.]weebly[.]com</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">8</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Mitsubishi UFJ NICOS Co., Ltd.</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">cufjaj[.]id</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">9</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Adobe</span></td>\n <td class=\"tg-0lax\"><span 
style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">adobe-pdf-sick-alley[.]surge[.]sh</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">10</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Amazon</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">login-amazon-account[.]com</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">11</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Apple</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">apple-grx-support-online[.]com</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">12</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Wells Fargo &amp; Company</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">connect-secure-wellsfargo-com.herokuapp[.]com</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">13</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">eBay, Inc.</span></td>\n <td 
class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">www[.]ebay8[.]bar</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">14</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Swiss Post</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">www[.]swiss-post-ch[.]com</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">15</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Naver</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">uzzmuqwv[.]naveicoipa[.]tech</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">16</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Instagram (Meta)</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">instagram-com-p[.]proxy.webtoppings[.]bar</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">17</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">WhatsApp (Meta)</span></td>\n 
<td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">joingrub-whatsapp-pistol90[.]duckdns[.]org</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">18</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Rakuten</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">rakutentk[.]com</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">19</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">East Japan Railway Company</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">www[.]jreast[.]co[.]jp[.]card[.]servicelist[].bcens[.]net</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">20</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">American Express Company</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">www[.]webcome-aexp[.]com</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">21</span></td>\n <td class=\"tg-0lax\"><span 
style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">KDDI</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">aupay[.]kddi-fshruyrt[.]com</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">22</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Office365 (Microsoft)</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">office365loginonlinemicrosoft[.]weebly[.]com</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">23</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Chase Bank</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">safemailschaseonlineserviceupgrade09[.]weebly[.]com</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">24</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">AEON</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">aeon-ver1fy[.]shop</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">25</span></td>\n <td 
class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Singtel Optus Pty Limited</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">myoptus[.]mobi</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">26</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Coinbase Global, Inc.</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">supp0rt-coinbase[.]com</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">27</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Banco Bradesco S.A.</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">portalbradesco-acesso[.]com</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">28</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Caixa Econômica Federal</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">lnternetbanklng-caixa[.]com</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span 
style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">29</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">JCB Co., Ltd.</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">www[.]jcb-co-jp[.]ascaceeccea[.]ioukrg[.]top</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">30</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">ING Group</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">ing-ingdirect-movil[.]com</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">31</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">HSBC Holdings plc</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">hsbc-bm-online[.]com</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">32</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Netflix Inc</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">renew-netflix[.]com</span></td>\n </tr>\n <tr>\n <td 
class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">33</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Sumitomo Mitsui Banking Corporation</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">smbc[.]co[.]jp[.]xazee[.]com</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">34</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Nubank</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">nuvip2[.]ru</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">35</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Bank Millennium SA</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">www[.]bankmillenium-pl[.]com</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">36</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">National Police Agency Japan</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">sun[.]pollice[.]xyz</span></td>\n 
</tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">37</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Allegro</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">powiadomienieallegro[.]net</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">38</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">InPost</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">www.inpost-polska-lox.order9512951[.]info</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">39</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Correos</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">correosa[.]online</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">40</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">FedEx</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">fedexpress-couriers[.]com</span></td>\n </tr>\n <tr>\n <td 
class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">41</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">LinkedIn (Microsoft)</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">linkkedin-2[.]weebly[.]com</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">42</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">United States Postal Service</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">uspstrack-7518276417-addressredelivery-itemnumber.netlify[.]app</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">43</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Alphabet</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">www[.]googlecom[.]vn10000[.]cc</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">44</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">The Bank of America Corporation</span></td>\n <td class=\"tg-0lax\"><span 
style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">baanofamericase8[.]hostfree[.]pw</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">45</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Deutscher Paketdienst</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">dpd-info[.]net</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">46</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Banco Itaú Unibanco S.A.</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">silly-itauu[.]netlify[.]app</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">47</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Steam</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">gift-steam-discord[.]com</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">48</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Swisscom AG</span></td>\n <td 
class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">swiss-comch[.]duckdns[.]org</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">49</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">LexisNexis</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">mexce[.]live</span></td>\n </tr>\n <tr>\n <td class=\"tg-lqy6\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">50</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Orange S.A.</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">orange-france24[.]yolasite[.]com</span></td>\n </tr>\n</tbody>\n</table><!--kg-card-end: html--><!--kg-card-begin: markdown--><p><small><sup>[1]</sup> Phishing sites are typically served on a specific URL and not on the root, e.g., hxxp://example.com/login.html rather than hxxp://example.com/. Full URLs are not provided here.</small></p>\n<!--kg-card-end: markdown--><h2 id=\"combining-threat-intelligence-capabilities-with-zero-trust-enforcement\">Combining threat intelligence capabilities with Zero Trust enforcement</h2><p>The new features become a lot more effective for customers using our <a href=\"https://www.cloudflare.com/learning/security/glossary/what-is-zero-trust/\">Zero Trust</a> product suite. You can in fact easily block any confusable domains found as soon as they are detected by creating Cloudflare Gateway or DNS policy rules. 
This immediately stops your users from resolving or browsing to potentially malicious sites, thwarting attacks before they happen.</p><figure class=\"kg-card kg-image-card\"><img src=\"http://blog.cloudflare.com/content/images/2023/03/image1-12.png\" class=\"kg-image\" alt=\"Example of a DNS policy rule to block confusable domains\" loading=\"lazy\"></figure><h2 id=\"future-enhancements\">Future enhancements</h2><p>The new features are just the start of our broader brand infringement and anti-phishing security portfolio.</p><h3 id=\"matching-against-ssl-tls-certificates\">Matching against SSL/TLS certificates</h3><p>In addition to matching against domains, we also plan to match against new SSL/TLS certificates logged to <a href=\"http://blog.cloudflare.com/introducing-certificate-transparency-and-nimbus/\">Nimbus, our Certificate Transparency log</a>. By analyzing CT logs, we can identify potentially fraudulent certificates that may be used in phishing attacks. This is useful because certificates are typically issued shortly after domain registration, in an attempt to give the phishing site more legitimacy by supporting HTTPS, so a newly logged certificate for a look-alike name is an early signal.</p><h3 id=\"automatic-population-of-managed-lists\">Automatic population of managed lists</h3><p>Today, customers can script updates to the custom lists referenced in a Zero Trust blocking rule. We plan to remove that step by automatically adding matching domains to dynamically updated lists that can be referenced directly in Zero Trust rules, for example to block them in Gateway.</p><h3 id=\"changes-in-domain-ownership-and-other-metadata\">Changes in domain ownership and other metadata</h3><p>Lastly, we plan to provide the ability to monitor domains for changes in ownership or other metadata, such as registrant, name servers, or resolved IP addresses. 
This would enable customers to track changes in key information related to their domains and take appropriate action if necessary.</p><h2 id=\"getting-started\">Getting started</h2><p>If you’re an Enterprise customer, <a href=\"https://www.cloudflare.com/lp/brandprotection/\">sign up for Beta access</a> for Brand protection now to gain access to private scanning for your domains, save queries and set up alerts on matched domains.</p>"],"comment_id":[0,"640ee3ad806eee000a16ecb5"],"feature_image":[0,"http://blog.cloudflare.com/content/images/2023/03/image4-6.png"],"featured":[0,false],"visibility":[0,"public"],"created_at":[0,"2023-03-13T08:49:49.000+00:00"],"updated_at":[0,"2023-11-13T16:42:45.000+00:00"],"published_at":[0,"2023-03-13T13:05:00.000+00:00"],"custom_excerpt":[0,"We’re expanding the phishing protections available to Cloudflare One customers by automatically identifying—and blocking—so-called “confusable” domains."],"codeinjection_head":[0,null],"codeinjection_foot":[0,null],"custom_template":[0,null],"canonical_url":[0,null],"authors":[1,[[0,{"id":[0,"5fb2a9e5f6597501bc80cb16"],"name":[0,"Alexandra Moraru"],"slug":[0,"alexandra"],"profile_image":[0,"http://blog.cloudflare.com/content/images/2024/01/AlexMoraruProfilePicture.png"],"cover_image":[0,null],"bio":[0,null],"website":[0,null],"location":[0,"London"],"facebook":[0,null],"twitter":[0,"@alexandramoraru"],"meta_title":[0,null],"meta_description":[0,null],"url":[0,"http://blog.cloudflare.com/author/alexandra/"]}],[0,{"id":[0,"5d1644b141acde0011a94f5c"],"name":[0,"Patrick R. 
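The confusable-domain matching described in this post (misspellings such as cloudfalre.com, concatenations such as cloudflare-okta.com, and look-alike characters such as the digit 0 for the letter o) can be approximated locally to seed a Gateway or DNS block list while the automatic lists are still to come. The following Python script is an added example and is not Cloudflare's matching code: the brand list, the allowlist of legitimate apex domains, the look-alike map and the candidate hostnames are all constructed for the example, and in practice the candidates would come from a newly-registered-domain feed or from Certificate Transparency logs as the post describes.

```python
"""
Flag look-alike ("confusable") hostnames for a set of protected brands.

Added example, not Cloudflare's own matching code. It approximates the tactics
the posts list: extra or switched letters, omissions, look-alike characters
(0 for o, 1 for l, rn for m) and concatenation with another service
(brand-okta). All brands, allowlisted domains and sample hostnames are
assumptions constructed for the example.
"""
import re

# Brand names to protect (assumed list). Plain lower-case letters only.
BRANDS = ["cloudflare", "microsoft", "paypal", "google"]

# Legitimate apex domains that must never end up in a block rule (assumed).
ALLOWLIST = {"cloudflare.com", "microsoft.com", "paypal.com", "google.com"}

# Partial look-alike map (assumption). Multi-character entries come first so
# that "rn" becomes "m" before the single-character digit rewrites run.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"),
              ("4", "a"), ("5", "s"), ("7", "t"), ("8", "b"), ("9", "g")]


def normalize(label: str) -> str:
    """Rewrite common look-alike sequences to the letters they imitate."""
    label = label.lower()
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: an insertion, deletion, substitution
    or adjacent transposition each costs 1, so 'cloudfalre' is 1 from 'cloudflare'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def is_allowlisted(host: str) -> bool:
    """True for an allowlisted apex or any of its subdomains."""
    return any(host == apex or host.endswith("." + apex) for apex in ALLOWLIST)


def classify(host: str):
    """Return (brand, reason) when host looks like it impersonates a brand, else None.

    reason is one of: exact (brand used as a label or hyphenated token, e.g.
    cloudflare-okta.com or login.paypal.com.evil.example), homoglyph (micr0soft),
    typo (cloudfalre, microsft) or embedded (brand hidden in a longer label, googlecom).
    """
    host = host.lower().strip().rstrip(".")
    if is_allowlisted(host):
        return None
    labels = host.split(".")[:-1]            # the TLD label itself is never a brand
    for label in labels:
        tokens = [t for t in re.split(r"[-_]", label) if t] + [re.sub(r"[-_]", "", label)]
        for brand in BRANDS:
            # Short brands get no edit-distance slack: one edit from a short word
            # reaches too many legitimate names.
            slack = 1 if len(brand) >= 6 else 0
            for tok in tokens:
                if tok == brand:
                    return brand, "exact"
                norm = normalize(tok)
                if norm == brand:
                    return brand, "homoglyph"
                if slack and abs(len(norm) - len(brand)) <= slack \
                        and osa_distance(norm, brand) <= slack:
                    return brand, "typo"
            if len(brand) >= 5 and brand in normalize(label):
                return brand, "embedded"
    return None


def build_blocklist(candidates):
    """Map each flagged hostname to its verdict; the keys are what you would push
    into a Gateway or DNS policy list."""
    hits = {}
    for host in candidates:
        verdict = classify(host)
        if verdict:
            hits[host.lower().strip().rstrip(".")] = verdict
    return hits


# Constructed sample feed (not real observations).
SAMPLE_FEED = [
    "cloudfalre.com", "cloudflare-okta.com", "micr0soft.com", "rnicrosoft.com",
    "microsogft.com", "microsft.com", "login.paypal.com.example.net",
    "www.googlecom.example.cc", "www.paypal.com", "example.com",
]

if __name__ == "__main__":
    for host, (brand, reason) in build_blocklist(SAMPLE_FEED).items():
        print(f"{host:32} impersonates {brand:10} ({reason})")
```

Run it as-is to see the verdict for each constructed hostname. Two design choices matter in practice: the allowlist check runs first so your own apex and its subdomains can never be pushed into a block rule, and the `typo` class only applies to brand names of six or more letters, because one edit from a short name matches too many legitimate words. Hostnames this script flags still deserve a look before blocking; treat them as candidates for review, not as a verdict.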
Donahue"],"slug":[0,"patrick"],"profile_image":[0,"https://blog-cloudflare-com-assets.storage.googleapis.com/2020/04/me0-1.png"],"cover_image":[0,"http://blog.cloudflare.com/content/images/2018/08/general@2x-108.png"],"bio":[0,null],"website":[0,"https://www.cloudflare.com"],"location":[0,"San Francisco, CA"],"facebook":[0,null],"twitter":[0,"@prdonahue"],"meta_title":[0,null],"meta_description":[0,null],"url":[0,"http://blog.cloudflare.com/author/patrick/"]}]]],"tags":[1,[[0,{"id":[0,"640ee468806eee000a16ecbd"],"name":[0,"#BLOG-1701"],"slug":[0,"hash-blog-1701"],"description":[0,null],"feature_image":[0,null],"visibility":[0,"internal"],"meta_title":[0,null],"meta_description":[0,null],"og_image":[0,null],"og_title":[0,null],"og_description":[0,null],"twitter_image":[0,null],"twitter_title":[0,null],"twitter_description":[0,null],"codeinjection_head":[0,null],"codeinjection_foot":[0,null],"canonical_url":[0,null],"accent_color":[0,null],"url":[0,"http://blog.cloudflare.com/404/"]}],[0,{"id":[0,"6057788c17ca5101ba6f1a7d"],"name":[0,"Security 
Week"],"slug":[0,"security-week"],"description":[0,null],"feature_image":[0,"http://blog.cloudflare.com/content/images/2024/03/image4-2.png"],"visibility":[0,"public"],"meta_title":[0,null],"meta_description":[0,null],"og_image":[0,null],"og_title":[0,null],"og_description":[0,null],"twitter_image":[0,null],"twitter_title":[0,null],"twitter_description":[0,null],"codeinjection_head":[0,null],"codeinjection_foot":[0,null],"canonical_url":[0,null],"accent_color":[0,null],"url":[0,"http://blog.cloudflare.com/tag/security-week/"]}],[0,{"id":[0,"5d16450341acde0011a951e0"],"name":[0,"Phishing"],"slug":[0,"phishing"],"description":[0,null],"feature_image":[0,null],"visibility":[0,"public"],"meta_title":[0,null],"meta_description":[0,null],"og_image":[0,null],"og_title":[0,null],"og_description":[0,null],"twitter_image":[0,null],"twitter_title":[0,null],"twitter_description":[0,null],"codeinjection_head":[0,null],"codeinjection_foot":[0,null],"canonical_url":[0,null],"accent_color":[0,null],"url":[0,"http://blog.cloudflare.com/tag/phishing/"]}],[0,{"id":[0,"5d16450341acde0011a951ee"],"name":[0,"Product News"],"slug":[0,"product-news"],"description":[0,"Product News (EN)"],"feature_image":[0,"http://blog.cloudflare.com/content/images/2020/10/Product-News-1.png"],"visibility":[0,"public"],"meta_title":[0,"Cloudflare Blog: Product News"],"meta_description":[0,"Collection of Cloudflare blog posts tagged 'Product News'."],"og_image":[0,null],"og_title":[0,null],"og_description":[0,null],"twitter_image":[0,null],"twitter_title":[0,null],"twitter_description":[0,null],"codeinjection_head":[0,null],"codeinjection_foot":[0,null],"canonical_url":[0,null],"accent_color":[0,null],"url":[0,"http://blog.cloudflare.com/tag/product-news/"]}]]],"primary_author":[0,{"id":[0,"5fb2a9e5f6597501bc80cb16"],"name":[0,"Alexandra 
Moraru"],"slug":[0,"alexandra"],"profile_image":[0,"http://blog.cloudflare.com/content/images/2024/01/AlexMoraruProfilePicture.png"],"cover_image":[0,null],"bio":[0,null],"website":[0,null],"location":[0,"London"],"facebook":[0,null],"twitter":[0,"@alexandramoraru"],"meta_title":[0,null],"meta_description":[0,null],"url":[0,"http://blog.cloudflare.com/author/alexandra/"]}],"primary_tag":[0,null],"url":[0,"http://blog.cloudflare.com/50-most-impersonated-brands-protect-phishing/"],"excerpt":[0,"We’re expanding the phishing protections available to Cloudflare One customers by automatically identifying—and blocking—so-called “confusable” domains."],"reading_time":[0,7],"access":[0,true],"comments":[0,false],"og_image":[0,"http://blog.cloudflare.com/content/images/2023/03/Top-50-Most-Impersonated-Brands-in-phishing-attacks-and-new-tools-you-can-use-to-protect-your-employees-from-them-OG-3.png"],"og_title":[0,null],"og_description":[0,null],"twitter_image":[0,"http://blog.cloudflare.com/content/images/2023/03/Top-50-Most-Impersonated-Brands-in-phishing-attacks-and-new-tools-you-can-use-to-protect-your-employees-from-them-OG-2.png"],"twitter_title":[0,null],"twitter_description":[0,null],"meta_title":[0,null],"meta_description":[0,"We’re expanding the phishing protections available to Cloudflare One customers by automatically identifying—and blocking—so-called “confusable” domains. 
Common misspellings (cloudfalre.com) and concatenation of services (cloudflare-okta.com) are often registered by attackers to trick unsuspecting victims into submitting private information such as passwords, and these new tools provide an additional layer of protection against such attempts."],"email_subject":[0,null],"frontmatter":[0,null],"feature_image_alt":[0,null],"feature_image_caption":[0,null]}],[0,{"id":[0,"640ef49b806eee000a16ed07"],"uuid":[0,"4b31023d-ab3e-433f-a7f2-8a584dd09aae"],"title":[0,"How to stay safe from phishing"],"slug":[0,"stay-safe-phishing-attacks"],"html":[0,"<!--kg-card-begin: markdown--><p><small>This post is also available in <a href=\"http://blog.cloudflare.com/zh-cn/stay-safe-phishing-attacks-zh-cn/\">简体中文</a>, <a href=\"http://blog.cloudflare.com/de-de/stay-safe-phishing-attacks-de-de/\">Deutsch</a>, <a href=\"http://blog.cloudflare.com/fr-fr/stay-safe-phishing-attacks-fr-fr/\">Français</a>, <a href=\"http://blog.cloudflare.com/es-es/stay-safe-phishing-attacks-es-es/\">Español</a> and <a href=\"http://blog.cloudflare.com/ja-jp/stay-safe-phishing-attacks-ja-jp/\">日本語</a>.</small></p>\n<!--kg-card-end: markdown--><figure class=\"kg-card kg-image-card\"><img src=\"http://blog.cloudflare.com/content/images/2023/03/image3-8.png\" class=\"kg-image\" alt=\"How to stay safe from phishing (and avoid being the bait)\" loading=\"lazy\"></figure><p>As you wake up in the morning feeling sleepy and preoccupied, you receive an urgent email from a seemingly familiar source, and without much thought, you click on a link that you shouldn't have. 
Sometimes it’s that simple, and with this more than <a href=\"https://en.wikipedia.org/wiki/Phishing\">30-year-old phishing</a> method, chaos breaks loose: whether it’s your personal bank account or social media, where the attacker then starts tricking your family and friends too, or your company, where it can mean systems and data being compromised, services being disrupted, and everything that follows from that. Following up on our “<a href=\"http://blog.cloudflare.com/50-most-impersonated-brands-protect-phishing\">Top 50 Most Impersonated Brands in phishing attacks</a>” post, here are some tips to catch these scams before you fall for them.</p><p>We’re all human, and responding to or interacting with a malicious email remains the primary way to breach organizations. According to <a href=\"https://www.cisa.gov/stopransomware/general-information\">CISA</a>, 90% of cyber attacks begin with a phishing email, and losses from a related type of attack, business email compromise (BEC), are a <a href=\"https://www.ic3.gov/Media/Y2022/PSA220504\">$43 billion</a> problem facing organizations. One thing is for sure: phishing attacks are getting <a href=\"https://www.zdnet.com/article/phishing-attacks-are-getting-scarily-sophisticated-heres-what-to-watch-out-for/\">more sophisticated</a> every day thanks to emerging tools like <a href=\"https://www.cloudflare.com/learning/ai/what-is-artificial-intelligence/\">AI</a> chatbots and the expanded usage of various communication apps (Teams, Google Chat, Slack, LinkedIn, etc.).</p><h3 id=\"what-is-phishing-where-it-starts-the-hacker-s-foot-in-the-door-\">What is phishing? Where it starts (the hacker’s foot in the door)</h3><p>It seems simple, but it is always good to remind everyone in simple terms. 
<a href=\"https://www.cloudflare.com/learning/access-management/phishing-attack/\">Email phishing</a> is a deceptive technique where the attacker uses various types of bait, such as a convincing email or link, to trick victims into providing sensitive information or downloading malware. If the bait works — the attacker only needs it to work once — and the victim clicks on that link, the attacker now has a foot in the door to carry out further attacks with potentially devastating consequences. Anyone can be fooled by a general “phish” — but these attacks can also be focused on a single target, with specific information about the victim, called <a href=\"https://www.cloudflare.com/learning/access-management/spear-phishing/\">spear phishing</a>.</p><p>Recent examples of phishing include <a href=\"https://www.zdnet.com/article/reddit-was-hit-with-a-phishing-attack-how-it-responded-is-a-lesson-for-everyone/\">Reddit</a> as a target, Twilio, and also Cloudflare in a similar attack around the same time — we explain here “<a href=\"http://blog.cloudflare.com/2022-07-sms-phishing-attacks/\">The mechanics of a sophisticated phishing scam and how we stopped it</a>” thanks to our own use of <a href=\"https://www.cloudflare.com/cloudflare-one/\">Cloudflare One products</a>. In some cases, a <a href=\"https://www.zdnet.com/article/lastpass-breach-hackers-put-malware-on-engineers-home-computer-to-steal-their-password/\">home computer</a> of an employee as a target can be the door opening for hackers in what is a few weeks later a major breach.</p><p>Some alerts to bear in mind include the UK's<a href=\"https://www.ncsc.gov.uk/news/spear-phishing-campaigns-targets-of-interest\"> National Cyber Security Centre</a> (NCSC), that phishing attacks are targeting individuals and organizations in a range of sectors. 
The <a href=\"https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf\">White House</a> National Cybersecurity Strategy (<a href=\"http://blog.cloudflare.com/the-white-houses-national-cybersecurity-strategy-asks-the-private-sector-to-step-up-to-fight-cyber-attacks-cloudflare-is-ready/\">Cloudflare is ready</a> for that) also highlights those risks. <a href=\"https://www.politico.eu/article/germany-must-overhaul-its-national-security-strategy-interior-minister-says/\">Germany</a>, <a href=\"https://asia.nikkei.com/Politics/Japan-to-upgrade-cyber-defense-allowing-preemptive-measures\">Japan</a> and <a href=\"https://www.theregister.com/2022/12/11/asia_tech_news_roundup/\">Australia</a> are working on a similar approach.</p><p>Without further ado, here are some tips to protect yourself from phishing attacks.</p><h3 id=\"tips-for-staying-safe-online-how-to-avoid-being-reeled-in-by-phishing-scams\">Tips for Staying Safe Online: How to Avoid Being Reeled in By Phishing Scams</h3><ul><li><strong>Don’t click strategy. </strong>If you get an email from your bank or a government agency like the IRS, don't click the link in the email; type the organization's address yourself or use a bookmark you already trust.</li><li><strong>Look out for misspellings or strange characters in the sender’s email address. </strong>Phishing attempts often rely on look-alike domains or ‘from’ addresses to encourage clicks. 
Common tactics are extra or switched letters (microsogft[.]com), omissions (microsft[.]com) or characters that look alike (the letter o and the digit 0, as in micr0soft[.]com).</li></ul><p>Here's a classic brand impersonation phish, using Chase as the trusted lure:</p><figure class=\"kg-card kg-image-card kg-card-hascaption\"><img src=\"http://blog.cloudflare.com/content/images/2023/03/image1-13.png\" class=\"kg-image\" alt loading=\"lazy\"><figcaption><em>The link in the text body appears to be a Chase domain, but when clicked, it actually opens a SendGrid URL (a known email delivery platform). It then redirects the user to a phishing site impersonating Chase.</em></figcaption></figure><ul><li><strong>Think before clicking links to “unlock account” or “update payment details.” </strong>Technology services were one of the top industries used in phishing campaigns, because of the personal information that can be found in our email, online storage, and social media accounts. Hover over a link and confirm it points to a URL you’re familiar with before clicking; the visible text of a link says nothing about where it actually goes.</li><li><strong>Be wary of financial-related messages. </strong>Financial institutions are the industry most likely to be phished, so pause and assess any message asking you to accept or make a payment.</li><li><strong>Look out for messages that create a sense of urgency. </strong>Emails or text messages that warn of a final chance to pick up a package, or a last chance to confirm an account, are likely fake. The rise in online shopping during the pandemic has made retail and logistics/shipping companies a hot target for these types of phishing attempts.<br><br>Both financial and package-delivery scams typically arrive as SMS phishing, or smishing, where the attacker uses text messages to lure victims. 
Cloudflare was the target of this type of phishing a few <a href=\"http://blog.cloudflare.com/2022-07-sms-phishing-attacks/\">months ago</a> (it was stopped). Next, we show you an example of a text message from that thwarted attack:</li></ul><figure class=\"kg-card kg-image-card\"><img src=\"http://blog.cloudflare.com/content/images/2023/03/image4-8.png\" class=\"kg-image\" alt loading=\"lazy\"></figure><ul><li><strong>If things sound too good to be true, they probably are. </strong>Beware of \"limited time offers\" for free gifts, exclusive services, or great deals on trips to Hawaii or the Maldives. Phishing emails target our senses of satisfaction, pleasure, and excitement to compel us to make split-second decisions without thinking things through. These types of tactics are lures for a user to click on a link or provide sensitive information. Pause, even if it's for a few seconds, and quickly look up the offer online to see if others have received similar offers.</li><li><strong>Very important message from a very important…</strong> Phishing emails sometimes mimic high-ranking individuals, urging urgent action such as money transfers or credential sharing. Scrutinize emails with such requests and verify their authenticity through a channel you already trust, not by replying to the message: if the sender claims to be your CEO, check with your manager. For senders you don't know, including supposed public figures, assess whether the request is even plausible before responding.</li><li><strong>The message body is full of errors (but beware of AI tools). </strong>Poor grammar, spelling, and sentence structure may indicate that an email is not from a reputable source. That said, recent <a href=\"https://www.cloudflare.com/learning/ai/what-is-artificial-intelligence/\">AI</a> text tools have made it easier for hackers or bad actors to create convincing and error-free copy.</li><li><a href=\"https://www.fbi.gov/how-we-can-help-you/safety-resources/scams-and-safety/common-scams-and-crimes/romance-scams\"><strong>Romance scam</strong></a><strong> emails. 
</strong>These are emails where scammers adopt a fake online identity to gain a victim's affection and trust. They may also send an email that appears to have been sent in error, prompting the recipient to respond and so initiating a conversation with the fraudster. This <a href=\"https://www.cloudflare.com/learning/email-security/what-is-email-fraud/\">tactic</a> is used to lure victims.</li><li><strong>Use a password manager. </strong>A password manager checks that the domain matches the one the credential was saved for before filling it in, so it will not offer your password on a look-alike domain; a missing autofill prompt on a familiar-looking login page is itself a warning sign.</li></ul><p>If you want to apply even greater scrutiny to a potential phishing email, you can check out our <a href=\"https://www.cloudflare.com/learning/email-security/how-to-identify-a-phishing-email/\">learning center</a> to understand what happens when an email does not pass standard authentication methods like SPF, DKIM, or DMARC.</p><p>A few more Cloudflare-related trends, besides the <a href=\"http://blog.cloudflare.com/50-most-impersonated-brands-protect-phishing\">Top 50 Most Impersonated Brands</a>, come from <a href=\"https://www.cloudflare.com/products/zero-trust/email-security/\">Cloudflare Area 1</a>. In 2022, our email protection services <a href=\"https://www.cloudflare.com/learning/email-security/how-to-prevent-phishing/\">identified</a> and kept 2.3 billion unwanted messages out of customer inboxes. On average, we blocked 6.3 million messages per day. That’s almost 44,000 every 10 minutes, which is about the time it takes to read a blog post like this one.</p><p>Typically, the types of email threats most used (looking at our Area 1 January 2023 data) are: identity deception, malicious links, brand impersonation, malicious attachments, scam, extortion, account compromise. 
And there’s also <a href=\"https://www.cloudflare.com/learning/email-security/what-is-vishing/\">voice phishing</a>.</p><p>Voice phishing, also known as vishing, is another common threat: the practice of tricking people into sharing sensitive information over telephone calls. Victims are led to believe they are talking to a trusted entity, such as the tax authority, their employer, or an airline they use. <a href=\"https://www.cloudflare.com/learning/email-security/what-is-vishing/\">Here</a>, you can learn more about protecting yourself or your company from voice phishing.</p><p>Another type of attack is the <a href=\"https://en.wikipedia.org/wiki/Watering_hole_attack\">watering hole attack</a>, where hackers identify websites frequented by users within a targeted organization and then compromise those websites to distribute malware. Those are often associated with <a href=\"https://www.ncsc.gov.uk/collection/supply-chain-security/watering-hole-attacks\">supply chain</a> exploitation.</p><p>Next is an example of a phishing email sent from a real vendor whose email account had been hacked, in what is called vendor invoice fraud:</p><figure class=\"kg-card kg-image-card\"><img src=\"http://blog.cloudflare.com/content/images/2023/03/image2-7.png\" class=\"kg-image\" alt loading=\"lazy\"></figure><p>Last but not least in our list of examples, there’s also calendar phishing, where a fraudster can use a cloud email account to inject fake invites into target employees' calendars. 
Those are detected and blocked by our <a href=\"http://blog.cloudflare.com/phishing-threat-indicators-in-zero-trust/\">Cloudflare Zero Trust</a> products.</p><h3 id=\"email-link-isolation-approach-a-safety-net-for-phishing-attacks\">Email Link Isolation approach: a safety net for phishing attacks</h3><p>As we wrote <a href=\"http://blog.cloudflare.com/area1-eli-ga/\">recently</a> for <a href=\"https://www.cloudflare.com/cio-week/updates/\">CIO Week</a>, there’s also a possible safety net for when even a well-trained user mistakes a bad link for a good one. Leveraging the <a href=\"https://www.cloudflare.com/products/zero-trust/browser-isolation/\">Cloudflare Browser Isolation</a> service, <a href=\"http://blog.cloudflare.com/area1-eli-ga/\">Email Link Isolation</a> turns Cloudflare’s <a href=\"https://www.cloudflare.com/zero-trust/products/email-security/\">cloud email security</a> into the most comprehensive <a href=\"https://www.cloudflare.com/zero-trust/solutions/email-security-services/\">solution</a> for protecting against phishing attacks that go beyond just email. It rewrites suspicious links so that they open in an isolated remote browser, keeps users vigilant by warning them that the destination is uncertain, and keeps any malware or browser exploit on that destination away from the user's device. Also, in true Cloudflare fashion, it’s a one-click deployment. Check the related <a href=\"http://blog.cloudflare.com/area1-eli-ga/\">blog post</a> to learn more.</p><p>That said, not all malicious links come from emails. 
If you're concerned about malicious links that may come through instant messaging or other communication tools (Slack, iMessage, Facebook, Instagram, WhatsApp, etc.), <a href=\"https://www.cloudflare.com/products/zero-trust/\">Zero Trust</a> and <a href=\"https://www.cloudflare.com/learning/access-management/what-is-browser-isolation/\">Remote Browser Isolation</a> are an effective way to go.</p><p>Another way to protect yourself from phishing attacks is to use <a href=\"https://www.cloudflare.com/learning/access-management/what-is-two-factor-authentication/\">two-factor authentication</a> (2FA). It works as an extra layer of security for user accounts, making it more difficult for attackers to gain unauthorized access: an attacker who has your password still needs the second factor to log in. </p><p>2FA with a code generated by a mobile app or sent via SMS (which is also exposed to SIM-swapping, or SIM-jacking, attacks) is an option, but a phishing site can simply ask for that code and relay it to the real site while it is still valid. The safest form of 2FA is a hardware security key using FIDO2/WebAuthn, which is tied to the genuine site: the credential is scoped to the site it was registered on, the browser only offers it there, and the signed response includes the page origin, so a look-alike domain cannot obtain a usable login. This is why Cloudflare has been keen to highlight that method, both <a href=\"http://blog.cloudflare.com/how-cloudflare-implemented-fido2-and-zero-trust/\">internally</a> and <a href=\"https://www.cloudflare.com/press-releases/2022/cloudflare-democratizes-hardware-security-keys/\">externally</a> and in our <a href=\"https://www.cloudflare.com/products/zero-trust/phishing-resistant-mfa/\">products</a>.</p><h3 id=\"conclusion-better-safe-than-sorry\">Conclusion: better safe than sorry</h3><p>As we saw, email is one of the most ubiquitous and also most exploited tools that businesses use every single day. Baiting users into clicking malicious links within an email has been a particularly long-standing tactic for the vast majority of bad actors, from the most sophisticated criminal organizations to the least experienced attackers. So, remember, when online:</p><p>Be cautious. 
Be <a href=\"https://www.cloudflare.com/products/zero-trust/email-security/\">prepared</a>. Be safe.</p><p>If you want to learn more about email security, you can visit our <a href=\"https://www.cloudflare.com/learning/email-security/what-is-email-security/\">Learning Center</a> or reach out for a complimentary phishing <a href=\"https://www.cloudflare.com/lp/emailsecurity/\">risk assessment</a> for your organization.</p>"],"comment_id":[0,"640ef49b806eee000a16ed07"],"feature_image":[0,"http://blog.cloudflare.com/content/images/2023/03/image3-7.png"],"featured":[0,false],"visibility":[0,"public"],"created_at":[0,"2023-03-13T10:02:03.000+00:00"],"updated_at":[0,"2024-03-27T15:39:28.000+00:00"],"published_at":[0,"2023-03-13T13:00:00.000+00:00"],"custom_excerpt":[0,"Phishing attacks come in all sorts of ways to fool people. Email is definitely the most common, but there are others. Following up on our \"Top 50 Most Impersonated Brands in Phishing Attacks\" post, here are some tips to help you catch these scams before you fall for them."],"codeinjection_head":[0,null],"codeinjection_foot":[0,null],"custom_template":[0,null],"canonical_url":[0,null],"authors":[1,[[0,{"id":[0,"614d9ee554b26702aab519e9"],"name":[0,"João Tomé"],"slug":[0,"joao-tome"],"profile_image":[0,"http://blog.cloudflare.com/content/images/2022/08/V0x3WKfJ_400x400-1.jpeg"],"cover_image":[0,null],"bio":[0,"After working as a journalist for years covering tech, Internet, cinema, sports (soccer/football), cars and mobility (had a TV show about it), I'm now telling data and other stories at Cloudflare."],"website":[0,null],"location":[0,"Lisbon, 
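The "How to stay safe from phishing" post above says hardware security keys are safe because they are tied to the genuine site, and it is worth seeing what that binding looks like on the relying-party side. The following Python script is an added example, not code from the post or from Cloudflare: it runs the server-side checks on a WebAuthn assertion's clientDataJSON and authenticatorData (ceremony type, challenge, origin, RP ID hash, user-presence flag) and returns the bytes the authenticator signed, leaving the final signature check against the stored public key to a crypto library. The relying party example.com, its allowed origins, the challenge and the look-alike origin login.examp1e.com are all assumptions constructed for the example; in practice a browser on examp1e.com would not even offer the example.com credential, and the origin check shown here is the server's backstop against any response minted elsewhere.

```python
"""
What makes a hardware security key phishing-resistant: the relying-party
checks on a WebAuthn assertion.

Added example, not code from the post. The browser only offers a credential on
the site whose RP ID it was registered for, and it writes the page origin into
clientDataJSON before the authenticator signs; the server then rejects any
response whose origin is not its own. RP_ID, ALLOWED_ORIGINS and all sample
data below are assumptions constructed for the example.
"""
import base64
import hashlib
import hmac
import json
import struct

RP_ID = "example.com"                                                   # assumed
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}  # assumed


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def parse_authenticator_data(auth_data: bytes) -> dict:
    """authenticatorData layout: rpIdHash (32) || flags (1) || signCount (4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & 0x01),
        "user_verified": bool(flags & 0x04),
        "sign_count": sign_count,
    }


def check_assertion(expected_challenge: bytes, client_data_json: bytes, auth_data: bytes) -> bytes:
    """Run the relying-party checks and return the bytes the authenticator signed,
    authenticatorData || SHA-256(clientDataJSON). Raises ValueError on any mismatch.
    Verifying the signature over the returned bytes with the stored public key is
    the last step and is left to a crypto library."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        raise ValueError("wrong ceremony type")
    if not hmac.compare_digest(b64url_decode(client.get("challenge", "")), expected_challenge):
        raise ValueError("challenge mismatch (stale or replayed request)")
    origin = client.get("origin")
    if origin not in ALLOWED_ORIGINS:
        # The phishing backstop: a look-alike page yields a different origin here.
        raise ValueError(f"origin {origin!r} is not the genuine site")
    parsed = parse_authenticator_data(auth_data)
    if not hmac.compare_digest(parsed["rp_id_hash"], hashlib.sha256(RP_ID.encode()).digest()):
        raise ValueError("rpIdHash does not match this relying party")
    if not parsed["user_present"]:
        raise ValueError("user presence flag not set")
    return auth_data + hashlib.sha256(client_data_json).digest()


def assertion_status(expected_challenge: bytes, client_data_json: bytes, auth_data: bytes) -> str:
    """'accepted', or 'rejected: <reason>' for the first failed check."""
    try:
        check_assertion(expected_challenge, client_data_json, auth_data)
        return "accepted"
    except ValueError as err:
        return f"rejected: {err}"


# --- Constructed sample data (not captured traffic) ---------------------------

def make_client_data(origin: str, challenge: bytes) -> bytes:
    """What a browser would produce on a page at `origin` for this challenge."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                       "origin": origin, "crossOrigin": False}).encode()


def make_auth_data(rp_id: str, sign_count: int = 7) -> bytes:
    """authenticatorData with the UP and UV flags set (0x05)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + struct.pack(">I", sign_count)


def demo() -> dict:
    challenge = bytes(range(32))        # constructed; a real server uses os.urandom(32)
    auth = make_auth_data(RP_ID)
    return {origin: assertion_status(challenge, make_client_data(origin, challenge), auth)
            for origin in ("https://login.example.com", "https://login.examp1e.com")}


if __name__ == "__main__":
    for origin, status in demo().items():
        print(f"{origin:30} {status}")
```

Contrast this with a one-time code from an app or SMS: the code carries no origin, so a phishing page can collect it and relay it to the real site, and the server has nothing to compare against. Here the origin and the challenge are inside the signed data, which is why the relay fails.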
Portugal"],"facebook":[0,null],"twitter":[0,"@emot"],"meta_title":[0,null],"meta_description":[0,null],"url":[0,"http://blog.cloudflare.com/author/joao-tome/"]}]]],"tags":[1,[[0,{"id":[0,"640ef4d0806eee000a16ed0f"],"name":[0,"#BLOG-1754"],"slug":[0,"hash-blog-1754"],"description":[0,null],"feature_image":[0,null],"visibility":[0,"internal"],"meta_title":[0,null],"meta_description":[0,null],"og_image":[0,null],"og_title":[0,null],"og_description":[0,null],"twitter_image":[0,null],"twitter_title":[0,null],"twitter_description":[0,null],"codeinjection_head":[0,null],"codeinjection_foot":[0,null],"canonical_url":[0,null],"accent_color":[0,null],"url":[0,"http://blog.cloudflare.com/404/"]}],[0,{"id":[0,"6057788c17ca5101ba6f1a7d"],"name":[0,"Security Week"],"slug":[0,"security-week"],"description":[0,null],"feature_image":[0,"http://blog.cloudflare.com/content/images/2024/03/image4-2.png"],"visibility":[0,"public"],"meta_title":[0,null],"meta_description":[0,null],"og_image":[0,null],"og_title":[0,null],"og_description":[0,null],"twitter_image":[0,null],"twitter_title":[0,null],"twitter_description":[0,null],"codeinjection_head":[0,null],"codeinjection_foot":[0,null],"canonical_url":[0,null],"accent_color":[0,null],"url":[0,"http://blog.cloudflare.com/tag/security-week/"]}],[0,{"id":[0,"5d16450341acde0011a951e0"],"name":[0,"Phishing"],"slug":[0,"phishing"],"description":[0,null],"feature_image":[0,null],"visibility":[0,"public"],"meta_title":[0,null],"meta_description":[0,null],"og_image":[0,null],"og_title":[0,null],"og_description":[0,null],"twitter_image":[0,null],"twitter_title":[0,null],"twitter_description":[0,null],"codeinjection_head":[0,null],"codeinjection_foot":[0,null],"canonical_url":[0,null],"accent_color":[0,null],"url":[0,"http://blog.cloudflare.com/tag/phishing/"]}],[0,{"id":[0,"5d16450341acde0011a95265"],"name":[0,"Security"],"slug":[0,"security"],"description":[0,null],"feature_image":[0,"http://blog.cloudflare.com/content/images/2020/10/Security.png"],
"visibility":[0,"public"],"meta_title":[0,"Cloudflare Blog: Security"],"meta_description":[0,"Collection of Cloudflare blog posts tagged 'Security'."],"og_image":[0,null],"og_title":[0,null],"og_description":[0,null],"twitter_image":[0,null],"twitter_title":[0,null],"twitter_description":[0,null],"codeinjection_head":[0,null],"codeinjection_foot":[0,null],"canonical_url":[0,null],"accent_color":[0,null],"url":[0,"http://blog.cloudflare.com/tag/security/"]}],[0,{"id":[0,"62b0238e3cc2c5000b0df36c"],"name":[0,"Cloud Email Security"],"slug":[0,"cloud-email-security"],"description":[0,"formerly Area 1 or Cloudflare Area 1 content"],"feature_image":[0,null],"visibility":[0,"public"],"meta_title":[0,null],"meta_description":[0,null],"og_image":[0,null],"og_title":[0,null],"og_description":[0,null],"twitter_image":[0,null],"twitter_title":[0,null],"twitter_description":[0,null],"codeinjection_head":[0,null],"codeinjection_foot":[0,null],"canonical_url":[0,null],"accent_color":[0,null],"url":[0,"http://blog.cloudflare.com/tag/cloud-email-security/"]}]]],"primary_author":[0,{"id":[0,"614d9ee554b26702aab519e9"],"name":[0,"João Tomé"],"slug":[0,"joao-tome"],"profile_image":[0,"http://blog.cloudflare.com/content/images/2022/08/V0x3WKfJ_400x400-1.jpeg"],"cover_image":[0,null],"bio":[0,"After working as a journalist for years covering tech, Internet, cinema, sports (soccer/football), cars and mobility (had a TV show about it), I'm now telling data and other stories at Cloudflare."],"website":[0,null],"location":[0,"Lisbon, Portugal"],"facebook":[0,null],"twitter":[0,"@emot"],"meta_title":[0,null],"meta_description":[0,null],"url":[0,"http://blog.cloudflare.com/author/joao-tome/"]}],"primary_tag":[0,null],"url":[0,"http://blog.cloudflare.com/stay-safe-phishing-attacks/"],"excerpt":[0,"Phishing attacks come in all sorts of ways to fool people. Email is definitely the most common, but there are others. 
Following up on our \"Top 50 Most Impersonated Brands in Phishing Attacks\" post, here are some tips to help you catch these scams before you fall for them."],"reading_time":[0,7],"access":[0,true],"comments":[0,false],"og_image":[0,"http://blog.cloudflare.com/content/images/2023/03/How-to-stay-safe-from-phishing--and-avoid-being-the-bait--OG-3.png"],"og_title":[0,null],"og_description":[0,null],"twitter_image":[0,"http://blog.cloudflare.com/content/images/2023/03/How-to-stay-safe-from-phishing--and-avoid-being-the-bait--OG-2.png"],"twitter_title":[0,null],"twitter_description":[0,null],"meta_title":[0,null],"meta_description":[0,"Phishing attacks come in all sorts of ways to fool people. Email is definitely the most common, but there are others. Following up on our \"Top 50 Most Impersonated Brands in Phishing Attacks\" post, here are some tips to help you catch these scams before you fall for them."],"email_subject":[0,null],"frontmatter":[0,null],"feature_image_alt":[0,null],"feature_image_caption":[0,null]}],[0,{"id":[0,"62f34ecade861a000a8dee39"],"uuid":[0,"78439995-cd4e-4d9e-924e-2b3c044ec196"],"title":[0,"2022 attacks! 
An August reading list to go “Shields Up”"],"slug":[0,"2022-attacks-an-august-reading-list-to-go-shields-up"],"html":[0,"<!--kg-card-begin: markdown--><p><em><small>This post is also available in <a href=\"http://blog.cloudflare.com/zh-cn/2022-attacks-an-august-reading-list-to-go-shields-up-zh-cn/\">简体中文</a>, <a href=\"http://blog.cloudflare.com/ja-jp/2022-attacks-an-august-reading-list-to-go-shields-up-ja-jp/\">日本語</a>, <a href=\"http://blog.cloudflare.com/de-de/2022-attacks-an-august-reading-list-to-go-shields-up-de-de/\">Deutsch</a>, <a href=\"http://blog.cloudflare.com/fr-fr/2022-attacks-an-august-reading-list-to-go-shields-up-fr-fr/\">Français</a>, and <a href=\"http://blog.cloudflare.com/2022-attacks-an-august-reading-list-to-go-shields-up-es-es/\">Español</a>.</small></em></p>\n<!--kg-card-end: markdown--><figure class=\"kg-card kg-image-card\"><img src=\"http://blog.cloudflare.com/content/images/2022/08/image4-2.png\" class=\"kg-image\" alt=\"2022 attacks! An August reading list to go “Shields Up”\" loading=\"lazy\"></figure><p>In 2022, <a href=\"https://www.cloudflare.com/learning/security/what-is-cyber-security/\">cybersecurity</a> is a must-have for those who don’t want to take chances on getting caught in a cyberattack with consequences that are difficult to deal with. 
And with a war in Europe (<a href=\"http://blog.cloudflare.com/tag/ukraine/\">Ukraine</a>) still going on, cyberwar also shows no signs of stopping, at a time when more people than ever are online: 4.95 billion in early 2022, 62.5% of the world’s total population (<a href=\"https://datareportal.com/reports/digital-2022-global-overview-report\">estimates</a> say the number grew around 4% during 2021 and <a href=\"https://datareportal.com/reports/digital-2021-global-overview-report\">7.3%</a> in 2020).</p><p>Throughout the year we, at Cloudflare, have been announcing new products, solutions and initiatives that highlight the way we have been <a href=\"https://www.cloudflare.com/learning/ddos/how-to-prevent-ddos-attacks/\">preventing</a>, mitigating and constantly learning, over the years, from several thousand small and large cyberattacks. Right now, we block an average of 124 billion cyber threats per day. The more we deal with attacks, the more we know how to stop them, and the easier it gets to find and deal with new threats — and for customers to forget we’re there, protecting them.</p><p>In 2022, we have been onboarding many customers while they’re being attacked, something we know well from the past (<a href=\"https://www.cloudflare.com/case-studies/wikimedia-foundation/\">Wikimedia/Wikipedia</a> or <a href=\"https://www.cloudflare.com/case-studies/eurovision/\">Eurovision</a> are just two case studies of <a href=\"https://www.cloudflare.com/case-studies\">many</a>, and last year there was a Fortune Global 500 company example we <a href=\"http://blog.cloudflare.com/ransom-ddos-attacks-target-a-fortune-global-500-company/\">wrote about</a>). 
Recently, we dealt with an SMS phishing attack and published a <a href=\"http://blog.cloudflare.com/2022-07-sms-phishing-attacks/\">rundown</a> of it.</p><p>Providing services for <a href=\"https://w3techs.com/technologies/overview/proxy/all\">almost 20%</a> of websites online, and to millions of Internet properties and customers using our global network in more than <a href=\"http://blog.cloudflare.com/new-cities-april-2022-edition/\">270 cities</a> (recently we arrived in <a href=\"http://blog.cloudflare.com/cloudflare-deployment-in-guam/\">Guam</a>), also plays a big role. For example, in Q1’22 Cloudflare blocked an average of 117 billion cyber threats each day (much more than in previous quarters).</p><p>Now that August is here, and many in the Northern Hemisphere are enjoying the summer and vacations, here is a reading list focused on cyberattacks that also serves, by itself, as a 2022 guide to this more relevant than ever area.</p><h2 id=\"war-cyberwar-attacks-increasing\">War &amp; Cyberwar: Attacks increasing</h2><p>But first, some context. There are all sorts of attacks, but generally speaking they have been increasing. To give some of our own data regarding <a href=\"http://blog.cloudflare.com/ddos-attack-trends-for-2022-q2/\">DDoS attacks in 2022 Q2</a>: application-layer attacks increased by 72% YoY (year over year) and network-layer DDoS attacks increased by 109% YoY.</p><p>The US government issued warnings back in March, after the war in Ukraine started, to everyone in the country but also to allies and partners, about the need to “enhance cybersecurity”. The US Cybersecurity and Infrastructure Security Agency (CISA) created the <a href=\"https://www.cisa.gov/shields-up\">Shields Up</a> initiative, given that “Russia’s invasion of Ukraine could impact organizations both within and beyond the region”. 
The <a href=\"http://blog.cloudflare.com/shields-up-free-cloudflare-services-to-improve-your-cyber-readiness/#:~:text=National%20Cyber%20Security%20Center\">UK</a> and <a href=\"https://www.meti.go.jp/press/2021/02/20220221003/20220221003.html\">Japan</a>, among others, also issued warnings.</p><p>That said, here are the first two, more general, reading list suggestions about attacks:</p><p><strong>Shields up: free Cloudflare services to improve your cyber readiness (</strong><a href=\"http://blog.cloudflare.com/shields-up-free-cloudflare-services-to-improve-your-cyber-readiness/\"><strong>✍️</strong></a><strong>)</strong><br>After the war started and governments released warnings, we published this <a href=\"http://blog.cloudflare.com/shields-up-free-cloudflare-services-to-improve-your-cyber-readiness/\">blog post</a> summing up the free Cloudflare services that improve cyber readiness. Whether you’re a seasoned IT professional or a novice website operator, you will find a variety of services for websites, apps, or APIs, including DDoS mitigation and protection for teams or even personal devices (from phones to routers). 
If this resonates with you, this announcement of a collaboration to simplify the adoption of Zero Trust for IT and security teams could also be useful: <a href=\"http://blog.cloudflare.com/cloudflare-crowdstrike-partnership/\">CrowdStrike’s endpoint security meets Cloudflare’s Zero Trust Services</a>.</p><p><strong>In Ukraine and beyond, what it takes to keep vulnerable groups online (</strong><a href=\"http://blog.cloudflare.com/in-ukraine-and-beyond-what-it-takes-to-keep-vulnerable-groups-online/\"><strong>✍️</strong></a><strong>)</strong><br>This <a href=\"http://blog.cloudflare.com/in-ukraine-and-beyond-what-it-takes-to-keep-vulnerable-groups-online/\">blog post</a> is focused on the eighth anniversary of our <a href=\"https://www.cloudflare.com/galileo/\">Project Galileo</a>, which has been helping human-rights, journalism and non-profit public interest organizations and groups. We highlight the trends of the past year, including the dozens of organizations related to <a href=\"http://blog.cloudflare.com/tag/Ukraine\">Ukraine</a> that were onboarded (many while being attacked) since the war started. 
Between July 2021 and May 2022, we blocked an average of nearly 57.9 million cyberattacks per day, an increase of nearly 10% over the previous year, for a total of 18 billion attacks.</p><p>In terms of attack methods against Galileo-protected organizations, the largest fraction (28%) of mitigated requests were classified as “HTTP Anomaly”, with 20% of mitigated requests tagged as <a href=\"https://www.cloudflare.com/learning/security/threats/sql-injection/\">SQL injection or SQLi attempts</a> (targeting databases) and nearly 13% as attempts to exploit specific <a href=\"https://www.cve.org/\">CVEs</a> (publicly disclosed cybersecurity vulnerabilities) — you can find more insights about those <a href=\"http://blog.cloudflare.com/tag/cve/\">here</a>, including the <a href=\"http://blog.cloudflare.com/waf-mitigations-spring4shell/\">Spring4Shell</a> vulnerability, <a href=\"http://blog.cloudflare.com/tag/log4j/\">Log4j</a> and the <a href=\"http://blog.cloudflare.com/cloudflare-customers-are-protected-from-the-atlassian-confluence-cve-2022-26134/\">Atlassian</a> one.</p><p>And now, without further ado, here’s the full reading list/attacks guide where we highlight some blog posts around four main topics:</p><h2 id=\"1-ddos-attacks-solutions\">1. 
DDoS attacks &amp; solutions </h2><figure class=\"kg-card kg-image-card kg-card-hascaption\"><img src=\"http://blog.cloudflare.com/content/images/2022/08/image5-2.png\" class=\"kg-image\" alt loading=\"lazy\"><figcaption>The most powerful botnet to date, <a href=\"http://blog.cloudflare.com/mantis-botnet/\">Mantis</a>.</figcaption></figure><p><strong>Cloudflare mitigates 26 million request per second DDoS attack (</strong><a href=\"http://blog.cloudflare.com/26m-rps-ddos/\"><strong>✍️</strong></a><strong>)</strong><br><a href=\"https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/\">Distributed Denial of Service (DDoS)</a> attacks are the bread and butter of <a href=\"https://portswigger.net/daily-swig/nation-state-threat-how-ddos-over-tcp-technique-could-amplify-attacks\">state-based</a> attacks, and we’ve been <a href=\"http://blog.cloudflare.com/deep-dive-cloudflare-autonomous-edge-ddos-protection/\">automatically</a> detecting and mitigating them. Regardless of which country initiates them, bots are all around the world, and <a href=\"http://blog.cloudflare.com/26m-rps-ddos/\">in this blog post</a> you can see a specific example of how big those attacks can be (in this case the attack targeted a customer website using Cloudflare’s Free plan). We named the botnet behind it, the most powerful to date, <a href=\"http://blog.cloudflare.com/mantis-botnet/\">Mantis</a>.</p><p>That said, we also explain that although most attacks are small, e.g. cyber vandalism, even small attacks can severely impact unprotected Internet properties.</p><p><strong>DDoS attack trends for 2022 Q2 (</strong><a href=\"http://blog.cloudflare.com/ddos-attack-trends-for-2022-q2/\"><strong>✍️</strong></a><strong>)</strong><br>We already mentioned how application-layer (72%) and network-layer (109%) attacks have been growing year over year — in the latter, attacks of 100 Gbps and larger increased by 8% QoQ, and attacks lasting more than 3 hours increased by 12% QoQ. 
<a href=\"http://blog.cloudflare.com/ddos-attack-trends-for-2022-q2/\"><strong>Here</strong></a> you can also find interesting trends, like how Broadcast Media companies in Ukraine were the most targeted by DDoS attacks in Q2 2022. In fact, the top five most attacked industries are all in online/Internet media, publishing, and broadcasting.</p><p><strong>Cloudflare customers on Free plans can now also get real-time DDoS alerts</strong><a href=\"http://blog.cloudflare.com/free-ddos-alerts/\"><strong> </strong></a><strong>(</strong><a href=\"http://blog.cloudflare.com/free-ddos-alerts/\"><strong>✍️</strong></a><strong>)</strong><br>A DDoS is a cyberattack that attempts to disrupt your online business and can target any type of Internet property, server, or network (whether it relies on <a href=\"http://blog.cloudflare.com/attacks-on-voip-providers/\">VoIP</a> servers, UDP-based gaming servers, or HTTP servers). That said, customers on our <a href=\"https://www.cloudflare.com/plans/free/\">Free plan</a> can now get real-time alerts about HTTP DDoS attacks that were automatically detected and mitigated by us.</p><p>One of the benefits of Cloudflare is that all of our services and features work together to protect your website and also improve its performance. Here are the top 3 tips from our specialist, <a href=\"http://blog.cloudflare.com/author/omer/\">Omer Yoachimik</a>, to leverage a <a href=\"https://www.cloudflare.com/plans/free/\">Cloudflare free account</a> (and configure your settings to deal with DDoS attacks more efficiently):</p><!--kg-card-begin: markdown--><ol>\n<li>\n<p>Put Cloudflare in front of your website:</p>\n<ul>\n<li><a href=\"https://developers.cloudflare.com/dns/zone-setups/full-setup/setup/\">Onboard your website to Cloudflare</a> and ensure all of your HTTP traffic routes through Cloudflare. 
Lock down your origin server, so it only accepts traffic from <a href=\"https://developers.cloudflare.com/fundamentals/get-started/setup/allow-cloudflare-ip-addresses/\">Cloudflare IPs</a>.</li>\n</ul>\n</li>\n<li>\n<p>Leverage Cloudflare’s free security features:</p>\n<ul>\n<li><strong>DDoS Protection</strong>: it’s enabled by default, and if needed you can also <a href=\"https://developers.cloudflare.com/ddos-protection/managed-rulesets/adjust-rules/false-negative/#incomplete-mitigations\">override the action to Block</a> for rules that have a different default value.</li>\n<li><strong>Security Level</strong>: this feature automatically issues challenges to requests that originate from IP addresses with low IP reputation. Ensure it's <a href=\"https://support.cloudflare.com/hc/en-us/articles/200170056-Understanding-the-Cloudflare-Security-Level\">set to Medium</a> at least.</li>\n<li><strong>Block bad bots</strong>: Cloudflare’s free tier of <a href=\"https://developers.cloudflare.com/bots/plans/free/\">bot protection</a> can help ward off simple bots (from cloud ASNs) and headless browsers by issuing a computationally expensive challenge.</li>\n<li><strong>Firewall rules</strong>: you can create up to five free <a href=\"https://developers.cloudflare.com/firewall/\">custom firewall rules</a> to block or challenge traffic that you never want to receive.</li>\n<li><strong>Managed Ruleset</strong>: in addition to your custom rules, enable Cloudflare’s <a href=\"https://developers.cloudflare.com/waf/managed-rulesets/\">Free Managed Ruleset</a> to protect against high and wide impacting vulnerabilities.</li>\n</ul>\n</li>\n<li>\n<p>Move your content to the cloud:</p>\n<ul>\n<li><a href=\"https://developers.cloudflare.com/cache/\">Cache</a> as much of your content as possible on the Cloudflare network. 
The fewer requests that hit your origin, the better — including unwanted traffic.</li>\n</ul>\n</li>\n</ol>\n<!--kg-card-end: markdown--><h2 id=\"2-application-level-attacks-waf\">2. Application level attacks &amp; WAF</h2><p><strong>Application security: Cloudflare’s view (<a href=\"http://blog.cloudflare.com/application-security/\">✍️</a>)</strong><br>Did you know that around 8% of all Cloudflare HTTP traffic is mitigated? That is something we explain in this March 2022 <a href=\"http://blog.cloudflare.com/application-security/\">blog post</a> on general application security trends. It means that overall, ~2.5 million requests per second are mitigated by our global network and never reach our caches or the origin servers, ensuring our customers’ bandwidth and compute power are only used for clean traffic.</p><p>You can also get a sense there of what the top mitigated traffic sources are — Layer 7 DDoS and custom WAF (<a href=\"https://www.cloudflare.com/learning/ddos/glossary/web-application-firewall-waf/\">Web Application Firewall</a>) rules are at the top — and of what the most common attacks are. Other highlights include that at that time 38% of the HTTP traffic we saw was automated (right now the number is actually lower, 31% — current trends can be seen on <a href=\"https://radar.cloudflare.com/\">Radar</a>), and that SQLi, already mentioned in the Galileo context, is the most common attack vector on API endpoints.</p><p><strong>WAF for everyone: protecting the web from high severity vulnerabilities (</strong><a href=\"http://blog.cloudflare.com/waf-for-everyone/\"><strong>✍️</strong></a><strong>)</strong><br>This <a href=\"http://blog.cloudflare.com/waf-for-everyone/\">blog post</a> shares a relevant announcement that goes hand in hand with Cloudflare’s mission to \"help build a better Internet\" and that includes giving some level of protection even at no cost (something that also helps us get better at preventing and mitigating attacks). 
So, since March we have been providing a Cloudflare WAF Managed Ruleset that runs by default on all FREE zones, free of charge. <br><br>On this topic, there has also been a growing number of client-side security threats that concern CIOs and security professionals, which we mentioned when we gave, in December, all paid plans access to <a href=\"http://blog.cloudflare.com/page-shield-generally-available/\">Page Shield features</a> (last <a href=\"http://blog.cloudflare.com/making-page-shield-malicious-code-alerts-more-actionable/\">month</a> we made Page Shield malicious code alerts more actionable). Another example is how we detect <a href=\"http://blog.cloudflare.com/detecting-magecart-style-attacks-for-pageshield/\">Magecart-style attacks</a>, which have impacted large organizations like <a href=\"https://www.bbc.co.uk/news/technology-54568784\">British Airways</a> and <a href=\"https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/11/ico-fines-ticketmaster-uk-limited-125million-for-failing-to-protect-customers-payment-details/\">Ticketmaster</a>, resulting in substantial GDPR fines in both cases.</p><h2 id=\"3-phishing-area-1-\">3. Phishing (Area 1) </h2><p><strong>Why we are acquiring Area 1 (</strong><a href=\"http://blog.cloudflare.com/why-we-are-acquiring-area-1/\"><strong>✍️</strong></a><strong>)</strong><br>Phishing remains the primary way to breach organizations. According to <a href=\"https://www.cisa.gov/stopransomware/general-information\">CISA</a>, 90% of cyber attacks begin with it. And, in a recent report, the <a href=\"https://www.ic3.gov/Media/Y2022/PSA220504\">FBI</a> referred to Business Email Compromise as the $43 billion problem facing organizations.</p><p>In late February it was announced that Cloudflare had agreed to acquire Area 1 Security to help organizations combat <a href=\"https://www.cloudflare.com/learning/email-security/what-is-email-fraud/\">advanced email attacks and phishing campaigns</a>. 
Our <a href=\"http://blog.cloudflare.com/why-we-are-acquiring-area-1/\">blog post</a><strong> </strong>explains that “Area 1’s team has built exceptional cloud-native technology to protect businesses from email-based security threats”. So, all that technology and expertise has been integrated since then with our global network to give customers the most complete Zero Trust security platform available.<br><br><strong>The mechanics of a sophisticated phishing scam and how we stopped it (</strong><a href=\"http://blog.cloudflare.com/2022-07-sms-phishing-attacks/\"><strong>✍️</strong></a><strong>)</strong><br>What’s in a message? Possibly a sophisticated attack targeting employees and systems. On August 8, 2022, Twilio shared that they’d been compromised by a targeted SMS phishing attack. We saw an attack with very similar characteristics also targeting Cloudflare’s employees. <a href=\"http://blog.cloudflare.com/2022-07-sms-phishing-attacks/\">Here</a>, we do a rundown on how we were able to thwart the attack that could have breached most organizations, by using our Cloudflare One products, and physical security keys. And how others can do the same. No Cloudflare systems were compromised.</p><p>Our <a href=\"http://blog.cloudflare.com/introducing-cloudforce-one-threat-operations-and-threat-research/\">Cloudforce One</a> threat intelligence team dissected the attack and assisted in tracking down the attacker.</p><figure class=\"kg-card kg-image-card\"><img src=\"http://blog.cloudflare.com/content/images/2022/08/image3-6.png\" class=\"kg-image\" alt loading=\"lazy\"></figure><p><strong>Introducing browser isolation for email links to stop modern phishing threats (</strong><a href=\"http://blog.cloudflare.com/email-link-isolation/\"><strong>✍️</strong></a><strong>)</strong><br>Why do humans <a href=\"https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7005690/\">still click</a> on malicious links? 
It seems that it’s easier to do than most people think (“human error is human”). <a href=\"http://blog.cloudflare.com/email-link-isolation/\">Here</a> we explain how an organization nowadays can't truly have a <a href=\"https://www.cloudflare.com/learning/security/glossary/what-is-zero-trust/\">Zero Trust security posture</a> without securing email, an application that end users implicitly trust and whose inherent trust threat actors take advantage of.</p><p>As part of our journey to integrate Area 1 into our broader Zero Trust suite, Cloudflare Gateway customers can enable <a href=\"https://www.cloudflare.com/learning/access-management/what-is-browser-isolation/\">Remote Browser Isolation</a> for email links. With that, we now give an unmatched level of protection from modern multi-channel email-based attacks. While we’re at it, you can also learn <a href=\"http://blog.cloudflare.com/replace-your-email-gateway-with-area-1/\">how to replace your email gateway with Cloudflare Area 1</a>.</p><p>About <a href=\"http://blog.cloudflare.com/account-compromise-security-overview/\"><strong>account takeovers</strong></a>, we explained back in March 2021 how we prevent account takeovers on our own applications (on the phishing side, at the time we were already using Area 1 as a customer).</p><p>Also from last year, <a href=\"http://blog.cloudflare.com/research-directions-in-password-security/\">here’s</a> our research in <strong>password security </strong>(and the problem of password reuse) — it gets technical. There’s a new password-related protocol called OPAQUE (<a href=\"https://opaque-full.research.cloudflare.com/\">we added a new demo about it in January 2022</a>), which our research team is excited about, that lets a server verify a password without ever seeing it, so the password never has to be stored or transmitted in a recoverable form.</p><h2 id=\"4-malware-ransomware-other-risks\">4. 
Malware/Ransomware &amp; other risks</h2><p><strong>How Cloudflare Security does Zero Trust (</strong><a href=\"http://blog.cloudflare.com/how-cloudflare-security-does-zero-trust/\"><strong>✍️</strong></a><strong>)</strong><br>Security is more than ever part of an ecosystem: the more robust it is, the more effective it is at avoiding or mitigating attacks. In this <a href=\"http://blog.cloudflare.com/how-cloudflare-security-does-zero-trust/\">blog post</a> written for our <a href=\"https://www.cloudflare.com/cloudflare-one-week/\">Cloudflare One week</a>, we explain how that ecosystem, in this case inside our Zero Trust services, can give protection from malware, ransomware, phishing, command &amp; control, shadow IT, and other Internet risks over all ports and protocols.</p><p>Since 2020, when we launched <a href=\"http://blog.cloudflare.com/announcing-antivirus-in-cloudflare-gateway/\">Cloudflare Gateway</a>, we have focused on malware detection and prevention directly from the Cloudflare edge. Recently, we also added our new <a href=\"https://www.cloudflare.com/products/zero-trust/casb/\">CASB</a> product (to secure workplace tools, personalize access, and secure sensitive data).</p><figure class=\"kg-card kg-image-card\"><img src=\"http://blog.cloudflare.com/content/images/2022/08/image1-14.png\" class=\"kg-image\" alt loading=\"lazy\"></figure><p><strong>Anatomy of a Targeted Ransomware Attack (</strong><a href=\"http://blog.cloudflare.com/targeted-ransomware-attack/\"><strong>✍️</strong></a><strong>)</strong><br>What a ransomware attack looks like for the victim:</p><blockquote><em>“Imagine your most critical systems suddenly stop operating. And then someone demands a ransom to get your systems working again. Or someone launches a DDoS against you and demands a ransom to make it stop. 
That’s the world of ransomware and ransom DDoS.”</em></blockquote><p>Ransomware attacks continue <a href=\"https://www.kroll.com/en/insights/publications/cyber/ransomware-attack-trends-2020\">to be on the rise</a> and there’s no sign of them slowing down in the near future. That was true more than a year ago, when this <a href=\"http://blog.cloudflare.com/targeted-ransomware-attack/\">blog post</a> was written, and it is still true <a href=\"https://www.fitchratings.com/research/corporate-finance/ransomware-growing-cyber-risk-for-us-corporates-financials-govt-27-04-2022\">today</a>: ransomware is up 105% YoY according to a March 2022 Senate Committee report. And the nature of ransomware attacks is changing. Here, we highlight how <a href=\"https://www.cloudflare.com/learning/ddos/ransom-ddos-attack/\">Ransom DDoS (RDDoS)</a> attacks work, how Cloudflare onboarded and <a href=\"http://blog.cloudflare.com/ransom-ddos-attacks-target-a-fortune-global-500-company/\">protected</a> a Fortune 500 customer from a targeted one, and how the <a href=\"http://blog.cloudflare.com/announcing-antivirus-in-cloudflare-gateway/\">Gateway with antivirus</a> we mentioned before helps with just that.</p><p>We also show that with ransomware as a service (<a href=\"https://www.crowdstrike.com/cybersecurity-101/ransomware/ransomware-as-a-service-raas/\">RaaS</a>) models, it’s even easier for inexperienced threat actors to get their hands on ransomware today (“RaaS is essentially a franchise that allows criminals to rent ransomware from malware authors”). We also include some general recommendations to help you and your organization stay secure. Don’t want to click the link? Here they are:</p><ul><li>Use 2FA everywhere, especially on your remote access entry points. 
This is where Cloudflare Access really helps.</li><li>Maintain multiple redundant backups of critical systems and data, both onsite and offsite</li><li>Monitor and block malicious domains using Cloudflare Gateway + AV</li><li>Sandbox web browsing activity using Cloudflare RBI to isolate threats at the browser</li></ul><figure class=\"kg-card kg-image-card\"><img src=\"http://blog.cloudflare.com/content/images/2022/08/image2-7.png\" class=\"kg-image\" alt loading=\"lazy\"></figure><p><strong>Investigating threats using the Cloudflare Security Center (</strong><a href=\"http://blog.cloudflare.com/security-center-investigate/\"><strong>✍️</strong></a><strong>)</strong><br><a href=\"http://blog.cloudflare.com/security-center-investigate/\">Here</a>, first we announce our new threat investigations portal, <em>Investigate</em>, right in the Cloudflare Security Center, that allows all customers to query directly our intelligence to streamline security workflows and tighten feedback loops.</p><p>That’s only possible because we have a global and in-depth view, given that we <a href=\"https://www.cloudflare.com/products/zero-trust/threat-defense/\">protect millions of Internet properties from attacks</a> (the free plans help us to have that insight). 
And the data we glean from these attacks trains our machine learning models and improves the efficacy of our network and <a href=\"https://www.cloudflare.com/application-services/solutions/\">application security products</a>.</p><p><strong>Steps we've taken around Cloudflare's services in Ukraine, Belarus, and Russia (</strong><a href=\"http://blog.cloudflare.com/steps-taken-around-cloudflares-services-in-ukraine-belarus-and-russia/\"><strong>✍️</strong></a><strong>)</strong><br>Attacks using what is known as <a href=\"https://en.wikipedia.org/wiki/Wiper_(malware)\">wiper</a> malware (intended to erase the computer it infects) have emerged, and in this <a href=\"http://blog.cloudflare.com/steps-taken-around-cloudflares-services-in-ukraine-belarus-and-russia/\">blog post</a>, among other things, we explain how, when a wiper malware was identified in Ukraine (it took government agencies and a major bank offline), we successfully adapted our Zero Trust products to make sure our customers were protected. Those protections cover many Ukrainian organizations under our <a href=\"http://blog.cloudflare.com/in-ukraine-and-beyond-what-it-takes-to-keep-vulnerable-groups-online/\">Project Galileo</a>, which is having a busy year, and they were automatically made available to all our customers. More recently, the satellite provider Viasat was <a href=\"https://techcrunch.com/2022/05/10/russia-viasat-cyberattack/\">affected</a>.</p><p><strong>Zaraz use Workers to make third-party tools secure and fast (</strong><a href=\"http://blog.cloudflare.com/zaraz-use-workers-to-make-third-party-tools-secure-and-fast/\"><strong>✍️</strong></a><strong>)</strong><br>Cloudflare announced it had acquired <a href=\"http://blog.cloudflare.com/cloudflare-acquires-zaraz-to-enable-cloud-loading-of-third-party-tools/\">Zaraz</a> in December 2021 to enable cloud loading of third-party tools. Seems unrelated to attacks? Think again (this takes us back to the secure ecosystem I already mentioned). 
Among other things, <a href=\"http://blog.cloudflare.com/zaraz-use-workers-to-make-third-party-tools-secure-and-fast/\"><strong>here</strong></a> you can learn how Zaraz can make your website more secure (and faster) by offloading third-party scripts.</p><p>That helps avoid problems and attacks. Which ones? From code tampering to losing control over the data sent to third parties. My colleague <a href=\"http://blog.cloudflare.com/author/yoav/\">Yo'av Moshe</a> elaborates on what this solution prevents: “the third-party script can intentionally or unintentionally (due to being hacked) collect information it shouldn't collect, like credit card numbers, Personal Identifiers Information (PIIs), etc.”. You should definitely avoid those.</p><p><strong>Introducing Cloudforce One: our new threat operations and research team (</strong><a href=\"http://blog.cloudflare.com/introducing-cloudforce-one-threat-operations-and-threat-research/\"><strong>✍️</strong></a><strong>)</strong><br><a href=\"http://blog.cloudflare.com/introducing-cloudforce-one-threat-operations-and-threat-research/\">Meet</a> our new threat operations and research team: <strong>Cloudforce One</strong>. While this team will publish research, that’s not its reason for being. Its primary objective: track and disrupt threat actors. It’s all about keeping customers protected against a steady flow of threats with minimal to no involvement on their part.</p><h2 id=\"wrap-up\">Wrap up</h2><p>The expression “if it ain't broke, don't fix it” doesn’t seem to apply to the fast-paced Internet industry, where attacks are also on the fast track. If you or your company and services aren’t properly protected, attackers (humans or bots) will probably find you sooner rather than later (maybe they already have).</p><p>To end on a popular quote used in books, movies and in life: “You keep knocking on the devil's door long enough and sooner or later someone's going to answer you”. 
Although we have been onboarding many organizations while attacks are happening, that’s not the least painful approach: it is better to prevent and mitigate effectively and forget the protection is even there.</p><p>If you want to try some of the security features mentioned, the <a href=\"https://www.cloudflare.com/securitycenter/\">Cloudflare Security Center</a> is a good place to start (free plans included). The same goes for our <a href=\"https://www.cloudflare.com/plans/zero-trust-services/\">Zero Trust ecosystem</a> (or <a href=\"https://www.cloudflare.com/cloudflare-one/\">Cloudflare One</a>, our <a href=\"https://www.cloudflare.com/learning/access-management/what-is-sase/\">SASE</a>, Secure Access Service Edge), which is available as self-serve and also includes a free plan (this vendor-agnostic <a href=\"https://zerotrustroadmap.org/\">roadmap</a> shows the general advantages of the Zero Trust architecture).</p><p>If trends are more your thing, <a href=\"https://radar.cloudflare.com/\">Cloudflare Radar</a> has a near real-time dedicated area about attacks, and you can browse and interact with our <a href=\"https://radar.cloudflare.com/notebooks/ddos-2022-q2\">DDoS attack trends for 2022 Q2</a> report.</p>"],"comment_id":[0,"62f34ecade861a000a8dee39"],"feature_image":[0,"http://blog.cloudflare.com/content/images/2022/08/image4-1.png"],"featured":[0,false],"visibility":[0,"public"],"created_at":[0,"2022-08-10T07:23:06.000+01:00"],"updated_at":[0,"2024-03-14T14:52:35.000+00:00"],"published_at":[0,"2022-08-11T14:00:00.000+01:00"],"custom_excerpt":[0,"In 2022, cybersecurity, more than ever, is a must-have for those who don’t want to take chances on getting caught in a cyberattack with difficult to deal with consequences. 
Here’s a reading list what you need to know about attacks that is also a guide on how to be protected"],"codeinjection_head":[0,null],"codeinjection_foot":[0,null],"custom_template":[0,null],"canonical_url":[0,null],"authors":[1,[[0,{"id":[0,"614d9ee554b26702aab519e9"],"name":[0,"João Tomé"],"slug":[0,"joao-tome"],"profile_image":[0,"http://blog.cloudflare.com/content/images/2022/08/V0x3WKfJ_400x400-1.jpeg"],"cover_image":[0,null],"bio":[0,"After working as a journalist for years covering tech, Internet, cinema, sports (soccer/football), cars and mobility (had a TV show about it), I'm now telling data and other stories at Cloudflare."],"website":[0,null],"location":[0,"Lisbon, Portugal"],"facebook":[0,null],"twitter":[0,"@emot"],"meta_title":[0,null],"meta_description":[0,null],"url":[0,"http://blog.cloudflare.com/author/joao-tome/"]}]]],"tags":[1,[[0,{"id":[0,"62f34ee7de861a000a8dee47"],"name":[0,"#BLOG-1289"],"slug":[0,"hash-blog-1289"],"description":[0,null],"feature_image":[0,null],"visibility":[0,"internal"],"meta_title":[0,null],"meta_description":[0,null],"og_image":[0,null],"og_title":[0,null],"og_description":[0,null],"twitter_image":[0,null],"twitter_title":[0,null],"twitter_description":[0,null],"codeinjection_head":[0,null],"codeinjection_foot":[0,null],"canonical_url":[0,null],"accent_color":[0,null],"url":[0,"http://blog.cloudflare.com/404/"]}],[0,{"id":[0,"62bdbea0c9d4a0000af821c1"],"name":[0,"Reading 
List"],"slug":[0,"reading-list"],"description":[0,null],"feature_image":[0,null],"visibility":[0,"public"],"meta_title":[0,null],"meta_description":[0,null],"og_image":[0,null],"og_title":[0,null],"og_description":[0,null],"twitter_image":[0,null],"twitter_title":[0,null],"twitter_description":[0,null],"codeinjection_head":[0,null],"codeinjection_foot":[0,null],"canonical_url":[0,null],"accent_color":[0,null],"url":[0,"http://blog.cloudflare.com/tag/reading-list/"]}],[0,{"id":[0,"5d16450341acde0011a95265"],"name":[0,"Security"],"slug":[0,"security"],"description":[0,null],"feature_image":[0,"http://blog.cloudflare.com/content/images/2020/10/Security.png"],"visibility":[0,"public"],"meta_title":[0,"Cloudflare Blog: Security"],"meta_description":[0,"Collection of Cloudflare blog posts tagged 'Security'."],"og_image":[0,null],"og_title":[0,null],"og_description":[0,null],"twitter_image":[0,null],"twitter_title":[0,null],"twitter_description":[0,null],"codeinjection_head":[0,null],"codeinjection_foot":[0,null],"canonical_url":[0,null],"accent_color":[0,null],"url":[0,"http://blog.cloudflare.com/tag/security/"]}],[0,{"id":[0,"5d16450341acde0011a95169"],"name":[0,"Attacks"],"slug":[0,"attacks"],"description":[0,null],"feature_image":[0,null],"visibility":[0,"public"],"meta_title":[0,null],"meta_description":[0,null],"og_image":[0,null],"og_title":[0,null],"og_description":[0,null],"twitter_image":[0,null],"twitter_title":[0,null],"twitter_description":[0,null],"codeinjection_head":[0,null],"codeinjection_foot":[0,null],"canonical_url":[0,null],"accent_color":[0,null],"url":[0,"http://blog.cloudflare.com/tag/attacks/"]}],[0,{"id":[0,"5d16450341acde0011a951e3"],"name":[0,"DDoS"],"slug":[0,"ddos"],"description":[0,null],"feature_image":[0,null],"visibility":[0,"public"],"meta_title":[0,null],"meta_description":[0,null],"og_image":[0,null],"og_title":[0,null],"og_description":[0,null],"twitter_image":[0,null],"twitter_title":[0,null],"twitter_description":[0,null],"codeinject
ion_head":[0,null],"codeinjection_foot":[0,null],"canonical_url":[0,null],"accent_color":[0,null],"url":[0,"http://blog.cloudflare.com/tag/ddos/"]}],[0,{"id":[0,"5fb41aff44c1c901bc48ac72"],"name":[0,"Ransom Attacks"],"slug":[0,"ransom-attacks"],"description":[0,null],"feature_image":[0,null],"visibility":[0,"public"],"meta_title":[0,null],"meta_description":[0,null],"og_image":[0,null],"og_title":[0,null],"og_description":[0,null],"twitter_image":[0,null],"twitter_title":[0,null],"twitter_description":[0,null],"codeinjection_head":[0,null],"codeinjection_foot":[0,null],"canonical_url":[0,null],"accent_color":[0,null],"url":[0,"http://blog.cloudflare.com/tag/ransom-attacks/"]}],[0,{"id":[0,"5d16450341acde0011a951e0"],"name":[0,"Phishing"],"slug":[0,"phishing"],"description":[0,null],"feature_image":[0,null],"visibility":[0,"public"],"meta_title":[0,null],"meta_description":[0,null],"og_image":[0,null],"og_title":[0,null],"og_description":[0,null],"twitter_image":[0,null],"twitter_title":[0,null],"twitter_description":[0,null],"codeinjection_head":[0,null],"codeinjection_foot":[0,null],"canonical_url":[0,null],"accent_color":[0,null],"url":[0,"http://blog.cloudflare.com/tag/phishing/"]}]]],"primary_author":[0,{"id":[0,"614d9ee554b26702aab519e9"],"name":[0,"João Tomé"],"slug":[0,"joao-tome"],"profile_image":[0,"http://blog.cloudflare.com/content/images/2022/08/V0x3WKfJ_400x400-1.jpeg"],"cover_image":[0,null],"bio":[0,"After working as a journalist for years covering tech, Internet, cinema, sports (soccer/football), cars and mobility (had a TV show about it), I'm now telling data and other stories at Cloudflare."],"website":[0,null],"location":[0,"Lisbon, Portugal"],"facebook":[0,null],"twitter":[0,"@emot"],"meta_title":[0,null],"meta_description":[0,null],"url":[0,"http://blog.cloudflare.com/author/joao-tome/"]}],"primary_tag":[0,null],"url":[0,"http://blog.cloudflare.com/2022-attacks-an-august-reading-list-to-go-shields-up/"],"excerpt":[0,"In 2022, cybersecurity, 
more than ever, is a must-have for those who don’t want to take chances on getting caught in a cyberattack with difficult to deal with consequences. Here’s a reading list what you need to know about attacks that is also a guide on how to be protected"],"reading_time":[0,12],"access":[0,true],"comments":[0,false],"og_image":[0,"http://blog.cloudflare.com/content/images/2022/08/2022-attacks--An-August-reading-list-to-go-Shields-Up-OG-1.png"],"og_title":[0,null],"og_description":[0,null],"twitter_image":[0,"http://blog.cloudflare.com/content/images/2022/08/2022-attacks--An-August-reading-list-to-go-Shields-Up-OG.png"],"twitter_title":[0,null],"twitter_description":[0,null],"meta_title":[0,null],"meta_description":[0,"In 2022, cybersecurity, more than ever, is a must-have for those who don’t want to take chances on getting caught in a cyberattack with difficult to deal with consequences. Here’s a reading list what you need to know about attacks that is also a guide on how to be protected."],"email_subject":[0,null],"frontmatter":[0,null],"feature_image_alt":[0,null],"feature_image_caption":[0,null]}],[0,{"id":[0,"62f27978bc3891000abd9426"],"uuid":[0,"4a95888e-e417-4946-ba6a-4705c1e67e20"],"title":[0,"The mechanics of a sophisticated phishing scam and how we stopped it"],"slug":[0,"2022-07-sms-phishing-attacks"],"html":[0,"<!--kg-card-begin: markdown--><p><em><small>This post is also available in <a href=\"http://blog.cloudflare.com/zh-cn/2022-07-sms-phishing-attacks-zh-cn/\">简体中文</a>, <a href=\"http://blog.cloudflare.com/ja-jp/2022-07-sms-phishing-attacks-ja-jp/\">日本語</a>, <a href=\"http://blog.cloudflare.com/es-es/2022-07-sms-phishing-attacks-es-es/\">Español</a>, <a href=\"http://blog.cloudflare.com/ru-ru/2022-07-sms-phishing-attacks-ru-ru/\">Pусский</a> and <a href=\"http://blog.cloudflare.com/pl-pl/2022-07-sms-phishing-attacks-pl-pl/\">Polski</a>.</small></em></p>\n<!--kg-card-end: markdown--><figure class=\"kg-card kg-image-card\"><img 
src=\"http://blog.cloudflare.com/content/images/2022/08/unnamed-1.png\" class=\"kg-image\" alt=\"The mechanics of a sophisticated phishing scam and how we stopped it\" loading=\"lazy\"></figure><p>Yesterday, August 8, 2022, Twilio shared that they’d been <a href=\"https://www.twilio.com/blog/august-2022-social-engineering-attack\">compromised by a targeted phishing attack</a>. Around the same time as Twilio was attacked, we saw an attack with very similar characteristics also targeting Cloudflare’s employees. While individual employees did fall for the phishing messages, we were able to thwart the attack through our own use of <a href=\"https://www.cloudflare.com/cloudflare-one/\">Cloudflare One products</a>, and physical security keys issued to every employee that are required to access all our applications. </p><p>We have confirmed that no Cloudflare systems were compromised. Our <a href=\"http://blog.cloudflare.com/introducing-cloudforce-one-threat-operations-and-threat-research/\">Cloudforce One threat intelligence team</a> was able to perform additional analysis to further dissect the mechanism of the attack and gather critical evidence to assist in tracking down the attacker.</p><p>This was a sophisticated attack targeting employees and systems in such a way that we believe most organizations would be likely to be breached. Given that the attacker is targeting multiple organizations, we wanted to share here a rundown of exactly what we saw in order to help other companies recognize and mitigate this attack.</p><h2 id=\"targeted-text-messages\">Targeted Text Messages</h2><p>On July 20, 2022, the Cloudflare Security team received reports of employees receiving legitimate-looking text messages pointing to what appeared to be a Cloudflare Okta login page. The messages began at 2022-07-20 22:50 UTC. Over the course of less than 1 minute, at least 76 employees received text messages on their personal and work phones. 
Some messages were also sent to the employees’ family members. We have not yet been able to determine how the attacker assembled the list of employees’ phone numbers, but we have reviewed access logs to our employee directory services and have found no sign of compromise.</p><p>Cloudflare runs a 24x7 Security Incident Response Team (SIRT). Every Cloudflare employee is trained to report anything that is suspicious to the SIRT. More than 90 percent of the reports to SIRT turn out to not be threats. Employees are encouraged to report anything and never discouraged from over-reporting. In this case, however, the reports to SIRT described a real threat.</p><p>The text messages received by employees looked like this:</p><figure class=\"kg-card kg-image-card\"><img src=\"http://blog.cloudflare.com/content/images/2022/08/image3-5.png\" class=\"kg-image\" alt loading=\"lazy\"></figure><p>They came from four phone numbers associated with T-Mobile-issued SIM cards: (754) 268-9387, (205) 946-7573, (754) 364-6683 and (561) 524-5989. They pointed to an official-looking domain: cloudflare-okta.com. That domain had been registered via Porkbun, a domain registrar, at 2022-07-20 22:13:04 UTC — less than 40 minutes before the phishing campaign began.</p><p>Cloudflare built our <a href=\"https://www.cloudflare.com/products/registrar/custom-domain-protection/\">secure registrar product</a> in part to be able to monitor when domains using the Cloudflare brand were registered and get them shut down. However, because this domain was registered so recently, it had not yet been published as a new .com registration, so our systems did not detect its registration and our team had not yet moved to terminate it.</p><p>Clicking the link led to a phishing page. 
The phishing page was hosted on DigitalOcean and looked like this:</p><figure class=\"kg-card kg-image-card\"><img src=\"http://blog.cloudflare.com/content/images/2022/08/image1-13.png\" class=\"kg-image\" alt loading=\"lazy\"></figure><p>Cloudflare uses Okta as our identity provider. The phishing page was designed to look identical to a legitimate Okta login page. The phishing page prompted anyone who visited it for their username and password.</p><h2 id=\"real-time-phishing\">Real-Time Phishing</h2><p>We were able to analyze the payload of the <a href=\"https://www.cloudflare.com/learning/email-security/what-is-email-security/\">phishing attack</a> based on what our employees received, as well as on its content being posted to services like VirusTotal by other companies that had been attacked. When a victim completed the phishing page, the credentials were immediately relayed to the attacker via the messaging service Telegram. This real-time relay was important because the phishing page would also prompt for a Time-based One Time Password (TOTP) code.</p><p>Presumably, the attacker would receive the credentials in real time, enter them in the victim company’s actual login page, and, for many organizations, that would trigger a code sent to the employee via SMS or displayed in an authenticator app. The employee would then enter the TOTP code on the phishing site, and it too would be relayed to the attacker. The attacker could then, before the TOTP code expired (typically a 30-second step plus whatever drift the verifier tolerates), use it to access the company’s actual login page — defeating most two-factor authentication implementations that rely on a code the user types in.</p><figure class=\"kg-card kg-image-card\"><img src=\"http://blog.cloudflare.com/content/images/2022/08/image2-6.png\" class=\"kg-image\" alt loading=\"lazy\"></figure><h2 id=\"protected-even-if-not-perfect\">Protected Even If Not Perfect</h2><p>We confirmed that three Cloudflare employees fell for the phishing message and entered their credentials. However, Cloudflare does not use TOTP codes. 
Instead, every employee at the company is issued a FIDO2-compliant security key from a vendor like YubiKey. Since the hard keys are tied to users and implement <a href=\"https://www.yubico.com/blog/creating-unphishable-security-key/\">origin binding</a>, the key's response is valid only for the origin the browser is actually on: an assertion produced on cloudflare-okta.com cannot be replayed against the real login page, so even a sophisticated, real-time phishing operation like this cannot gather the information necessary to log in to any of our systems. While the attacker attempted to log in to our systems with the compromised username and password credentials, they could not get past the hard key requirement.</p><p>But this phishing page was not simply after credentials and TOTP codes. If someone made it past those steps, the phishing page then initiated the download of a phishing payload which included AnyDesk’s remote access software. That software, if installed, would allow an attacker to control the victim’s machine remotely. We confirmed that none of our team members got to this step. If they had, however, our endpoint security would have stopped the installation of the remote access software.</p><h2 id=\"how-did-we-respond\">How Did We Respond?</h2><p>The main response actions we took for this incident were:</p><h3 id=\"1-block-the-phishing-domain-using-cloudflare-gateway\">1. Block the phishing domain using Cloudflare Gateway</h3><p>Cloudflare Gateway is a <a href=\"https://www.cloudflare.com/learning/access-management/what-is-a-secure-web-gateway/\">Secure Web Gateway</a> solution providing threat and data protection with DNS / HTTP filtering and natively-integrated <a href=\"https://www.cloudflare.com/learning/security/glossary/what-is-zero-trust/\">Zero Trust</a>. We use this solution internally to proactively identify malicious domains and block them. 
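<p>The two second factors compared in the sections above behave very differently against a real-time relay. The following added example (written for this page; it is not Cloudflare, Okta or YubiKey code) simulates both: an RFC 6238 TOTP verifier, against which a relayed code is accepted as long as the attacker replays it within the verifier's drift window, and a simplified WebAuthn-style assertion in which the browser, not the page, records the origin, so the relying party rejects anything the key signed while the user was on cloudflare-okta.com. The relying-party hostname sso.example.com, the HMAC standing in for the key's asymmetric signature, and the seeds and challenge values are assumptions for illustration.</p>

```python
# Added example (not Cloudflare, Okta or YubiKey code): why a real-time relay
# defeats typed TOTP codes but not an origin-bound FIDO2/WebAuthn assertion.
import hashlib
import hmac
import json
import struct

STEP = 30  # TOTP time step in seconds (RFC 6238 default)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    # RFC 4226 HOTP over the RFC 6238 time counter, SHA-1 as in most deployments.
    counter = struct.pack('>Q', unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack('>I', mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    # Verifiers usually accept one step of drift either side; that slack is
    # exactly what a relay attacker needs.
    return any(hmac.compare_digest(totp(secret, unix_time + d * STEP), code)
               for d in range(-window, window + 1))


def relay_totp_attack(secret: bytes, victim_time: int, delay_s: int) -> bool:
    # The victim types the current code into the phishing page; the attacker
    # receives it (via Telegram in the real campaign) and replays it against
    # the real identity provider delay_s seconds later.
    stolen = totp(secret, victim_time)
    return verify_totp(secret, stolen, victim_time + delay_s)


# Simplified WebAuthn: the key signs over SHA-256(rpId) and SHA-256(clientDataJSON).
def key_sign(key_secret: bytes, rp_id: str, client_data: str) -> bytes:
    # Assumption: HMAC stands in for the authenticator's asymmetric signature.
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    client_hash = hashlib.sha256(client_data.encode()).digest()
    return hmac.new(key_secret, rp_id_hash + client_hash, hashlib.sha256).digest()


def browser_authenticate(key_secret: bytes, page_origin: str, challenge: str) -> dict:
    # The browser derives rpId from the effective domain of the page the user is
    # really on; a page at cloudflare-okta.com gets rpId cloudflare-okta.com
    # no matter what the phishing kit asks for, and it writes the origin itself.
    rp_id = page_origin.split('://', 1)[1]
    client_data = json.dumps({'type': 'webauthn.get', 'challenge': challenge,
                              'origin': page_origin}, sort_keys=True)
    return {'rp_id': rp_id, 'client_data': client_data,
            'signature': key_sign(key_secret, rp_id, client_data)}


def rp_verify(key_secret: bytes, origin: str, rp_id: str, challenge: str, a: dict) -> bool:
    # The relying party checks type, origin, challenge and rpIdHash, then the signature.
    cd = json.loads(a['client_data'])
    if cd.get('type') != 'webauthn.get' or cd.get('origin') != origin:
        return False
    if cd.get('challenge') != challenge or a['rp_id'] != rp_id:
        return False
    expected = key_sign(key_secret, rp_id, a['client_data'])
    return hmac.compare_digest(expected, a['signature'])


RP_ORIGIN = 'https://sso.example.com'   # hypothetical real login page
RP_ID = 'sso.example.com'
PHISH_ORIGIN = 'https://cloudflare-okta.com'  # the domain used in the campaign


def relay_webauthn_attack(key_secret: bytes, challenge: str) -> bool:
    # The attacker forwards the real challenge to the phishing page in real
    # time; the victim's key signs it, but bound to the phishing origin.
    stolen = browser_authenticate(key_secret, PHISH_ORIGIN, challenge)
    return rp_verify(key_secret, RP_ORIGIN, RP_ID, challenge, stolen)


def legit_webauthn_login(key_secret: bytes, challenge: str) -> bool:
    a = browser_authenticate(key_secret, RP_ORIGIN, challenge)
    return rp_verify(key_secret, RP_ORIGIN, RP_ID, challenge, a)


if __name__ == '__main__':
    seed, key, t = b'constructed-totp-seed', b'constructed-key-secret', 1658357400
    print('TOTP relayed within 10 s:', relay_totp_attack(seed, t, 10))   # True
    print('TOTP relayed after 120 s:', relay_totp_attack(seed, t, 120))  # False
    print('WebAuthn relayed:', relay_webauthn_attack(key, 'nonce-1'))    # False
    print('WebAuthn legitimate:', legit_webauthn_login(key, 'nonce-1'))  # True
```

<p>Note that an attacker who rewrites the origin field in the relayed client data gains nothing: the key's signature covers the original client data, so the rewritten copy fails the signature check instead of the origin check. That is the property the post calls origin binding.</p>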
Our team added the malicious domain to Cloudflare Gateway to block all employees from accessing it.</p><p>Gateway’s automatic detection of malicious domains also identified the domain and blocked it, but the fact that it was registered and messages were sent within such a short interval of time meant that the system hadn’t automatically taken action before some employees had clicked on the links. Given this incident, we are working to speed up how quickly malicious domains are identified and blocked. We’re also implementing controls on access to newly registered domains, which we offer to customers but had not implemented ourselves.</p><h3 id=\"2-identify-all-impacted-cloudflare-employees-and-reset-compromised-credentials\">2. Identify all impacted Cloudflare employees and reset compromised credentials</h3><p>We were able to compare recipients of the phishing texts to login activity and identify threat-actor attempts to authenticate to our employee accounts. We identified login attempts blocked by the hard key (U2F) requirement, indicating that the correct password was used but the second factor could not be verified. For the three employees whose credentials were leaked, we reset their credentials, revoked any active sessions and initiated scans of their devices.</p><h3 id=\"3-identify-and-take-down-threat-actor-infrastructure\">3. Identify and take down threat-actor infrastructure</h3><p>The threat actor's phishing domain was newly registered via Porkbun, and hosted on DigitalOcean. The phishing domain used to target Cloudflare was set up less than an hour before the initial phishing wave. The site had a Nuxt.js frontend and a Django backend. We worked with DigitalOcean to shut down the attacker’s server. 
We also worked with Porkbun to seize control of the malicious domain.</p><p>From the failed sign-in attempts we were able to determine that the threat actor was using Mullvad VPN software and, distinctively, the Google Chrome browser on a Windows 10 machine. The VPN IP addresses used by the attacker were 198.54.132.88 and 198.54.135.222. Those IPs are assigned to Tzulo, a US-based dedicated server provider whose website claims they have servers located in Los Angeles and Chicago. It appears, however, that the first was running on a server in the Toronto area and the latter on a server in the Washington, DC area. We blocked these IPs from accessing any of our services.</p><h3 id=\"4-update-detections-to-identify-any-subsequent-attack-attempts\">4. Update detections to identify any subsequent attack attempts</h3><p>With what we were able to uncover about this attack, we incorporated additional signals into our existing detections to specifically identify this threat actor. At the time of writing we have not observed any additional waves targeting our employees. However, intelligence from the server indicated the attacker was targeting other organizations, including Twilio. We reached out to these other organizations and shared intelligence on the attack.</p><h3 id=\"5-audit-service-access-logs-for-any-additional-indications-of-attack\">5. Audit service access logs for any additional indications of attack</h3><p>Following the attack, we screened all our system logs for any additional fingerprints from this particular attacker. Since Cloudflare Access serves as the central control point for all Cloudflare applications, we can search the logs for any indication the attacker may have breached any systems. Given that employees’ phones were targeted, we also carefully reviewed the logs of our employee directory providers. 
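<p>Steps 2, 3 and 5 above come down to one log correlation: take the list of people who received the text, the attacker's VPN exit addresses, and the identity provider's authentication log, and find the accounts where a correct password was followed by a refused second factor. The following added example (written for this page, not Cloudflare's tooling) does that over a constructed log. The attacker IPs and campaign start time are the ones given in the post; the log format, the user names and every log line are constructed for the example.</p>

```python
# Added example (not Cloudflare code): triage a constructed IdP log for
# accounts whose password was captured, using the campaign indicators above.
from datetime import datetime, timedelta, timezone

ATTACKER_IPS = {'198.54.132.88', '198.54.135.222'}   # VPN exits named in the post
CAMPAIGN_START = datetime(2022, 7, 20, 22, 50, tzinfo=timezone.utc)
SMS_RECIPIENTS = {'alice', 'bob', 'carol', 'dave'}    # constructed recipient list
PAIR_WINDOW = timedelta(minutes=5)  # max gap between password and second-factor events

# Constructed log: '<iso-timestamp> user=<id> src=<ip> event=<name> [factor=<f>]'
AUTH_LOG = '''
2022-07-20T22:57:41Z user=alice src=198.54.132.88 event=password_ok
2022-07-20T22:57:43Z user=alice src=198.54.132.88 event=mfa_failed factor=webauthn
2022-07-20T23:02:10Z user=bob src=198.54.135.222 event=password_ok
2022-07-20T23:02:12Z user=bob src=198.54.135.222 event=mfa_failed factor=webauthn
2022-07-20T23:05:00Z user=carol src=203.0.113.7 event=password_failed
2022-07-20T23:09:30Z user=erin src=198.54.132.88 event=password_failed
2022-07-21T08:15:00Z user=dave src=203.0.113.9 event=password_ok
2022-07-21T08:15:02Z user=dave src=203.0.113.9 event=mfa_ok factor=webauthn
'''


def parse_log(text: str) -> list:
    events = []
    for line in text.strip().splitlines():
        ts, rest = line.split(' ', 1)
        e = dict(kv.split('=', 1) for kv in rest.split())
        e['ts'] = datetime.fromisoformat(ts.replace('Z', '+00:00'))
        events.append(e)
    return sorted(events, key=lambda e: e['ts'])


def triage(text: str) -> dict:
    events = [e for e in parse_log(text) if e['ts'] >= CAMPAIGN_START]
    leaked, touched, breached = set(), set(), set()
    pending = {}  # (user, src) -> time of a password_ok awaiting its second factor
    for e in events:
        user, src, kind = e['user'], e['src'], e['event']
        if src in ATTACKER_IPS:
            touched.add(user)  # any contact from attacker infrastructure
        if kind == 'password_ok':
            pending[(user, src)] = e['ts']
        elif kind == 'mfa_failed':
            started = pending.pop((user, src), None)
            # Correct password, second factor refused: the password is in the
            # attacker's hands if the source or the target matches the campaign.
            if started and e['ts'] - started <= PAIR_WINDOW and (
                    src in ATTACKER_IPS or user in SMS_RECIPIENTS):
                leaked.add(user)
        elif kind == 'mfa_ok':
            pending.pop((user, src), None)
            if src in ATTACKER_IPS:
                breached.add(user)  # would mean the key requirement was bypassed
    return {'credentials_leaked': sorted(leaked),
            'attacker_touched': sorted(touched),
            'possible_breach': sorted(breached)}


if __name__ == '__main__':
    for name, users in triage(AUTH_LOG).items():
        print('%-20s %s' % (name, ', '.join(users) or '(none)'))
```

<p>Accounts in credentials_leaked get the password reset, session revocation and device scan described in step 2; attacker_touched is the wider set worth a closer look even where the password was wrong; possible_breach should be empty, and anything in it is an incident in its own right.</p>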
We did not find any evidence of compromise.</p><h2 id=\"lessons-learned-and-additional-steps-we-re-taking\">Lessons Learned and Additional Steps We’re Taking</h2><p>We learn from every attack. Even though the attacker was not successful, we are making additional adjustments based on what we’ve learned. We’re adjusting the settings for Cloudflare Gateway to restrict or sandbox access to sites running on domains that were registered within the last 24 hours. We will also run any sites not on our allow list whose names contain terms such as “cloudflare”, “okta”, “sso” and “2fa” through our <a href=\"https://www.cloudflare.com/learning/access-management/what-is-browser-isolation/\">browser isolation technology</a>. We are also increasingly using <a href=\"https://www.cloudflare.com/products/zero-trust/email-security/\">Cloudflare Area 1’s phish-identification technology</a> to scan the web and look for any pages that are designed to target Cloudflare. Finally, we’re tightening up our Access implementation to prevent any logins from unknown VPNs, residential proxies, and infrastructure providers. All of these are standard features of the same products we offer to customers.</p><p>The attack also reinforced the importance of three things we’re doing well. First, requiring hard keys for access to all applications. <a href=\"https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/\">Like Google</a>, we have not seen any successful phishing attacks since rolling out hard keys. Tools like Cloudflare Access made it easy to support hard keys even across legacy applications. If you’re an organization interested in how we rolled out hard keys, reach out to <a href=\"mailto:cloudforceone-irhelp@cloudflare.com\">cloudforceone-irhelp@cloudflare.com</a> and our security team would be happy to share the best practices we learned through this process.</p><p>Second, using Cloudflare’s own technology to protect our employees and systems. 
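<p>The two Gateway controls described under lessons learned, a newly-registered-domain rule and brand-term isolation for anything not on the allow list, fit in a small decision function. The following added example (written for this page; it is not Cloudflare Gateway code or configuration) evaluates such a policy over constructed DNS log lines. The registration time for cloudflare-okta.com is the one given in the post; the allow list, the other domains and their registration dates, and the log format are constructed, and the last-two-labels domain split is a simplification that a real implementation would replace with the Public Suffix List.</p>

```python
# Added example (not Cloudflare Gateway code): a newly-registered-domain plus
# brand-term policy, evaluated over constructed DNS log lines.
from datetime import datetime, timedelta, timezone

ALLOW_LIST = {'cloudflare.com', 'okta.com', 'sso.example.com'}  # constructed
BRAND_TERMS = ('cloudflare', 'okta', 'sso', '2fa')               # terms from the post
NEW_DOMAIN_AGE = timedelta(hours=24)                             # window from the post

# Constructed registration timestamps standing in for an RDAP/WHOIS feed. The
# cloudflare-okta.com time is the one given in the post; the others are made up.
REGISTERED_AT = {
    'cloudflare-okta.com': datetime(2022, 7, 20, 22, 13, 4, tzinfo=timezone.utc),
    'okta-sso-check.example': datetime(2019, 3, 1, tzinfo=timezone.utc),
    'news.example': datetime(2012, 6, 1, tzinfo=timezone.utc),
}


def registrable_domain(host: str) -> str:
    # Simplification (assumption): last two labels. Production code would use
    # the Public Suffix List so that suffixes like co.uk are handled.
    return '.'.join(host.lower().rstrip('.').split('.')[-2:])


def decide(host: str, seen_at: datetime) -> tuple:
    # Returns (verdict, reason). Allow-listed apexes are never isolated even
    # though their names contain brand terms; everything else is checked for
    # registration age first, then for look-alike terms.
    apex = registrable_domain(host)
    if apex in ALLOW_LIST:
        return ('allow', 'allow-listed domain')
    registered = REGISTERED_AT.get(apex)
    if registered is not None and seen_at - registered < NEW_DOMAIN_AGE:
        return ('block', 'registered %s ago' % (seen_at - registered))
    if any(term in host.lower() for term in BRAND_TERMS):
        return ('isolate', 'brand or auth term in non-allow-listed host')
    return ('allow', 'no policy matched')


def parse_log(text: str) -> list:
    # Constructed format: '<iso-timestamp> user=<id> host=<fqdn>'
    events = []
    for line in text.strip().splitlines():
        ts, rest = line.split(' ', 1)
        fields = dict(kv.split('=', 1) for kv in rest.split())
        fields['seen_at'] = datetime.fromisoformat(ts.replace('Z', '+00:00'))
        events.append(fields)
    return events


def evaluate(text: str) -> list:
    # One (user, host, verdict, reason) tuple per log line.
    return [(e['user'], e['host']) + decide(e['host'], e['seen_at'])
            for e in parse_log(text)]


SAMPLE_LOG = '''
2022-07-20T22:51:12Z user=alice host=cloudflare-okta.com
2022-07-20T22:52:40Z user=bob host=dash.cloudflare.com
2022-07-20T22:53:05Z user=carol host=login.okta-sso-check.example
2022-07-20T22:54:30Z user=dave host=www.news.example
'''

if __name__ == '__main__':
    for user, host, verdict, reason in evaluate(SAMPLE_LOG):
        print('%-6s %-32s %-8s %s' % (user, host, verdict, reason))
```

<p>The order of the checks matters: the allow list must be consulted before the brand-term rule, or the company's own login page would be isolated, and the age check must not depend on the term list, since the phishing domain in this incident would have been caught by age alone 38 minutes after registration.</p>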
Cloudflare One’s solutions like Access and Gateway were critical to staying ahead of this attack. We configured our Access implementation to require hard keys for every application. Access also provides a central logging location for all application authentications and, if ever necessary, a place from which we can kill the sessions of a potentially compromised employee. Gateway lets us block malicious sites like this one quickly and understand which employees may have fallen for the attack. These are all functionalities that we make available to Cloudflare customers as part of our Cloudflare One suite, and this attack demonstrates how effective they can be.</p><p>Third, having a paranoid but blame-free culture is critical for security. The three employees who fell for the phishing scam were not reprimanded. We’re all human and we make mistakes. It’s critically important that when we do, we report them and don’t cover them up. This incident provided another example of why security is part of every Cloudflare team member’s job.</p><h2 id=\"detailed-timeline-of-events\">Detailed Timeline of Events</h2><!--kg-card-begin: markdown--><style type=\"text/css\">\n.tg {border-collapse:collapse;border-spacing:0;}\n.tg td{border-color:black;border-style:solid;border-width:1px;font-family:Arial, sans-serif;font-size:14px;\n overflow:hidden;padding:10px 5px;word-break:normal;}\n.tg th{border-color:black;border-style:solid;border-width:1px;font-family:Arial, sans-serif;font-size:14px;\n font-weight:normal;overflow:hidden;padding:10px 5px;word-break:normal;}\n.tg .tg-0lax{text-align:left;v