If you are a CloudFlare customer and just got an email asking you to confirm changes you made to your account, rest assured, it’s fake.
We’ve been getting them here at Consumer Press too. They say we have made changes to our “domain data” and need to confirm or cancel the changes by clicking on a link.
That link, and others throughout the email, appear at first glance to link to CloudFlare.com. Mouse over them, though, and you can easily see that they lead to a different site.
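As an added example (not code from Consumer Press or CloudFlare), here is a Python check for the mismatch described above: it parses an email's HTML and flags any link whose visible text claims a cloudflare.com address while the href actually points elsewhere. The sample email body and the `TRUSTED` set are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = {"cloudflare.com"}  # domains the visible link text may legitimately claim

def _host(value):
    """Hostname (lowercased) from a URL or bare domain, or None."""
    value = value.strip()
    if not value:
        return None
    if "://" not in value:
        value = "http://" + value
    return urlparse(value).hostname

def _trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> in the email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_deceptive_links(html):
    """Return (visible text, href) pairs whose text names a trusted domain
    while the href points outside it (a look-alike suffix does not count)."""
    parser = _Anchors()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown, real = _host(text), _host(href)
        if shown and _trusted(shown) and not (real and _trusted(real)):
            flagged.append((text, href))
    return flagged

# Constructed sample in the style of the email described above (not the real message).
SAMPLE = """<p>Please confirm the changes to your domain data:</p>
<a href="http://example.invalid/confirm">https://www.cloudflare.com/confirm</a>
<a href="https://www.cloudflare.com/">cloudflare.com</a>"""
```

Links whose visible text is ordinary words ("Cancel changes") are not judged by this check; it only catches text that impersonates a trusted address.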
CloudFlare is aware of the problem.
Marc Rogers, Principal Security Researcher at CloudFlare, wrote a blog post about it yesterday. In it, he said “We will never send you an email like this. If you see one, it's fake and should be reported to our abuse team by forwarding it to [email protected]”.
The example email in their blog post differs somewhat from the email we’ve been getting. In that version, the message claims a user tried to log in with an incorrect password and that the CloudFlare account has to be ‘reactivated’ by clicking on the (fake) link.
Rogers explained how the spammer collected the sites and email addresses of CloudFlare users, saying “What it looks like is this attacker harvested a large number of target domains using public DNS and email records identifying likely administrative email addresses. This became his victim list.”
The goal of the spammer, according to Rogers, is simply “to collect your credentials.” He also says this particular attack is “remarkably unsophisticated.”
Have you been getting these emails?
Be sure to pass this info along to other webmasters you know using the share buttons below!