Hello everyone,
I wanted to share some concerns I have about the increasing amount of phishing and scam activity on Cloudflare’s pages.dev and workers.dev domains. As the owner of scanner.ducks.party, I have been monitoring these domains and have noticed a significant increase in malicious activity. In fact, about a quarter of the pages on the pages.dev domain can be identified with high confidence as malicious.
Unfortunately, Cloudflare does not have a public API for reporting these issues, making it difficult for me to address this problem on my own. That’s why I’m reaching out to this community for possible ideas and solutions.
My proposal is to publish a portion of the scanner.ducks.party archives that contain data about Cloudflare domains and create an hourly updated archive of scanner data containing information about Cloudflare domains. The more information we have, the better equipped we will be to fight this malicious activity.
I believe that by working together, we can make the Internet a safer place for everyone. If you have any other ideas or suggestions, please don’t hesitate to share them.
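One concrete shape the proposed hourly archive could take, as an added example that is not part of the original post or of scanner.ducks.party's own code: it takes scanner records (the record layout, the confidence threshold and the sample entries are all constructed assumptions), keeps only hosts under Cloudflare's shared pages.dev and workers.dev suffixes with a high-confidence malicious verdict, groups them by hour, and computes the share of flagged hosts per suffix. Host matching is done on the parsed hostname with a leading dot so that a look-alike registered domain such as evilpages.dev is not mistaken for a Cloudflare-hosted site.

```python
"""Hourly feed of suspected-malicious hosts on Cloudflare's shared suffixes.

Added example (not the original post's or scanner.ducks.party's code).
Record layout, threshold and sample data are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit
import json

SHARED_SUFFIXES = ("pages.dev", "workers.dev")
MALICIOUS_THRESHOLD = 0.9  # assumed cutoff for "high confidence"

# Constructed sample scanner records; these are not real sites or real verdicts.
SAMPLE_RECORDS = [
    {"url": "https://login-secure-dhl.pages.dev/track", "verdict": "phishing",
     "confidence": 0.97, "seen": "2023-05-01T10:12:00Z"},
    {"url": "https://my-portfolio.pages.dev/", "verdict": "benign",
     "confidence": 0.99, "seen": "2023-05-01T10:20:00Z"},
    {"url": "https://evilpages.dev/x", "verdict": "phishing",       # look-alike, not a shared suffix
     "confidence": 0.99, "seen": "2023-05-01T10:30:00Z"},
    {"url": "https://login-secure-dhl.pages.dev/alt", "verdict": "phishing",  # same host, same hour
     "confidence": 0.91, "seen": "2023-05-01T10:45:00Z"},
    {"url": "http://fake-bank.example.workers.dev:8080/", "verdict": "phishing",
     "confidence": 0.93, "seen": "2023-05-01T11:05:00Z"},
    {"url": "https://unsure.pages.dev/", "verdict": "phishing",       # below threshold, excluded
     "confidence": 0.55, "seen": "2023-05-01T11:10:00Z"},
]


def shared_suffix(url):
    """Return (hostname, matched shared suffix or None) for a URL."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    for suffix in SHARED_SUFFIXES:
        # Require a dot before the suffix so 'evilpages.dev' does not match 'pages.dev'.
        if host.endswith("." + suffix):
            return host, suffix
    return host, None


def is_flagged(record, threshold=MALICIOUS_THRESHOLD):
    """True when the scanner verdict is non-benign with high confidence."""
    return record["verdict"] != "benign" and record["confidence"] >= threshold


def hour_bucket(timestamp):
    """Truncate an ISO-8601 UTC timestamp to the hour it falls in."""
    dt = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:00Z")


def build_hourly_feed(records, threshold=MALICIOUS_THRESHOLD):
    """Group flagged shared-suffix hosts by hour; one entry per host per hour."""
    feed = defaultdict(dict)  # hour -> host -> entry
    for rec in records:
        host, suffix = shared_suffix(rec["url"])
        if suffix is None or not is_flagged(rec, threshold):
            continue
        entry = feed[hour_bucket(rec["seen"])].setdefault(host, {
            "host": host, "suffix": suffix, "verdict": rec["verdict"],
            "confidence": rec["confidence"], "urls": []})
        entry["urls"].append(rec["url"])
        entry["confidence"] = max(entry["confidence"], rec["confidence"])
    return {hour: sorted(hosts.values(), key=lambda e: e["host"])
            for hour, hosts in sorted(feed.items())}


def flagged_share(records, suffix, threshold=MALICIOUS_THRESHOLD):
    """Fraction of distinct hosts under `suffix` that are flagged at least once."""
    hosts = {}
    for rec in records:
        host, matched = shared_suffix(rec["url"])
        if matched != suffix:
            continue
        hosts[host] = hosts.get(host, False) or is_flagged(rec, threshold)
    return sum(hosts.values()) / len(hosts) if hosts else 0.0


if __name__ == "__main__":
    print(json.dumps(build_hourly_feed(SAMPLE_RECORDS), indent=2))
    for s in SHARED_SUFFIXES:
        print(f"{s}: {flagged_share(SAMPLE_RECORDS, s):.0%} of observed hosts flagged")
```

The feed keys on hostname rather than URL so that repeated paths on one phishing site collapse into a single entry, which is what a takedown recipient needs; the raw URLs are kept as evidence under that entry.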
Yes, if we’re talking about a few pages so far. In my case, I already have a list of at least a thousand sites on the pages.dev domain. I have already tried to automate the sending of the reports, but due to the rate limits it is not possible without using a large number of IP addresses.
Great catch, @nyuuzyou
I have also identified a large number of Cloudflare pages.dev and workers.dev sites targeting small lending partners in the United States, including some DHL courier phishing attempts.
I’ve identified a few of them as generic phishes with well-crafted phishing kits. They’re also using different gateways of WEB 3 hosting. From the perspective of takedown requests to Cloudflare, if you report URLs from a fresh email and your IP address is new to them, they typically respond quickly. I’ve noticed sometimes in just 30 minutes. However, if you start reporting to them very frequently, they may begin to treat your requests as backlogged or unresponsive. The same thing happened to me.
So, I recommend that if you want a swift takedown from Cloudflare, do not use a single email address for excessive reporting. Try using different emails, and also consider changing your location by using a VPN at the time of reporting.
In that case, we should consider automating the report submission by wrapping the Cloudflare form into our own API. In the worst case we could use a headless browser. I don’t think that’s the right solution, but I see it as the only one for now.