Phishing Campaign Targets Cloudflare Pages and Zendesk to Mimic Support Portals

Cybercriminals are leveraging trusted platforms and human trust to launch sophisticated phishing attacks, highlighting the need for user education and proactive security


Published: November 5, 2025

Nicole Willing

A new phishing campaign is targeting customer support channels by abusing Cloudflare Pages and Zendesk, showing that even well-protected platforms can be manipulated.

Arda Büyükkaya, Cyber Threat Intelligence Analyst at EclecticIQ, has warned that threat actors have registered more than 600 *.pages[.]dev domains, using typosquatting to mimic legitimate customer support portals for popular brands.

Typosquatting is a technique in which attackers deliberately register domain names that are slight misspellings or variations of legitimate company web addresses, to trick users into thinking they are visiting the correct site. For example, a domain like zendeskcupport.pages[.]dev could be used to impersonate Zendesk’s official support portal while relying on users to overlook the subtle typo.

The phishing pages are “very likely AI generated and include an embedded live chat interface, staffed by a human operator who asks victims [their] phone number and email address under the pretext of providing technical assistance,” Büyükkaya explained in a post on X (formerly Twitter).

“The attacker then instructs victims to install a legitimate remote monitoring tool (Rescue), which grants them full remote access to the device.”

The goal appears to be stealing sensitive information and taking over accounts for financial gain.

Büyükkaya tagged Cloudflare in the post, calling on the company to resolve the vulnerability.

Zendesk, which manages billions of customer interactions worldwide, has long worked with Cloudflare to protect its infrastructure.

Cloudflare has helped Zendesk handle large-scale security events in the past, including the global HTTP/2 Rapid Reset zero-day vulnerability, which affected AWS and Google Cloud servers. During that incident, Cloudflare reportedly blocked more than 201 million malicious requests per second, keeping Zendesk services unaffected.

But the current phishing campaign highlights a different challenge. While Cloudflare protects infrastructure and filters out automated threats, it cannot prevent attackers from creating convincing fake domains that exploit human trust.

The Human Element in Phishing

Attackers are leaning on the human side of customer experience. Phishing attacks succeed by exploiting human psychology, manipulating users by leveraging trust, familiarity and a sense of urgency to trick them into clicking links, entering credentials, or installing software. The Australian Signals Directorate, a government intelligence agency, states:

“Malicious actors often go to great lengths to make their communication seem legitimate and trustworthy, increasing the chances that targeted personnel will follow their instructions.”

AI-generated content combined with human-operated chat makes these phishing attempts harder to spot and more effective.

This is not the first time a weakness in Zendesk’s SaaS infrastructure has been identified. Back in January, CloudSEK found that phishing campaigns and “pig butchering” scams were increasingly using the company’s free trial offer to register subdomains that imitate legitimate brands and deceive users.

CloudSEK alerted several clients to suspicious subdomains that used a combination of keywords related to their brand name and a string of numbers to appear legitimate.

Phishing attacks targeting Cloudflare’s pages.dev and workers.dev platforms have also increased, a report by Fortra indicates.

Cloudflare offers fast, reliable, globally distributed infrastructure that attracts developers and attackers alike. Pages.dev hosts web applications, while workers.dev allows code to run at the edge of Cloudflare’s CDN.

Both platforms benefit from Cloudflare’s trusted reputation, automatic SSL/TLS encryption, and free, easy-to-use hosting, which make phishing sites appear legitimate and professional. Attackers can also use custom domains, URL masking, and human verification pages to further create the appearance of credibility, making it more difficult for users to detect fraudulent activity.
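
A defender-side triage check for the two naming patterns described above (typosquatted labels and brand keywords followed by digits), added here as an example and not code from EclecticIQ, CloudSEK, Fortra or Cloudflare. It scans hostnames, for instance from DNS or proxy logs, for labels under pages.dev, workers.dev and zendesk.com; the watchlist, the made-up brand "examplebank", the allowlist and all function names are assumptions.

```python
import re

SHARED_SUFFIXES = ("pages.dev", "workers.dev", "zendesk.com")  # platforms named in the article
KEYWORDS = ("zendesk", "support", "examplebank")  # assumed watchlist; "examplebank" is made up
OFFICIAL = {"examplebank.zendesk.com"}  # assumed allowlist of tenants the brand really runs


def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def one_edit_away(label, word):
    """True if some substring of label is exactly one edit from word."""
    return any(edit_distance(label[i:i + n], word) == 1
               for n in (len(word) - 1, len(word), len(word) + 1)
               for i in range(len(label) - n + 1))


def findings(host):
    """Reasons a hostname looks like brand impersonation; [] means no hit."""
    host = host.strip().lower().replace("[.]", ".").rstrip(".")  # refang defanged input
    suffix = next((s for s in SHARED_SUFFIXES if host.endswith("." + s)), None)
    if suffix is None or host in OFFICIAL:
        return []
    label = host[: -len(suffix) - 1]  # the attacker-chosen part; the suffix is ignored
    reasons = []
    for kw in KEYWORDS:
        if kw in label:
            reasons.append(f"contains '{kw}'")
            if re.search(re.escape(kw) + r"[-_]?\d{2,}", label):
                reasons.append(f"'{kw}' followed by digits")
        elif one_edit_away(label, kw):
            reasons.append(f"one edit from '{kw}'")
    return reasons


# Constructed sample input; the first host is the article's own illustration.
SAMPLE = ["zendeskcupport.pages[.]dev", "examplebank48213.zendesk.com",
          "examplebank.zendesk.com", "weather-app.pages.dev"]
if __name__ == "__main__":
    for h in SAMPLE:
        print(h, "->", findings(h) or "no hit")
```

Hits are leads for analyst review, not verdicts: a one-edit match on a short keyword can also fire on unrelated project names.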

Fortra emphasized that the surge in abuse reflects cybercriminals’ creativity rather than a flaw in Cloudflare’s technology.

Even when platforms are well-defended, phishing campaigns can exploit the channels meant to build trust with customers.

To guard against risk, users are advised to verify URLs carefully, enable multi-factor authentication and report suspicious activity to Cloudflare. Developers using Pages or Workers should monitor for unusual activity and ensure HTTPS connections are enforced.

This underscores the importance of ongoing user education. Employees and customers need to recognize the warning signs and understand safe practices for handling requests for sensitive information.
