Cloudflare was the target of a sophisticated phishing attack. Here's why it didn't work

Cloudflare has detailed how a phishing attack duped employees, and says the attackers are targeting other companies too.
Written by Danny Palmer, Senior Writer

Cloudflare has detailed what it describes as a "targeted phishing attack" against its staff that was prevented from doing damage because all employees are required to use multi-factor authentication (MFA) in the form of physical security keys in order to access applications. 

That meant that even with the correct usernames and passwords, the attackers couldn't access accounts and no systems were compromised. 

According to cybersecurity researchers at Cloudflare who analysed the attack, it was a sophisticated attack targeting employees and systems "in such a way that we believe most organizations would be likely to be breached". 

Cloudflare has detailed what happened because they believe the culprit is still out there targeting multiple organisations.

The incident started on July 20, when at least 76 Cloudflare employees received phishing text messages on their work or personal phones that pointed to what appeared to be Cloudflare's Okta login page. Strangely, some of the phishing messages were also sent to family members of employees.


It's unknown how the attacker got hold of the phone numbers, but the messages, all of which were sent in under a minute, claimed that 'your Cloudflare schedule has been updated' and directed the targets to an official-looking Okta domain for Cloudflare, which asked anyone visiting it to enter their username and password. Anyone who clicked the link and did so passed their username and password to the attackers.

According to Cloudflare, three employees who received the phishing message fell for it and entered their credentials. However, the attackers couldn't do anything with the stolen login details because of Cloudflare's requirement for employees to use a hardware key when they sign in. 

The phishing messages also contained a further stage designed to download remote-access software onto the victim's machine, which would have allowed the attacker to control it remotely. However, Cloudflare says none of the victims at the company reached this stage, and its endpoint security systems would have prevented unauthorised software from being installed.

Once the attack was reported by employees who had received the suspicious messages, Cloudflare blocked the phishing domain so that employees could no longer reach it.

The company also identified the employees who had received the phishing text messages and followed the link to enter their credentials. These employees had their passwords reset and were logged out of any active sessions in order to prevent any unauthorised access. 

Cloudflare also moved quickly to take down the domain used in the phishing attacks, which had been set up less than an hour before the campaign started. The company has also used the incident to add detection mechanisms to its defences to help identify future campaigns by the same attackers, and has shared this information with other organisations that have been targeted.


While the phishing attack was successfully stopped from doing damage, Cloudflare says there are still lessons which can be learned from the incident, including how "having a paranoid but blame-free culture is critical for security". 

"We're all human and we make mistakes. It's critically important that when we do, we report them and don't cover them up. This incident provided another example of why security is part of every team member at Cloudflare's job," the company said. 

Cloudflare also says that the incident demonstrates how effective using physical keys is for securing people and networks, because despite the attackers successfully gaining access to legitimate login credentials, the lack of a key meant they couldn't exploit it. "We have not seen any successful phishing attacks since rolling hard keys out," said Cloudflare. 
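The reason a hardware key defeats a lookalike login page is origin binding: in a FIDO2/WebAuthn sign-in the browser, not the page, records the origin the user is actually on, the key signs over it, and the real service rejects any assertion bound to a different origin. The following Python is an added illustration of that check and is not Cloudflare's code or Okta's; the domains, the shared-secret "signature" (an HMAC standing in for the key's ECDSA signature) and the simplified authenticatorData layout are all constructed for the example. It goes slightly beyond the article by also showing that the check holds even if the phishing page relays the real site's challenge in real time, or rewrites the origin field after the fact.

```python
import hashlib
import hmac
import json
import os

# All names and values below are constructed for this example; they are not
# Cloudflare's real domains, keys or code.
RP_ID = "login.example-corp.test"                  # hypothetical relying-party ID
RP_ORIGIN = "https://login.example-corp.test"      # origin of the real login page
PHISH_ORIGIN = "https://login.example-c0rp.test"   # hypothetical lookalike origin


def register_credential() -> bytes:
    """Simplification: a per-credential secret shared between the security key
    and the relying party. A real FIDO2 key holds an ECDSA private key and the
    relying party stores only the public key; HMAC stands in for sign/verify."""
    return os.urandom(32)


def authenticator_assert(secret: bytes, page_origin: str, challenge: str):
    """What the browser and security key produce when the user taps the key.

    The browser (not the page's JavaScript) writes the origin it is actually on
    into clientDataJSON and derives the rpId from it; the key then signs over
    authenticatorData || SHA-256(clientDataJSON). A phishing page cannot obtain
    an assertion bound to any origin other than its own.
    """
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True,
    ).encode()
    rp_id = page_origin.split("://", 1)[1]
    # authenticatorData: rpIdHash (32 bytes) + flags byte (0x01 = user present);
    # the signature counter and extensions are omitted in this simplification
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(secret, to_sign, hashlib.sha256).digest()
    return client_data, auth_data, signature


def relying_party_verify(secret: bytes, issued_challenge: str, client_data: bytes,
                         auth_data: bytes, signature: bytes):
    """Server-side checks in the order WebAuthn specifies: ceremony type,
    challenge, origin, rpIdHash, then the signature. Returns (accepted, reason)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != issued_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: assertion bound to {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    expected = hmac.new(secret, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    return True, "ok"


def legitimate_login(secret: bytes):
    """User enters credentials on the real site and taps the key there."""
    challenge = os.urandom(16).hex()
    return relying_party_verify(secret, challenge,
                                *authenticator_assert(secret, RP_ORIGIN, challenge))


def phished_login(secret: bytes):
    """The lookalike site has the username and password and even relays the real
    site's challenge in real time. The key still signs for the phishing origin,
    so the relayed assertion is rejected by the real relying party."""
    challenge = os.urandom(16).hex()   # issued by the real site to the attacker's session
    return relying_party_verify(secret, challenge,
                                *authenticator_assert(secret, PHISH_ORIGIN, challenge))


def forged_origin_login(secret: bytes):
    """Rewriting the origin field (and rpIdHash) before relaying does not help:
    the signature covers SHA-256(clientDataJSON), so it no longer verifies."""
    challenge = os.urandom(16).hex()
    client_data, auth_data, sig = authenticator_assert(secret, PHISH_ORIGIN, challenge)
    forged_client = client_data.replace(PHISH_ORIGIN.encode(), RP_ORIGIN.encode())
    forged_auth = hashlib.sha256(RP_ID.encode()).digest() + auth_data[32:]
    return relying_party_verify(secret, challenge, forged_client, forged_auth, sig)


if __name__ == "__main__":
    cred = register_credential()
    print("legitimate:", legitimate_login(cred))
    print("phished:   ", phished_login(cred))
    print("forged:    ", forged_origin_login(cred))
```

The order of the checks matters for what a defender sees in logs: an attacker relaying a live session fails at the origin check, while one who tampers with the client data fails at the signature, so the rejection reason itself tells you which kind of phishing attempt was made. Contrast this with a one-time code typed into the lookalike page, which carries no origin at all and is accepted anywhere it is forwarded.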

Researchers suggest that those behind this campaign could still be out there, attempting to target others – and Cloudflare hopes that by sharing what happened, it helps other victims stay safe from attacks. 