SMISHING & CLOAKING

The fake Cloudflare error page that hides a phishing trap behind it

A new smishing operation impersonating 260+ brands across 72 countries shows scanners a harmless "Error 524" timeout page and shows real victims the phishing form. Here is how the trick works, and how to read it.

SafeBrowz Threat Research | Organization | Security Research | June 17, 2026 | 11 min read

The 60-second read

Verdict: phishing trap. If a link from a text message first shows a "Cloudflare Error 524" or "connection timed out" page and then loads a login or payment form, it is a scam. The fake error page is a decoy. It is shown to security scanners and to visitors outside the target country so the site looks broken and harmless, while the real phishing page is shown only to you, on your phone, in your region. A genuine Cloudflare error never leads to a login or card form. Do not enter anything. Type the brand's address yourself and verify there.

What just got exposed

On June 3, 2026, the threat-intelligence firm Group-IB published a report called "Error 524 Decoy: Unmasking a Global Smishing Operation Hiding Behind Error Pages." It describes a single, well-run smishing operation that has been active since the second half of 2025, impersonating more than 260 brands across 72 countries, with 4,389 phishing domain instances mapped so far. Help Net Security covered the findings the next day.

The operation is heavily concentrated in Latin America. Mexico alone accounts for roughly 1,851 of the mapped domains, with Chile (529) and Colombia (258) close behind. By industry, telecom is the most-spoofed sector at 1,754 domains, followed by financial services and consumer reward or loyalty programs. The lure arrives by SMS, abusing weak anti-spoofing on the messaging channel, and lands the victim on a polished single-page web app that asks for card and personal data, then exfiltrates it in real time over an encrypted WebSocket connection back to the operator.

None of that is the part worth your attention, though. The part worth your attention is the disguise. This crew solved a problem every phishing operator has, and they solved it with a fake error message that almost nobody questions.

The problem every phishing site has, and how this one cheats

A phishing page has a short, dangerous life. The moment its link goes out by text, it starts getting visited by things that are not victims: Google's crawlers, email and SMS security scanners, hosting-provider abuse bots, anti-phishing feeds, and security researchers poking at the URL. If any of them see the card form, the domain gets reported, blocklisted, and taken down within hours. The operator loses the page before it earns anything.

So the smart move is to show two different pages to two different audiences. Show the real victims the phishing form. Show everyone else something that looks broken and boring, so they move on and never report it. That technique has a name: cloaking. This operation's specific choice of "boring" is what makes it clever. Instead of a blank page or a generic 404, it serves a pixel-faithful copy of a Cloudflare gateway-timeout screen, the kind that displays codes like Error 524. To a scanner, a researcher, or a hosting provider, the site simply looks like a server that is having a bad day. Nobody files an abuse report over a timeout.

How the page decides what to show you

The decision is made the instant the link is opened, before any real content loads. The page runs a quick set of checks on whoever just arrived and picks which face to wear.

  • Your country, from your IP address. The page queries a geolocation service to see where your connection is. If you are not in a target country (Mexico, Chile, Colombia, and the rest of the campaign's map), it shows the Error 524 decoy. This is geofencing: your IP decides what you are allowed to see. A researcher in another country, or a scanner running in a data center somewhere neutral, gets the timeout page and nothing else.
  • Whether you are on a phone. The smishing lure is built for mobile, so the page checks your device. A desktop browser or a headless scanner that does not look like a real mobile handset is treated as not-a-victim and served the decoy.
  • Whether you arrived the expected way. If the right session parameters from the SMS link are missing, the page assumes you are not the intended target and falls back to the error screen.

Pass all the checks and the site quietly swaps the fake error for the live phishing app, a Base64-obfuscated single-page application carrying a fake brand login or a "claim your reward" card form. Fail any of them and you are looking at a Cloudflare error that does not exist. Two pages, one URL, depending entirely on who is asking.

Why this defeats the scanners you rely on

Most of the protection sitting between a scam text and your wallet inspects the message or the link from the outside. A carrier filter reads the SMS. An email gateway, if the lure came that way, detonates the URL in a sandbox. A reputation feed fetches the page and scores its content. Every one of those works by sending a request to the link and judging what comes back.

The Error 524 decoy is engineered to beat exactly that request. The sandbox is not in the target country, so it gets the timeout page. The reputation crawler is not a real phone, so it gets the timeout page. The hosting provider's abuse bot gets the timeout page and closes the ticket. Each scanner honestly reports what it saw, and what it saw was a broken server. The phishing form was never shown to any of them. It was reserved for the one visitor who matters: a real person, on a real phone, in the right place, who tapped the link from the text.

That is the uncomfortable truth this campaign makes plain. A tool that judges a link by fetching its content can be blinded by a page that simply refuses to show its content to tools. Cloaking is genuinely hard for any scanner, ours included, because the page hides the very thing a content scanner needs to see.
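The three checks above, seen from the defender's side, as an added example that is not code from the Group-IB report or from SafeBrowz. It assumes you have recorded what one URL served to several vantage points, including an in-region mobile session; the observation records, the `XX` country placeholder and all function names are constructed for illustration.

```javascript
// Visitor attributes the article says the page checks before choosing a face.
const ATTRIBUTES = ["country", "device", "fromSmsLink"];

// Constructed observations of ONE url: what each vantage point was shown.
// "MX" is a target country from the article; "XX" stands for any non-target one.
// page is "error-524" (the decoy) or "form" (a login or card form).
const OBSERVATIONS = [
  { country: "XX", device: "desktop", fromSmsLink: false, page: "error-524" },
  { country: "XX", device: "mobile",  fromSmsLink: true,  page: "error-524" },
  { country: "MX", device: "desktop", fromSmsLink: true,  page: "error-524" },
  { country: "MX", device: "mobile",  fromSmsLink: false, page: "error-524" },
  { country: "MX", device: "mobile",  fromSmsLink: true,  page: "form" },
];

// Attributes on which two observations differ.
function diffAttributes(a, b) {
  return ATTRIBUTES.filter((k) => a[k] !== b[k]);
}

// Compare every pair of observations. Different pages from the same URL means
// cloaking; a pair that differs in exactly one attribute AND in the page shown
// pins that attribute as one of the gates.
function analyzeCloaking(observations) {
  const pages = [...new Set(observations.map((o) => o.page))];
  const gates = new Set();
  for (let i = 0; i < observations.length; i++) {
    for (let j = i + 1; j < observations.length; j++) {
      const a = observations[i];
      const b = observations[j];
      if (a.page === b.page) continue;
      const diff = diffAttributes(a, b);
      if (diff.length === 1) gates.add(diff[0]);
    }
  }
  return {
    cloaked: pages.length > 1,
    // An error page and a form on the same URL is the article's headline tell.
    errorThenForm: pages.includes("error-524") && pages.includes("form"),
    gates: [...gates].sort(),
    // Each of these vantage points, on its own, would have reported a broken server.
    sawDecoy: observations.filter((o) => o.page === "error-524").length,
  };
}

console.log(analyzeCloaking(OBSERVATIONS));
// Drop the in-region mobile session and nothing looks wrong: the scanner's view.
console.log(analyzeCloaking(OBSERVATIONS.slice(0, 4)));
```
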

What the lures and the links look like

The text itself is short and ordinary. It wears the costume of a brand you actually use: your mobile carrier, your bank, a loyalty or rewards program. Something like a failed-delivery notice, a "your account is suspended," a points-expiring alert, or a small refund waiting to be claimed. There is a link. On a phone screen the link looks plausible because the brand name is stuffed somewhere into it.

The destinations in this campaign favor cheap or free hosting, where a new subdomain costs nothing and takes seconds to spin up. The examples below are illustrative of the shape these links take:

  • correos-entrega-mx.vercel.app
  • telcel-recompensa-mx.pages.dev

The tell is the same one that catches most brand-impersonation phishing: the brand name appears in the address, but not as the real registered domain. A free-hosting subdomain like brand-something.vercel.app or brand-claim.pages.dev is not the brand. Anyone can create one in under a minute, and that is exactly why phishing crews love them. The real registered domain sits at the end of the hostname, immediately before the first single slash, and for these platforms that part belongs to the hosting platform, not the brand.

Red flags that give it away every time

You do not need to know how cloaking works to catch this. The tells are simple and structural.

  • A "Cloudflare error" that then becomes a login or payment form. This is the headline tell. A real Cloudflare timeout is a dead end, not a doorway. If a page shows you a timeout and then a brand login or card form appears, the error was a costume.
  • The link came in a text you did not expect. Carriers, banks, and rewards programs do not push account-critical actions through an unsolicited SMS link. The arrival channel itself is the first warning.
  • The address is a free-hosting subdomain. A brand name on vercel.app, pages.dev, netlify.app, web.app, or similar is not that brand. The platform root is real; an arbitrary subdomain on it is whatever a stranger put there.
  • It only works on your phone. If you try the same link on a laptop and get a timeout or error, that is not a coincidence. The page is hiding from the device it does not want.
  • It asks for a full card number, PIN, or one-time code. A legitimate carrier or bank page reached through their own app or typed address does not collect a full card plus your login plus an SMS code on one screen.
  • Urgency and a small hook. A tiny refund, an expiring points balance, a parcel held for a small fee. The amount is kept low so the math feels harmless and you act before you think.
  • The page blocks normal browser behavior. Right-click disabled, no readable text before the form, the address bar pushed out of view on mobile. Real sites do not hide from you.

What SafeBrowz sees on the network

Here is the honest version, because the alternative is marketing. When a page actively cloaks itself, no scanner gets a clean look at the phishing form, and that includes ours. If the live site shows our fetch the same Error 524 decoy it shows every other tool, content analysis has nothing real to analyze. We are not going to pretend a content scanner magically sees through a page built to hide its content. That would be the exact false promise this campaign is designed to exploit.

What changes the math is leaning on signals that do not require the page to cooperate. SafeBrowz weighs several content-free signals that flag a destination regardless of what it chooses to show:

  • A brand name on a non-official domain. Our brand database catches a tracked brand keyword appearing on a host that is not that brand's real domain. The decoy page can hide its card form, but it cannot hide the address it lives at. A carrier or bank name sitting on a free-hosting subdomain is a flag on its own, before a single byte of page content is read.
  • Free-hosting and lookalike hosts. A brand-style subdomain on vercel.app, pages.dev, netlify.app, or web.app is treated as unverified by default, because anyone can create one. The host itself is the signal, independent of the page.
  • Blocklist and reputation cross-reference. Once any one instance in a 4,000-domain campaign is reported, shared threat feeds light up siblings that share the kit's fingerprints, even ones still serving the decoy.

Notice the pattern: every one of those reads the address and the infrastructure, not the rendered page. That is the only honest way to flag a site that refuses to show its real face. Cloaking beats the scanners that ask "what is on this page." It does much less against a check that asks "is a brand wearing a domain that is not its own."
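The address-only check described above, together with the free-hosting tell from the links section, as an added example; it is not SafeBrowz's code. The free-hosting suffixes are the ones named in this article, while the brand table, its official domains and the verdict names are assumptions made for illustration.

```javascript
// Free-hosting suffixes named in the article.
const FREE_HOSTING = ["vercel.app", "pages.dev", "netlify.app", "web.app"];

// Constructed brand table: keyword -> official registered domains (assumed).
const BRANDS = {
  telcel: ["telcel.com"],
  correos: ["correosdemexico.gob.mx"],
};

// True when host is `domain` itself or a subdomain of it.
function isSameOrSubdomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Classify a link from its address alone; no request is ever sent to it.
function checkLink(raw) {
  let host;
  try {
    const text = String(raw).trim();
    // Links pasted from an SMS often lack a scheme; add one so URL() can parse.
    const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(text) ? text : "https://" + text;
    host = new URL(withScheme).hostname.toLowerCase().replace(/\.$/, "");
    if (!host) throw new Error("no host");
  } catch {
    return { host: null, platform: null, brands: [], flags: ["unparseable"], verdict: "invalid" };
  }

  const flags = [];
  // A subdomain of a platform is flagged; the platform root itself is not.
  const platform = FREE_HOSTING.find((s) => host.endsWith("." + s)) || null;
  if (platform) flags.push("free-hosting-subdomain");
  // Punycode labels are how homograph lookalikes appear in the parsed host.
  if (host.split(".").some((label) => label.startsWith("xn--"))) flags.push("punycode-label");

  const brands = [];
  for (const [keyword, official] of Object.entries(BRANDS)) {
    if (official.some((d) => isSameOrSubdomain(host, d))) {
      return { host, platform: null, brands: [keyword], flags: [], verdict: "official" };
    }
    // Substring match: catches "telcel-recompensa" and "telcel.com.x.web.app".
    if (host.includes(keyword)) brands.push(keyword);
  }
  if (brands.length) flags.push("brand-on-unofficial-host");

  const verdict = brands.length ? "flagged" : flags.length ? "unverified" : "no-signal";
  return { host, platform, brands, flags, verdict };
}

// The article's two illustrative links, plus an official-domain-as-prefix case.
for (const link of [
  "correos-entrega-mx.vercel.app",
  "https://telcel-recompensa-mx.pages.dev/x?id=1",
  "https://telcel.com.recompensa.web.app/",
  "https://www.telcel.com/",
]) {
  console.log(link, "->", checkLink(link).verdict);
}
```
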

Which brands and regions get hit next

Cloaking is a kit, not a one-off, and kits get rented and reused. The Error 524 decoy is now a documented technique, which means it will be bolted onto campaigns that have nothing to do with the original crew. Based on the targeting logic already visible, these are the believable next moves.

  • Telecom carriers in new regions. Telecom is already the most-spoofed sector here. Expect the same carrier-rewards and account-suspension lures to walk north from Latin America into US, Canadian, and European carrier brands, decoy and all.
  • Banks and wallets with regional ccTLDs. Financial services are second on the list. A cloaked page wearing a regional bank login, served only inside that bank's home country, is a natural next build.
  • Loyalty and rewards programs. Airline miles, supermarket points, and retailer reward apps are low-suspicion, high-reach lures with a built-in "claim before it expires" hook.
  • Delivery and postal brands. The failed-delivery lure is universal, and the small-fee hook pairs perfectly with the decoy. See our coverage of the USPS fake delivery text and the global toll and traffic-fine text wave.
  • Government and tax imposters. Imposter-scam reports are climbing, with government-impersonation losses among the fastest-rising categories in the FTC's May 2026 trends alert. A cloaked tax-refund page is an obvious fit.

The brand on the front of the message keeps changing. The cloaking trick behind it does not. That is exactly why a defense aimed at the structure beats one aimed at the brand.

Why browser-side and content-free checks beat email filtering here

Email and SMS filters do real work, but this campaign is built to walk straight past them. They judge the link by reaching out and fetching it, and the decoy is designed so that anything reaching out from a sandbox, a data center, or the wrong country gets the harmless timeout page. The filter sees a broken server, scores it clean, and moves on. The phishing form was never on the menu for it.

A browser-layer scanner is closer to the action, because it sits on the same device, in the same place, as the real victim, which is the one context where the page drops its disguise. But the most durable advantage is not even seeing the unmasked page. It is reading the things the page cannot hide: a tracked brand name living on a free-hosting host, a domain that matches a known campaign fingerprint, an address that has no business carrying that brand. Those signals are present the instant the link exists, whether the page shows its real face or its fake error. An email filter that depends on detonating content is exactly the tool the Error 524 decoy was built to defeat. A check that reads the address rather than the rendered page is the one that still has something to say.

How SafeBrowz blocks this threat

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.

  • Layer 1 - Local detection: 60+ URL patterns + 550+ brand-specific signatures (including Cyrillic and Punycode homograph variants) + community whitelist/blacklist, all running directly in the extension before the page renders. This is the layer that matters most against cloaking: it flags a tracked brand keyword on a non-official or free-hosting host without needing the page to cooperate, so the Error 524 decoy has nothing to hide behind.
  • Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus, ScamAdviser, plus domain-age lookup and 30+ scam TLDs. Once any one instance in a large campaign is reported, the reputation cross-reference catches siblings still serving the decoy.
  • Layer 3 - AI deep scan: content-aware brand-impersonation analysis in 100+ languages, for the cases where the page does render in the same context as the user, catching a brand-new lookalike no blocklist has seen yet.

Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.

For people who do not want to install anything, the same engine powers the free public URL checker. Paste any link from a suspicious text and get a verdict in seconds.

What to do right now

If a link from a text just showed you an error and then a form, or you are not sure, here is the whole correct response.

  1. Do not enter a card number, login, or one-time code from a texted link. Ever. The link is the entire attack surface. A real account problem can always be handled by going to the brand directly.
  2. Type the brand's address yourself. Open a new tab and type the carrier, bank, or program domain you already know, or open their official app. Do not navigate from the text, and do not search and tap the first ad. If you owe anything or an account is genuinely flagged, it will be there.
  3. Remember that a real Cloudflare error is a dead end. A genuine cloudflare.com gateway error never leads to a login or payment form. If a "524" page turns into one, it was a decoy, not an error.
  4. Forward the text to 7726 (SPAM) so your carrier can flag the sender.
  5. Report it. File with the FTC at reportfraud.ftc.gov, with the FBI's Internet Crime Complaint Center at ic3.gov, and with the impersonated brand's real fraud or abuse contact. Include the sender, the link, and a screenshot.
  6. Then delete the message.

If you already entered card details, call your bank using the number on the back of your card, freeze or lock the card in your banking app immediately, and watch your statements, since this kit exfiltrates card data in real time. If you handed over a login or personal details, change that password now and turn on two-factor authentication. Our full "I got scammed, what do I do now" walkthrough covers the first-hour playbook in detail.

Frequently asked questions

Is a Cloudflare Error 524 page a scam?

A real Cloudflare Error 524 is a genuine "connection timed out" message and is not itself a scam. The scam is when that error page is fake and acts as a decoy: it is shown to scanners and out-of-region visitors so the site looks broken, while real victims on a phone in the target country are shown a phishing login or payment form instead. The rule is simple. A real Cloudflare error is a dead end. If it turns into a login or card form, it was a costume.

Why did the link show an error on my computer but work on my phone?

That is the cloaking working as designed. The page checks whether you are on a mobile device and whether your IP is in a target country. A desktop browser, or a connection from the wrong region, is treated as not-a-victim and served the fake Error 524 page. Real phishing content is reserved for phones in the targeted countries. The mismatch is a strong sign the link is malicious.

What is cloaking in phishing?

Cloaking is showing different content to different visitors from the same URL. A phishing page detects whether the visitor looks like a real target (right device, right country, arrived from the lure) versus a scanner or researcher, and shows the harmless decoy to the latter while reserving the malicious form for the former. It is how scam pages stay off blocklists longer: the tools that would report them never see the dangerous version.

How does geofencing help the scammers?

Geofencing uses your IP address to determine your country. The phishing page only reveals itself to visitors inside the campaign's target countries and shows everyone else the Error 524 decoy. This hides the page from security teams, crawlers, and hosting abuse bots that are based elsewhere, so the domain survives longer and reaches more real victims before takedown.

Can SafeBrowz catch a page that cloaks itself?

Honestly, cloaking is hard for any tool, because the page hides its real content from anything that does not look like an in-region victim. SafeBrowz does not rely on seeing the hidden form. It leans on content-free signals that flag the destination regardless of what the page shows: a tracked brand name on a non-official or free-hosting host, a known-bad or campaign-fingerprinted domain, and reputation feeds. Those read the address and infrastructure, not the rendered page, so the Error 524 decoy has nothing to hide behind.

The page used my bank's real logo and name. Does that make it real?

No. Logos, brand names, and even a copied login layout are trivial to reproduce. The decoy and the phishing form are both just web pages a stranger built. What matters is the address it lives at. A real bank or carrier brand on a free-hosting subdomain such as brand-login.vercel.app or brand-claim.pages.dev is not that brand, no matter how perfect the logo looks. Verify only by typing the brand's own domain or opening its official app.

I entered my card on one of these pages. What now?

Act fast, because this kit steals card data in real time. Call your bank using the number on the back of your card, freeze or lock the card in your banking app, and watch your statements for unfamiliar charges. If you also entered a login, change that password and turn on two-factor authentication. Report it at reportfraud.ftc.gov and ic3.gov, and to your bank's fraud line.

How do I report one of these smishing texts?

Forward the message to 7726 (SPAM) to flag it with your carrier. File a report with the FTC at reportfraud.ftc.gov and with the FBI's Internet Crime Complaint Center at ic3.gov, including the sender, the link, and a screenshot. Report the impersonation to the real brand's fraud or abuse contact as well. Then delete the text.
