what does cloudflare about scammers?

i send a report and the responsemail said that cloudflare will not inform me about their further work on my report. i want to get the url of his endpoint so i can sue him, or tell the police in his country. why does cloudflare not have some status-page so i can see what they have done about it. how is it even possible for the police to contact cloudflare directly to get his credentials? i think this is somehow not cool because i also had to find out how to bypass console-ban to get the url that axios was uses in his script
20 Replies
ji-podhead
ji-podheadOP10mo ago
https://community.cloudflare.com/t/i-found-a-hacker-scammer-and-they-use-cloudflare/385231 this guy asked in the forum directly and they just send him the same response i received via email. but he got his identity stolen
Chaika
Chaika10mo ago
The Trust and Safety Team isn't in this discord. I think Micheal's response in that post about covers everything. CF also isn't going to give you their real origin IP/endpoint for obvious security reasons
ji-podhead
ji-podheadOP10mo ago
ok but lets assume my identity was stolen as well, what will cloudflare do against it? will they inform the provider of his website?
Chaika
Chaika10mo ago
Keeping in mind that we're just community members and not employees, that would be a legal matter imo. You'd probably want to file a police report/whatever actions you have in your country with as much info as possible. Cloudflare wise, depending on what category you report it under you have the option to forward it to their host as well as Cloudflare
ji-podhead
ji-podheadOP10mo ago
so then cloudflare is the perfect tool for scammers. nice also: since 5 hours this phishing site is still not taken down, so i guess they dont do anything at all i think i wont use cloudflare at all. this really sucks i dont want to support a company that is helkping scammers
Chaika
Chaika10mo ago
5 hours is really small, T&S can take multiple business days I don't know if there's an average, but in my experience even for simple reports it's taken 2 business days or so before action/block. It would probably be more for more complex cases if the scam isn't obvious/depends on details. It's no simple thing/small action to determine if a website should be shut down/blocked from Cloudflare
ji-podhead
ji-podheadOP10mo ago
how small is the staff? is it like 1 person who is taking care about?
Chaika
Chaika10mo ago
There's definitely more then one person. CF is big, lots of reports, and I imagine a lot of false ones, and again it's no small action to take down a site.
ji-podhead
ji-podheadOP10mo ago
its clearly a site that was scraped and rebuild. you can tell directly by it url and i also provided the code snippets and the part of the network analysis
Chaika
Chaika10mo ago
Well if it's very obvious/you have documented it well, hopefully it is a simple case for them. for the few reports I have done against obvious scamming websites I did receive an email about T&S taking action, but again it depends. For one I didn't get anything but it did get restricted, maybe something like it was reported enough by various people they didn't email all of them/some other action, not sure exactly. Trust and Safety is completely separate from customer service and such, probably for safety reasons.
ji-podhead
ji-podheadOP10mo ago
i have not set the ticks in the abuse report, but will theys send my name to the scammer??
Chaika
Chaika10mo ago
If you did phising and malware it's unchecked by default/wouldn't do so unless you ticked it
ji-podhead
ji-podheadOP10mo ago
@Chaika hmmm but i think i can get his endpoint myself somehow. by using dns tracing. cloudflare stops all request that dont have the browser headers right? but i could use that url to runy my own app in the browser i guess. also the original domain is not the same as the one i see in the browser maybe this domain can help to trace the scammer? oh nits just a shortlink
Chaika
Chaika10mo ago
Unless they configure it as so, CF won't stop automated requests/try to block non-browsers You won't be able to find their real origin unless they misconfigured it
ji-podhead
ji-podheadOP10mo ago
but i can try to find him via his ssh certificate
ji-podhead
ji-podheadOP10mo ago
SANS Cyber Defense
YouTube
Finding Fraudsters Who Hide Behind Cloudflare
Fraudsters and other threat actors use services like Cloudflare to hide their web infrastructure and make it hard for OSINT investigators to identify the IP addresses and services that they use. This talk walks through several different OSINT techniques for identifying IP addresses and hosting arrangements hidden behind Cloudflare and how to ve...
ji-podhead
ji-podheadOP10mo ago
https://lwthiker.com/reversing/2022/02/17/curl-impersonate-firefox.html i can also impersonate firefox using curl like this. but i think i start with his ssh fingerprint
lwt hiker
Making curl impersonate Firefox
Update: The second part about impersonating Chrome is up.
ji-podhead
ji-podheadOP10mo ago
so then axios he uses on his server demands certain cors headers right? this is the cf domain he uses: clients-ses401.de does this mean his server is hosted in germany?
Chaika
Chaika10mo ago
That's not something we can help with here. Domain extension has nothing to do where a domain is hosted. All I can say is if you configure your origin right, it would be completely impossible for someone to find it behind Cloudflare, otherwise a lot of Enterprise customers would have issues. This isn't really the place to ask about circumventing Cloudflare. Let T&S do their job.
ji-podhead
ji-podheadOP10mo ago
im a computer scientist myself and if someone tries to scamm me, i wont let that happen. if hes located in germany i will sue him. i think dont cloudflare will do anything at all But why didn't he delete the website after I told him he was a scammer? because he doesn't want his CF account to be corrupted because CF assumes that if someone opens and closes a lot of domains it is fraudulent? i dont think hes creating new certs for every scamwebsite he makes, so at least i could send a bunch of absuse reports to cf to annoy them ^^ and with that in hand i can file a report to the police so they have to respond if they have servers here in germany they have to maybe it takes moonbrowser to scam the t&s like crazy to do their job. but this requires to change my ip every time right? hmm maybe ill do that i think i should write an article on reddit on how to spam the T&S team like crazy. this certificate was created with cert manager using kubernetes, so he either has its own cluster running or he uses a provider. i also write letsencrypt on how to deal with scammers
Want results from more Discord servers?
Add your server