CloudFlare Phishing Email Campaign “Confirmation data changes”
Today, I received on one of my email addresses a CloudFlare phishing email “CLOUDFLARE.COM. domain.com: Confirmation data changes”.
As you can see in the screenshot above, the phishing email claims that your CloudFlare account has exceeded the available load limit and that the account will be blocked if you do not adapt the account's rate plan.
The malicious link “https://cloudflare.com/login/?user=9647dec8-7e4c-40d6-bf15-43e3bd9233d3” redirected to “http://cloudflare.com.login.9437dec8-7e4c-40d6-bf15-43e3bd9226d3.alert-cloudflare.com.swteh.ru/login.php?domain=zataz.com”, hosted on 18.104.22.168 (SpaceWeb.ru, a Russian hosting provider, AS44112). Note the hostname trick: the registrable domain of the landing page is swteh.ru, and everything in front of it (“cloudflare.com.login.…alert-cloudflare.com”) is just a subdomain chosen to look like a CloudFlare login URL in the browser's address bar.
I found another malicious link on a Russian forum:
“http://cloudflare.com.login.1647dec1-1e4c-50d6-bf15-43e4bd9133d9.alert-cloudflare.com.swteh.ru/login.php?domain=xxxxx.com” located on the same server.
In the email headers we can see that the phishing email was sent by “grafias.lunarpages.com”, hosted on 22.214.171.124 in the US.
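The two checks this post relies on, pulling the real landing hostname out of a link and the first-hop host out of the Received header, as an added Python example that is not part of the original post. The message below is constructed for the example: the URLs, the sending host and its IP are the ones quoted above, while the remaining headers, the date and the body wording are assumptions, and the mail is modelled as an anchor whose visible text is the cloudflare.com URL and whose href is the swteh.ru landing page (the post only says that the one redirected to the other). The suffix list and the list of protected brands are simplified stand-ins for the Public Suffix List and a real brand inventory. The check generalises beyond this one mail: any protected brand appearing in a label of a host whose registrable domain the brand does not own is flagged.

```python
"""Triage of a brand-impersonation phishing mail: where do the links really land,
and which host handed the message to us? (Added example, constructed input.)"""
import email
import re
from email import policy
from typing import Optional
from urllib.parse import urlparse

# Suffixes under which the registrable name is the third label. A small stand-in
# for the Public Suffix List; use the real list in production.
SECOND_LEVEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp", "com.br"}

# Brands we protect, mapped to the domains that may legitimately carry them (assumed).
PROTECTED_BRANDS = {"cloudflare": {"cloudflare.com"}}

ANCHOR_RE = re.compile(r'<a\s[^>]*?href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\([^)]*?\[([0-9a-fA-F.:]+)\]", re.I)

# Constructed sample modelled on the mail in the post. URLs, sending host and IP are
# the ones quoted there; date, recipient, From address and body text are made up.
RAW_EMAIL = b"""Received: from grafias.lunarpages.com (grafias.lunarpages.com [22.214.171.124])
\tby mx.example.net with ESMTP id abc123; Mon, 1 Jan 2024 10:00:00 +0000
From: CloudFlare <support@cloudflare.com>
To: victim@zataz.com
Subject: CLOUDFLARE.COM. zataz.com: Confirmation data changes
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account has exceeded the limit load available. Update your rate plan
or the account will be blocked.</p>
<p><a href="http://cloudflare.com.login.9437dec8-7e4c-40d6-bf15-43e3bd9226d3.alert-cloudflare.com.swteh.ru/login.php?domain=zataz.com">https://cloudflare.com/login/?user=9647dec8-7e4c-40d6-bf15-43e3bd9233d3</a></p>
</body></html>
"""


def registrable_domain(hostname: str) -> str:
    """Return the part of the hostname that its owner actually registered."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_abuse(hostname: str) -> Optional[str]:
    """Name the protected brand found in a subdomain label of a host the brand does not own."""
    reg = registrable_domain(hostname)
    for brand, owned in PROTECTED_BRANDS.items():
        if reg in owned:
            continue
        if any(brand in label for label in hostname.lower().split(".")):
            return brand
    return None


def check_link(href: str, text: str) -> dict:
    """Compare where a link claims to go (its visible text) with where it really goes (href)."""
    landing = urlparse(href).hostname or ""
    shown = urlparse(text.strip()).hostname or ""  # only meaningful when the text is itself a URL
    landing_domain = registrable_domain(landing) if landing else ""
    shown_domain = registrable_domain(shown) if shown else ""
    abused = brand_abuse(landing) if landing else None
    mismatch = bool(shown_domain) and shown_domain != landing_domain
    return {
        "href": href,
        "landing_host": landing,
        "landing_domain": landing_domain,
        "shown_domain": shown_domain,
        "brand_abuse": abused,
        "suspicious": mismatch or abused is not None,
    }


def analyze_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and report the first-hop sender plus per-link findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Received headers are prepended hop by hop, so the bottom-most one is the earliest
    # hop. Anything below the header your own MX wrote can be forged by the sender.
    received = [str(h) for h in msg.get_all("Received", [])]
    sending_host, sending_ip = None, None
    if received:
        m = RECEIVED_RE.search(received[-1])
        if m:
            sending_host, sending_ip = m.group(1), m.group(2)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    links = [check_link(href, text) for href, text in ANCHOR_RE.findall(html)]
    return {
        "subject": str(msg["Subject"]),
        "from": str(msg["From"]),
        "sending_host": sending_host,
        "sending_ip": sending_ip,
        "links": links,
    }


if __name__ == "__main__":
    report = analyze_message(RAW_EMAIL)
    print(f"sent by {report['sending_host']} [{report['sending_ip']}]")
    for link in report["links"]:
        print(f"shown as {link['shown_domain'] or '?'} but lands on "
              f"{link['landing_domain']} (brand abuse: {link['brand_abuse']}) "
              f"-> suspicious={link['suspicious']}")
```

Two things the output makes visible that the mail hides: the landing page belongs to swteh.ru, not to CloudFlare, and the first relay that accepted the message is grafias.lunarpages.com rather than anything under cloudflare.com. For the sending host, trust only the Received header added by a relay you operate; the hops below it are under the sender's control.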