Global Smishing Campaign Exploits Cloudflare Error Pages for Phishing

Severity: High (Score: 66.5)

Sources: Gbhackers, Group-IB

Published: 2026-06-04 · Updated: 2026-06-04

Keywords: error, smishing, decoy, campaign, mobile, users, operation

Severity indicators: rat

Summary

Group-IB researchers have uncovered a large-scale smishing and phishing operation that has been active since the second half of 2025. This campaign impersonates over 260 brands across 72 countries, primarily targeting mobile users in Latin America. The attackers utilize fake Cloudflare 'Error 524' pages to deceive victims into providing sensitive information. The operation has generated thousands of phishing domains, with a significant concentration in Mexico, Chile, and Colombia. The campaign employs advanced evasion techniques, including geofencing and encrypted WebSocket channels for real-time data theft. Group-IB has identified 4,389 domain instances linked to this operation, with additional targets in Europe, APAC, and North America. The campaign's sophisticated infrastructure poses a significant threat to financial services and telecommunications sectors. Ongoing monitoring and threat intelligence efforts are crucial to mitigate the risks associated with this operation.

Key Points:

  • The smishing campaign targets over 260 brands across 72 countries, focusing on Latin America.
  • Attackers use fake Cloudflare 'Error 524' pages to trick victims into revealing personal data.
  • Group-IB identified 4,389 phishing domains linked to this operation, with a significant presence in Mexico, Chile, and Colombia.

Detailed Analysis

**Impact** The campaign targets mobile users across 72 countries, primarily affecting Latin America with 4,389 phishing domains, of which Mexico, Chile, and Colombia account for 60% (2,638 domains). Over 267 brands across telecommunications, financial services, logistics, and consumer loyalty sectors are impersonated. Thousands of phishing domains harvest full credit card credentials and personal identifiers, posing significant financial and privacy risks to affected individuals and organizations.

**Technical Details** The attack uses smishing and phishing via SMS to lure victims to fake Cloudflare error pages (notably “Error 524”) that serve as decoys. The infrastructure employs geofencing and mobile device checks to selectively deliver malicious content, using Base64-obfuscated Single Page Applications and encrypted WebSocket channels for real-time data exfiltration. The campaign’s layered anti-analysis evasion returns legitimate-looking error pages to non-targeted or non-mobile requests, complicating detection and takedown efforts. No specific malware or CVEs were reported.

**Recommended Response** Defenders should monitor for SMS-based phishing attempts targeting mobile users, especially in Latin America, and block domains mimicking Cloudflare error pages with suspicious URL patterns. Deploy detection rules for Base64-obfuscated web content and encrypted WebSocket traffic associated with credential theft. Strengthen SMS anti-spoofing controls and educate users on verifying legitimate brand communications. No patches or CVEs are indicated; focus on network and endpoint detection and response.
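A triage sketch for the decoy and cloaking behaviour described above, added here as an example and not taken from Group-IB's report or tooling: it compares two fetches of the same URL (desktop and mobile profile) and flags an "Error 524" body that lacks Cloudflare's own markers, profile-dependent content, Base64-wrapped markup and WebSocket endpoints. The response dictionaries, the 200-character threshold, the finding labels and `collector.example` are assumptions, and the sample responses are constructed.

```python
import base64
import re

B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}")  # 200-char threshold is an assumption
ERR_524 = re.compile(r"error\s*524|a timeout occurred", re.I)

def looks_like_524(resp):
    return bool(ERR_524.search(resp["body"]))

def genuine_cloudflare_524(resp):
    # A real Cloudflare 524 carries HTTP status 524 and a CF-RAY header.
    names = {k.lower() for k in resp["headers"]}
    return resp["status"] == 524 and "cf-ray" in names

def decoded_blobs(body):
    """Yield text recovered from long Base64 runs embedded in a page."""
    for run in B64_RUN.findall(body):
        try:
            raw = base64.b64decode(run + "=" * (-len(run) % 4))
        except ValueError:  # not valid Base64 after all
            continue
        yield raw.decode("utf-8", "ignore")

def triage(desktop, mobile):
    """Compare two fetches of one URL (desktop vs. mobile profile)."""
    findings = set()
    if looks_like_524(desktop) and not genuine_cloudflare_524(desktop):
        findings.add("decoy-524")          # error text without Cloudflare's markers
    if looks_like_524(desktop) and not looks_like_524(mobile):
        findings.add("mobile-cloaking")    # content depends on client profile
    for text in decoded_blobs(mobile["body"]):
        if re.search(r"<(script|form|input)\b", text, re.I):
            findings.add("base64-spa")     # markup hidden inside Base64
        if "wss://" in text:
            findings.add("websocket-channel")
    return sorted(findings)

# Constructed sample responses (not captured from the campaign).
_APP = ('<div id="app"></div><script>var ws = new WebSocket('
        '"wss://collector.example/ws");</script>' + "<!-- constructed padding -->" * 4)
DESKTOP = {"status": 200, "headers": {"Content-Type": "text/html"},
           "body": "<title>524: A timeout occurred</title><h1>Error 524</h1>"}
MOBILE = {"status": 200, "headers": {"Content-Type": "text/html"},
          "body": '<script>document.write(atob("%s"))</script>'
                  % base64.b64encode(_APP.encode()).decode()}
REAL_524 = {"status": 524, "headers": {"Server": "cloudflare", "CF-RAY": "constructed"},
            "body": "<title>524: A timeout occurred</title><h1>Error 524</h1>"}

if __name__ == "__main__":
    print(triage(DESKTOP, MOBILE))
```

Each finding is a weak signal on its own; the combination of a 524 page without Cloudflare's markers and different content for a mobile profile is what matches the behaviour this page describes.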

Source articles (2)

  • Error 524 Decoy: Unmasking a Global Smishing Operation Hiding Behind Error Pages — Group-IB · 2026-06-03
    Group-IB researchers expose a large-scale smishing and phishing operation impersonating 260+ brands across 72 countries, using fake Cloudflare error pages, geofencing, and encrypted WebSocket channels…
  • Error 524 Decoy Campaign Uses Brand Impersonation to Phish Mobile Users — Gbhackers · 2026-06-03
    A large-scale smishing and phishing campaign targeting mobile users worldwide by impersonating more than 260 brands across 72 countries, leveraging a sophisticated evasion technique built around fake C…

Timeline

  • 2025-07-01 — Smishing campaign identified: Group-IB researchers discovered the smishing operation during routine monitoring, noting its sophisticated techniques.
  • 2025-12-01 — Campaign expands globally: The operation expanded its reach beyond Latin America to include Europe, APAC, and North America.
  • 2026-06-03 — Public disclosure of campaign details: Group-IB published findings detailing the campaign's methods and impact on global brands.

Related entities

  • Phishing (Attack Type)
  • Error 524 Decoy Campaign (Campaign)
  • Australia (Country)
  • Chile (Country)
  • Colombia (Country)
  • Germany (Country)
  • Mexico (Country)
  • Netherlands (Country)
  • Financial (Industry)
  • Telecommunications (Industry)
  • T1041 - Exfiltration Over C2 Channel (Mitre Attack)
  • T1071 - Application Layer Protocol (Mitre Attack)
  • T1566.002 - Spearphishing Link (Mitre Attack)
  • T1566 - Phishing (Mitre Attack)
  • Alibaba US (Platform)
  • Tencent Cloud (Platform)
  • Cloudflare (Company)
  • Caddy (Tool)