CloudFlare Phishing attempt discovered September 7th, 2017

Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message. The recipient is then tricked into clicking a malicious link, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack or the revealing of sensitive information.

On Thursday, September 7th a group of scammers sent emails phishing for CloudFlare credentials. The email appears to come from “Cloudflare Abuse Department”, but you will see that the email did not actually come from Cloudflare.  It came from a freshdesk email account which is not associated with Cloudflare.

The email also contains a link to lead the recipient to review the complaint and takes them to https://cloudflarecompliancedept.site/support/.

The site looks like the Official Cloudflare login page and even has an SSL certificate that appears to be valid.  Upon investigation, the SSL certificate is a free certificate that can be obtained easily.

You can even find the fake freshdesk login page by visiting https://cloudflareabuse.freshdesk.com/support/home

This phishing attempt was very well thought out, all the way down to the smallest detail.  To the average person opening their emails, it would be very difficult to identify this as  malicious.

What you can do

While the malicious email looked completely legit, there was one key giveaway: The mail was sent from a domain that is not associated with Cloudflare.

If you received an email from support@cloudflareabuse.freshdesk.com, report it as phishing by notifying your email provider. Then delete it.

If you do click on the malicious link, do not attempt to log into the account.

If, unfortunately, you fell for the scam and granted permission to the hackers,  get in touch with CloudFlare directly.  While you’re at it, it’s a good idea to change your passwords.

Here is the official Cloudflare link to visit if you encounter the scam:
https://support.cloudflare.com/hc/en-us/articles/200167736-How-do-I-file-a-phishing-complaint-

Rest assured that the eBoundHost JetRails eCommerce Team is actively working with Cloudflare on this discovery.  As of 12:54 PM CST, it appears that the malicious domain was taken down.  That does not mean the original attacker is not still active.  Please take caution with any emails and access points and reach out to the JetRails team with any questions or concerns:  888-554-9990 or support@eboundhost.com

Tom P September 7, 2017