I recently investigated a campaign abusing Cloudflare Pages (pages[.]dev) to host benign-looking SEO blog content that displays a delayed "Continue Read" modal.
The click-gated interaction redirects users into a shared backend redirector, which conditionally routes traffic to phishing pages, adware/PUP installers, fake browser download lures, and QR-based social engineering flows.
I analyzed a set of phishing pages impersonating PNB MetLife Insurance that steal user details and redirect victims into fraudulent UPI payments.
The pages are mobile-first and appear designed for SMS delivery. Victims are asked for basic policy details, which are exfiltrated via Telegram bots, and then pushed into UPI payment flows using dynamically generated QR codes and deep links to PhonePe/Paytm. A second variant escalates to full bank and debit-card detail harvesting.
I analyzed a browser-only tech support scam that relies entirely on client-side deception, with no malware dropped.
The page abuses full-screen and input-lock APIs, simulates a fake CMD scan and BSOD, and pushes phone-based social engineering.