CloudFlare Phishing Email Campaign “Confirmation data changes”

Today, I received on one of my email addresses a CloudFlare phishing email, “CLOUDFLARE.COM. domain.com: Confirmation data changes”.

As you can see in the above screenshot, the phishing email claims that your CloudFlare account has exceeded the available load limit and that the account will be blocked if you don’t adapt the rate plan of the account.

The malicious link “https://cloudflare.com/login/?user=9647dec8-7e4c-40d6-bf15-43e3bd9233d3” was redirecting to “http://cloudflare.com.login.9437dec8-7e4c-40d6-bf15-43e3bd9226d3.alert-cloudflare.com.swteh.ru/login.php?domain=zataz.com” hosted on 77.222.41.100 (Russian SpaceWeb.ru Hosting Provider – AS44112).

I found another malicious link on a Russian forum:

“http://cloudflare.com.login.1647dec1-1e4c-50d6-bf15-43e4bd9133d9.alert-cloudflare.com.swteh.ru/login.php?domain=xxxxx.com”, located on the same server.
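Both landing URLs put “cloudflare.com” at the left of the hostname while the domain that is actually registered is the rightmost part, swteh.ru. The following is an added example, not part of the original post, of a mail-filter style check for that pattern; the function names are hypothetical, and taking the last two labels as the registrable domain is a simplifying assumption (production code should use the Public Suffix List).

```python
from urllib.parse import urlsplit

BRAND = "cloudflare.com"  # the brand's real registrable domain, from the post


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels of the hostname.
    Assumption for this example; suffixes such as co.uk need the
    Public Suffix List to be handled correctly."""
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def classify(url: str, brand: str = BRAND) -> str:
    """Return 'legitimate', 'brand-in-subdomain', 'brand-in-label' or 'unrelated'."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        return "unrelated"
    if registrable_domain(host) == brand:
        return "legitimate"
    labels = host.split(".")
    brand_labels = brand.split(".")
    n = len(brand_labels)
    # Brand labels appear as a consecutive run to the left of the real
    # domain, e.g. cloudflare.com.login.<id>.<other-domain>
    for i in range(len(labels) - n + 1):
        if labels[i:i + n] == brand_labels:
            return "brand-in-subdomain"
    # Brand name embedded inside a single label, e.g. alert-cloudflare
    if any(brand_labels[0] in label for label in labels):
        return "brand-in-label"
    return "unrelated"


SAMPLES = [
    # The two URLs quoted in the post
    "https://cloudflare.com/login/?user=9647dec8-7e4c-40d6-bf15-43e3bd9233d3",
    "http://cloudflare.com.login.9437dec8-7e4c-40d6-bf15-43e3bd9226d3"
    ".alert-cloudflare.com.swteh.ru/login.php?domain=zataz.com",
    # Constructed samples for the remaining cases
    "http://alert-cloudflare.example/login.php",
    "http://example.org/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{classify(url):20} {url}")
```

Run over mail or proxy logs, anything other than `legitimate` or `unrelated` is worth a closer look before the link is delivered or followed.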

In the email headers we can see that the phishing email was sent by “grafias.lunarpages.com”, hosted on 216.97.235.15 in the US.

CloudFlare users alerted the CloudFlare team through a post in the support forum, and an alert was then raised to all CloudFlare customers.