The scale and sophistication of these operations represent a significant departure from traditional phishing attempts.
Rather than simple misspelled domain names and poorly written messages, modern phishing campaigns now operate with the efficiency and organization of legitimate technology companies.
The threat landscape has fundamentally transformed from ad-hoc individual attacks into coordinated criminal enterprises.
These operations leverage professional infrastructure management, robust uptime commitments, and engineered evasion techniques that rival enterprise-grade security systems.
SicuraNext security analysts identified that the infrastructure supporting these campaigns demonstrates remarkable operational maturity, with a 96.16% mean DNS resolution rate, indicating highly stable and well-maintained malicious domains.
SicuraNext security researchers noted that Cloudflare serves as the primary infrastructure provider for phishing operations worldwide.
The analysis reveals that 17,202 of the 25,305 tracked malicious domains, representing 68% of all phishing infrastructure, operate through Cloudflare’s network.
This concentration exists because Cloudflare’s free tier offers threat actors zero upfront cost, world-class DDoS protection, and proxy services that effectively mask the actual hosting servers.
The thousands of malicious domains clustered on AS13335, Cloudflare’s primary autonomous system number, have made the platform the de facto home base for phishing operations globally.
The most dangerous development involves Phishing-as-a-Service platforms, such as EvilProxy and Tycoon 2FA.
Unlike traditional phishing kits that simply steal passwords, these services operate as adversary-in-the-middle proxies, positioning themselves between victims and legitimate services.
When users authenticate, the kit intercepts their session while forwarding credentials to the real service, then captures the resulting session cookie.
This approach completely bypasses multi-factor authentication protections.
These sophisticated platforms incorporate multiple evasion technologies.
Geofencing blocks security researchers by IP range, while user-agent-based cloaking restricts content visibility to specific device types, often displaying malicious pages only on mobile browsers.
Developer tools detection immediately stops pages from functioning when security researchers open inspection tools. Cloudflare CAPTCHA filters automatically screen out automated security scanners.
The analysis identified 20 distinct phishing clusters sharing identical infrastructure fingerprints, rotated IP ranges, identical registrars, and matching evasion patterns, demonstrating coordinated, professionally-managed operations rather than opportunistic attacks.
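Because an adversary-in-the-middle kit captures a session cookie issued after MFA has already succeeded, defenders can look for that cookie being presented later by a different client. The following is an added detection sketch, not code from the SicuraNext report; the log field names, the sample events and the rule (both network origin and user agent must change) are assumptions made for illustration.

```python
# Constructed sample events, not real logs. Field names are assumptions.
# ASNs come from the range reserved for documentation (64496-64511).
FIELDS = ("ts", "user", "session", "asn", "ua", "event")
ROWS = [
    (100, "alice", "s-a1", 64500, "Mobile Safari", "login_mfa_ok"),
    (160, "alice", "s-a1", 64500, "Mobile Safari", "request"),
    (900, "alice", "s-a1", 64511, "Chrome Windows", "request"),   # cookie replayed elsewhere
    (200, "bob",   "s-b1", 64501, "Chrome macOS", "login_mfa_ok"),
    (800, "bob",   "s-b1", 64502, "Chrome macOS", "request"),     # same browser, new network
    (300, "carol", "s-c1", 64503, "Firefox Linux", "login_mfa_ok"),
    (950, "carol", "s-c1", 64503, "Edge Windows", "request"),     # same network, new browser
]
EVENTS = [dict(zip(FIELDS, row)) for row in ROWS]


def find_session_replay(events):
    """Return one finding per session whose cookie is presented from a
    different ASN *and* a different user agent than the client that
    completed MFA. Requiring both changes keeps roaming users (network
    change only) and browser switches (user agent change only) out of
    the results."""
    origin = {}      # session id -> event that completed MFA
    flagged = set()  # sessions already reported
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid = ev["session"]
        if ev["event"] == "login_mfa_ok":
            origin[sid] = ev
            continue
        first = origin.get(sid)
        if first is None or sid in flagged:
            continue  # no known origin to compare with, or already reported
        if ev["asn"] != first["asn"] and ev["ua"] != first["ua"]:
            flagged.add(sid)
            findings.append({
                "user": ev["user"],
                "session": sid,
                "origin_asn": first["asn"],
                "replay_asn": ev["asn"],
                "seconds_after_mfa": ev["ts"] - first["ts"],
            })
    return findings


if __name__ == "__main__":
    for finding in find_session_replay(EVENTS):
        print(finding)
```

A hit is a lead for investigation rather than proof of compromise; revoking the flagged session and forcing re-authentication is the usual response.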
The post New Report Warns of 68% Of Actively Serving Phishing Kits Protected by CloudFlare appeared first on Cyber Security News.