Threat actors are using a fake CloudFlare DDoS (distributed denial-of-service) check page as a Nuclear exploit kit (EK) gate to load a malicious redirection that ultimately triggers the EK, Malwarebytes Security Researcher Jerome Segura said in a blog post.
“Upon further check, the server's IP address is clearly visible and does not belong to CloudFlare at all,” he wrote.
Because CloudFlare is a cloud security firm that offers DDoS mitigation and other website protection services, attackers may be hoping that victims are more likely to fall for the ruse.
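As an added defender-side illustration (not code from the Malwarebytes post or from SCMagazine), the check Segura describes can be automated: a page that shows a CloudFlare-style browser check but is answered from an address outside CloudFlare's published ranges, and without CloudFlare's CF-RAY response header, is flagged as spoofed. The IPv4 ranges, the header name and the marker phrases are assumptions taken from CloudFlare's public documentation; refresh the ranges from https://www.cloudflare.com/ips-v4 before relying on them, and the sample pages below are constructed.

```python
import ipaddress
from typing import Mapping

# Assumption: a subset of CloudFlare's published IPv4 ranges
# (https://www.cloudflare.com/ips-v4); refresh from the live list before use.
CLOUDFLARE_V4 = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Phrases a genuine CloudFlare browser check page shows; a fake gate copies them.
CHALLENGE_MARKERS = ("checking your browser", "ddos protection by cloudflare")

# Constructed sample responses: a spoofed gate on a non-CloudFlare host (TEST-NET-3
# address) that meta-refreshes to a redirect, and a genuine-looking challenge page.
FAKE_BODY = ('<html><head><meta http-equiv="refresh" content="5;url=/landing">'
             '</head><body>Checking your browser before accessing the site...'
             '<p>DDoS protection by CloudFlare</p></body></html>')
REAL_BODY = "<html><body>Checking your browser before accessing...</body></html>"


def served_by_cloudflare(ip: str) -> bool:
    """True if the responding address falls inside CloudFlare's published ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def looks_like_challenge(body: str) -> bool:
    """True if the page body presents itself as a CloudFlare browser check."""
    text = body.lower()
    return any(marker in text for marker in CHALLENGE_MARKERS)


def classify(ip: str, headers: Mapping[str, str], body: str) -> str:
    """Return 'genuine', 'spoofed' or 'not-a-challenge' for one HTTP response."""
    if not looks_like_challenge(body):
        return "not-a-challenge"
    lowered = {k.lower(): v for k, v in headers.items()}
    # A real CloudFlare edge answers from CloudFlare IP space and adds CF-RAY.
    if served_by_cloudflare(ip) and "cf-ray" in lowered:
        return "genuine"
    return "spoofed"


if __name__ == "__main__":
    print(classify("203.0.113.10", {"Server": "nginx"}, FAKE_BODY))      # spoofed
    print(classify("104.16.1.1", {"CF-RAY": "0123456789abcdef-SJC"}, REAL_BODY))
```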
But NSFOCUS IB's Principal Sales Engineer and Technical Expert Stephen Gates told SCMagazine.com in a Thursday email correspondence that the phony page could backfire for the threat actors.
“In this case, the tactic seen here is being used to give users some sort of comfort level; however, the general public, in most cases, knows nothing about CloudFlare,” Gates said. “This tactic may actually reduce the attacker's success ratio. Many users may close their browsers before being redirected to the actual malicious website,” he said.
Gates recommended that users protect themselves by keeping their systems updated and patched at all times.