Beware of New Phishing Attack that Abuses Cloudflare and ZenDesk Pages to Steal Logins

A sophisticated phishing campaign has emerged, exploiting the trust placed in legitimate cloud hosting services.

Threat actors are leveraging Cloudflare Pages and ZenDesk platforms to conduct large-scale credential theft operations targeting unsuspecting users.

The campaign demonstrates a concerning trend where established infrastructure services become vectors for social engineering attacks.

Security researchers have identified over 600 malicious domains registered under the *.pages[.]dev domain structure, representing a significant coordinated effort.

These threat actors employ typosquatting techniques to impersonate customer support portals for well-known brands. By registering domains that closely resemble legitimate services, attackers create a convincing facade that lowers users' defenses before any direct engagement takes place.
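The typosquatting pattern described above lends itself to a simple watch-list check on proxy or DNS logs. The following Python is an added example, not code from the article or from EclecticIQ's research: it flags *.pages.dev project names that combine a brand name (or a one-character misspelling of one) with a support-style lure word, and runs that check over a few constructed log lines. The brand list, the lure words and the `url=` log format are assumptions.

```python
import re
from urllib.parse import urlparse
# Constructed watch-list of brands, plus the support words the campaign pairs with them.
BRANDS = ("paypal", "microsoft", "zendesk", "cloudflare", "netflix")
SUPPORT_WORDS = {"support", "help", "helpdesk", "service", "care", "desk", "portal"}
HOSTED_SUFFIX = ".pages.dev"
def levenshtein(a, b):
    """Plain edit distance; labels are short, so the full table is cheap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host):
    """Return (brand, reason) when a *.pages.dev project label imitates a brand, else None."""
    host = host.lower().rstrip(".")
    if not host.endswith(HOSTED_SUFFIX):
        return None  # only Pages projects are in scope for this check
    label = host[: -len(HOSTED_SUFFIX)].split(".")[-1]  # project name directly under pages.dev
    tokens = [t for t in re.split(r"[-_]", label) if t]
    lure = any(t in SUPPORT_WORDS for t in tokens)
    for brand in BRANDS:
        for tok in tokens:
            if tok == brand:
                return brand, "brand plus support lure" if lure else "brand in project label"
            if len(tok) >= 5 and levenshtein(tok, brand) == 1:  # one-character slip, e.g. micros0ft
                return brand, "typosquat of brand"
    return None

def scan_proxy_log(lines):
    """Extract the url= field from each proxy line and classify its host."""
    hits = []
    for line in lines:
        m = re.search(r"url=(\S+)", line)
        host = urlparse(m.group(1)).hostname if m else None
        verdict = classify_host(host) if host else None
        if verdict:
            hits.append((host, *verdict))
    return hits

# Constructed sample proxy lines (not from the article); only the first two should fire.
SAMPLE_LOG = [
    "2024-05-01T09:12:03Z client=10.0.0.5 url=https://paypal-support.pages.dev/login",
    "2024-05-01T09:12:41Z client=10.0.0.7 url=https://micros0ft-helpdesk.pages.dev/",
    "2024-05-01T09:13:10Z client=10.0.0.9 url=https://my-photo-blog.pages.dev/",
    "2024-05-01T09:13:55Z client=10.0.0.5 url=https://www.paypal.com/signin",
]
```

Legitimate Pages projects that happen to carry a brand name will also match, so treat hits as triage candidates rather than automatic blocks.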

Arda Büyükkaya, a cyber threat intelligence analyst at EclecticIQ, identified and documented this ongoing phishing infrastructure after noting the suspicious pattern across multiple domains.

The attack methodology combines social engineering with technical sophistication, revealing how adversaries continue evolving their techniques to circumvent traditional security awareness.

The Infection and Social Engineering Mechanism

The phishing pages themselves are generated using artificial intelligence, creating convincing but ultimately malicious content. Each page includes an embedded live chat interface staffed by human operators who engage directly with victims.

These operators maintain the deception by requesting phone numbers and email addresses under the guise of providing technical support assistance.

Once sufficient personal information has been gathered, operators instruct victims to install Rescue, a legitimate remote monitoring tool that becomes dangerous once it is installed at the attackers' direction.

This installation grants attackers full remote access to the victim’s device, enabling them to harvest sensitive data and account credentials at will.

The threat actors also abuse Google Site Verification and Microsoft Bing Webmaster tokens for SSO poisoning, further expanding their attack surface.

Their primary objective remains financially motivated account takeover and fraud, positioning this campaign as a serious threat to enterprise and individual users alike.
