
Error 524 Decoy Campaign Uses Brand Impersonation to Phish Mobile Users

A large-scale smishing and phishing campaign is targeting mobile users worldwide by impersonating more than 260 brands across 72 countries, and it relies on a sophisticated evasion technique built around fake Cloudflare “Error 524” pages.

Active since the second half of 2025, the operation primarily focuses on Latin America but has expanded into Europe, APAC, and North America, highlighting the growing industrialization of phishing-as-a-service (PhaaS) ecosystems.

Telecommunications providers account for the largest share of impersonated entities, followed by financial institutions and consumer reward programs.

Researchers attribute this regional focus to weak SMS anti-spoofing enforcement, high mobile-first usage, and widespread adoption of loyalty-based services that provide convincing social engineering pretexts.

A defining characteristic of this campaign is its layered anti-analysis architecture. When accessed under non-target conditions, such as from desktop environments or non-target geographies, the phishing domains display realistic Cloudflare error pages, including the widely recognized “Error 524” timeout message.

This decoy effectively conceals malicious content from automated scanners, security researchers, and hosting providers, allowing the infrastructure to evade detection and takedown efforts.

The filtering mechanism relies on client-side geolocation checks and device fingerprinting. Only users accessing the link from targeted countries and mobile devices are served the actual phishing interface.

According to Group-IB’s Digital Risk Protection team, the campaign has generated at least 4,389 phishing domains, with Mexico, Chile, and Colombia representing the most heavily targeted regions.

Breakdown of the smishing campaign’s most targeted industries in LATAM (Source: Group-IB).

This conditional rendering is implemented within a Base64-encoded single-page application (SPA), which dynamically decodes and executes malicious logic at runtime, further complicating static analysis.
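The gating described above is a problem for anyone triaging a reported URL: the static HTML looks empty, and the interesting logic only exists after the Base64 literal is decoded in the browser. The following is an added example written for this article, not code from Group-IB or from the campaign, showing how an analyst can decode such literals offline and surface the indicators the article mentions (user-agent checks, a WebSocket endpoint, Cloudflare error text, a geolocation lookup). The sample page, the `.invalid` hostnames and the indicator regexes are all constructed assumptions; the decoded sample contains only indicator strings, not working page logic.

```python
import base64
import re

# Constructed sample page for testing the triage logic (not taken from the campaign).
# It mimics the pattern described in the article: a long Base64 literal that is
# decoded with atob() and executed at runtime.
SAMPLE_HTML = """<html><body><div id="app"></div>
<script>
var p = "%s";
eval(atob(p));
</script></body></html>"""

# Constructed decoded payload: indicator strings only, not working page logic.
SAMPLE_INNER = (
    "var ua = navigator.userAgent;\n"
    "var ep = 'wss://decoy-placeholder.invalid/ws';\n"
    "var decoy = 'Error 524 A timeout occurred';\n"
    "fetch('https://geoip-lookup-placeholder.invalid/json');\n"
)
SAMPLE_PAGE = SAMPLE_HTML % base64.b64encode(SAMPLE_INNER.encode()).decode()

# Long quoted Base64 literals (64+ chars) and decode-then-execute sinks.
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/=]{64,})["\']')
DECODE_SINK = re.compile(r'\b(?:eval|Function|document\.write)\s*\(\s*atob\s*\(')

# Heuristic indicators worth surfacing to an analyst; the patterns are assumptions.
INDICATORS = {
    "user_agent_check": re.compile(r'navigator\.userAgent'),
    "websocket_endpoint": re.compile(r'wss?://[^\s\'"]+'),
    "cloudflare_decoy_text": re.compile(r'Error 5\d\d'),
    "geolocation_lookup": re.compile(r'navigator\.geolocation|geoip|ipapi', re.I),
}


def extract_blobs(page: str) -> list:
    """Return the UTF-8 text of every long Base64 literal that decodes cleanly."""
    decoded = []
    for match in B64_LITERAL.finditer(page):
        try:
            decoded.append(base64.b64decode(match.group(1), validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # not Base64, or binary data: skip rather than guess
    return decoded


def triage(page: str) -> dict:
    """Decode embedded payloads and report which indicators appear in the page or its payloads."""
    blobs = extract_blobs(page)
    corpus = page + "\n" + "\n".join(blobs)
    hits = {}
    for name, pattern in INDICATORS.items():
        found = sorted(set(pattern.findall(corpus)))
        if found:
            hits[name] = found
    return {
        "runtime_decode_sink": bool(DECODE_SINK.search(page)),
        "decoded_blobs": len(blobs),
        "indicators": hits,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_PAGE), indent=2))
```

Run it against the raw HTML you fetched rather than against what a browser rendered: the point is that the decoy page and the decoded payload are both visible in the same file once the literal is decoded, so an "Error 524" page that also carries a decode-and-execute sink is itself a signal worth escalating.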

Error 524 Decoy Campaign

The attack chain begins with SMS messages containing urgent lures such as expiring rewards or pending deliveries, often sent from spoofed local numbers.

The websites use a Cloudflare error page displaying various error codes as a deceptive landing page (Source: Group-IB).

Beyond LATAM, the campaign’s European instances (673 confirmed domains, primarily Netherlands and Germany) targeted financial services and logistics operators, while APAC instances (238 domains, led by Australia) focused on telecommunications and government impersonation. 

Embedded shortened URLs redirect victims to phishing domains that initially load minimal HTML structures. Once validated, users are presented with brand-specific interfaces tailored to their region, enhancing credibility.

Victims are guided through a staged data harvesting process that starts with basic identification inputs and escalates to full personal information, including name, address, email, and phone number.

The final stage requests complete payment card details. Validation mechanisms are intentionally minimal, relying only on checksum verification to maximize data collection efficiency without introducing delays from real-time banking checks.

A notable technical component is the use of encrypted WebSocket (WSS) channels for real-time data exfiltration. Once the phishing page loads, a persistent WebSocket connection is established, allowing bidirectional communication between the victim’s browser and attacker-controlled servers.

Harvested data is transmitted as binary-encoded payloads, while periodic heartbeat signals maintain session integrity and provide behavioral telemetry such as dwell time.

Test cards passing the checksum are accepted and immediately trigger the post-submission redirect. This approach maximizes throughput by avoiding real-time authorization checks that would require bank connectivity and introduce latency.
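Two details in the preceding paragraphs are directly usable on the defensive side: the kit accepts anything that passes the Luhn checksum, and it exfiltrates over a persistent WebSocket with periodic heartbeats. The following added example, written for this article and not code from Group-IB or the campaign, applies the same checksum in reverse: it decodes captured WebSocket frames, flags Luhn-valid card-number-like digit strings, and measures heartbeat cadence. The capture format (hex payload plus timestamp), the `{"hb":N}` heartbeat shape, and the frame contents are constructed assumptions; the card number is the widely published Visa test number 4111 1111 1111 1111.

```python
import re
from datetime import datetime

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Heartbeat shape is an assumption for the constructed capture below, not the campaign's format.
HEARTBEAT = re.compile(r'\{"hb":\d+\}')


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check, the only validation the article says the kit performs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep first six and last four digits so findings can be logged without storing the PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_frames(frames: list) -> dict:
    """Decode captured WebSocket frames, flag Luhn-valid card numbers, and measure heartbeat cadence."""
    findings, heartbeat_times = [], []
    for frame in frames:
        text = bytes.fromhex(frame["hex"]).decode("latin-1")  # latin-1 never fails on binary
        if HEARTBEAT.fullmatch(text):
            heartbeat_times.append(datetime.fromisoformat(frame["t"].replace("Z", "+00:00")))
            continue
        for match in PAN_CANDIDATE.finditer(text):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_valid(digits):
                findings.append({"t": frame["t"], "dir": frame["dir"], "pan": mask(digits)})
    gaps = sorted((b - a).total_seconds() for a, b in zip(heartbeat_times, heartbeat_times[1:]))
    return {
        "pan_findings": findings,
        "heartbeat_count": len(heartbeat_times),
        "heartbeat_interval_s": gaps[len(gaps) // 2] if gaps else None,  # median gap
    }


def frame(t: str, direction: str, payload: bytes) -> dict:
    """Build one constructed capture record (hex payload, as a proxy or EDR might export it)."""
    return {"t": t, "dir": direction, "hex": payload.hex()}


# Constructed capture: heartbeats every 30 s, a first-stage form with a phone number that
# fails Luhn, and a final-stage frame carrying the well-known Visa test number.
SAMPLE_FRAMES = [
    frame("2025-11-03T10:00:00Z", "out", b'{"hb":1}'),
    frame("2025-11-03T10:00:30Z", "out", b'{"hb":2}'),
    frame("2025-11-03T10:00:45Z", "out", b'{"step":1,"name":"Test User","phone":"5215512345679"}'),
    frame("2025-11-03T10:01:00Z", "out", b'{"hb":3}'),
    frame("2025-11-03T10:01:05Z", "out", b'{"step":3,"pan":"4111 1111 1111 1111","exp":"12/29"}'),
    frame("2025-11-03T10:01:30Z", "out", b'{"hb":4}'),
]

if __name__ == "__main__":
    print(scan_frames(SAMPLE_FRAMES))
```

Luhn alone is a weak discriminator (roughly one in ten arbitrary digit strings passes), which is exactly why the kit uses it: it costs nothing and rejects almost nothing. For detection, treat a Luhn hit as one signal and combine it with the others the article gives you: an outbound `wss://` connection to a domain on a low-cost TLD, a steady heartbeat cadence, and a form that walks through identity fields before asking for the card.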

Solicitation of full credit card credentials, including card number, expiry date and CVV (Source: Group-IB).

Infrastructure analysis reveals that Cloudflare is widely used as a reverse proxy to mask origin servers, which are frequently hosted on Tencent Cloud and Alibaba infrastructure.

This setup complicates attribution and takedown efforts, as mitigation actions at the CDN layer do not necessarily disrupt backend operations. Additionally, the campaign employs rapid domain cycling using low-cost top-level domains such as .top, .ink, and .click, with naming conventions designed to mimic legitimate brand reward portals.
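Because CDN-level takedowns do not reach the origin, brand owners are largely left with spotting new domains early. The following added example, written for this article and not code from Group-IB, turns the naming pattern described above (brand token plus reward vocabulary on a low-cost TLD) into a simple scoring rule for newly observed hostnames from certificate transparency or passive DNS feeds. The brand names, the allowlist, the sample feed and the reward vocabulary are constructed assumptions; only the three TLDs come from the article.

```python
# Low-cost TLDs named in the article; extend from your own telemetry.
CHEAP_TLDS = {"top", "ink", "click"}
# Reward-portal vocabulary (English and Spanish) is an assumption, not a list from Group-IB.
REWARD_TOKENS = ("rewards", "reward", "premios", "premio", "puntos", "points", "bonus", "promo", "canje")


def split_host(host: str):
    """Return (tld, registrable domain, labels left of the TLD). Assumes single-label TLDs."""
    labels = host.lower().strip(".").split(".")
    return labels[-1], ".".join(labels[-2:]), labels[:-1]


def score_domain(host: str, brands: list, allowlist: set) -> dict:
    """Score how closely a newly observed hostname matches the campaign's naming pattern."""
    tld, registrable, labels = split_host(host)
    if registrable in allowlist:
        return {"host": host, "score": 0, "reasons": ["allowlisted"]}
    joined = "".join(labels)        # keeps hyphens and digits for the padding check
    flat = joined.replace("-", "")  # brand and vocabulary matching ignores separators
    score, reasons = 0, []
    if tld in CHEAP_TLDS:
        score += 2
        reasons.append(f"low-cost TLD .{tld}")
    for brand in brands:
        if brand in flat:
            score += 2
            reasons.append(f"brand token '{brand}' outside the brand's own domain")
            break
    for token in REWARD_TOKENS:
        if token in flat:
            score += 1
            reasons.append(f"reward vocabulary '{token}'")
            break
    if "-" in joined or any(ch.isdigit() for ch in joined):
        score += 1
        reasons.append("hyphen or digit padding in label")
    return {"host": host, "score": score, "reasons": reasons}


def triage_feed(hosts, brands, allowlist, threshold: int = 4) -> list:
    """Return scored hosts at or above the threshold, highest score first (stable order)."""
    scored = [score_domain(h, brands, allowlist) for h in hosts]
    return sorted((s for s in scored if s["score"] >= threshold), key=lambda s: -s["score"])


# Constructed inputs: placeholder brand names, not real impersonated companies.
BRANDS = ["acmetelco", "examplebank"]
ALLOWLIST = {"acmetelco.com", "examplebank.com"}
SAMPLE_FEED = [
    "acmetelco-rewards.top",
    "www.acmetelco.com",
    "examplebank-puntos2025.click",
    "weather-news.click",
    "acmetelco.ink",
]

if __name__ == "__main__":
    for hit in triage_feed(SAMPLE_FEED, BRANDS, ALLOWLIST):
        print(hit["score"], hit["host"], "; ".join(hit["reasons"]))
```

The allowlist check comes first so the brand's own domains never score, and the brand match is worth more than the TLD on its own: a cheap TLD with no brand reference (the `weather-news.click` case) stays below the threshold. Multi-label public suffixes such as `.com.mx` would need a public-suffix list instead of the single-label split used here.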

The combination of mobile-focused delivery, advanced evasion techniques, and real-time exfiltration demonstrates a high level of operational maturity.

Group-IB notes that this campaign reflects an evolution in phishing tradecraft, where attackers integrate performance monitoring tools, encrypted communications, and cloud-native infrastructure to scale globally while maintaining low detection rates.
