A widespread phishing campaign has been observed leveraging bogus PDF documents hosted on the Webflow content delivery network (CDN) to steal credit card information and commit financial fraud. "The attacker targets victims searching for documents on search engines, resulting in access to malicious PDF that contains a CAPTCHA image embedded with a phishing link, leading them to provide sensitive information," Netskope Threat Labs researcher Jan Michael Alcantara said. The activity, which has been ongoing since the second half of 2024, entails users looking for book titles, documents, and charts on search engines like Google to redirect users to PDF files hosted on Webflow CDN.
See: https://redskyalliance.org/xindustry/i-am-not-a-robot
These PDF files come embedded with an image that mimics a CAPTCHA challenge, causing users who click on it to be taken to a phishing page that, this time, hosts a real Cloudflare Turnstile CAPTCHA. In doing so, the attackers aim to lend the process a veneer of legitimacy, fooling victims into thinking that they had interacted with a security check while also evading detection by static scanners.
Users who complete the genuine CAPTCHA challenge are subsequently redirected to a page with a "download" button to access the supposed document. However, when the victims attempt to complete the step, they are served a pop-up message asking them to enter their personal and credit card details. "Upon entering credit card details, the attacker will send an error message to indicate that it was not accepted," Michael Alcantara said. "If the victim submits their credit card details two or three more times, they will be redirected to an HTTP 500 error page."
The development comes as SlashNext detailed a new phishing kit named Astaroth (not to be confused with a banking malware of the same name) that's advertised on Telegram and cybercrime marketplaces for $2,000 in exchange for six months of updates and bypass techniques. Like other Phishing-as-a-Service (PhaaS) offerings, cyber crooks can harvest credentials and two-factor authentication (2FA) codes via bogus login pages that mimic popular online services.
See: https://redskyalliance.org/xindustry/phishing-saas
"Astaroth utilizes an Evilginx-style reverse proxy to intercept and manipulate traffic between victims and legitimate authentication services like Gmail, Yahoo, and Microsoft," security researcher Daniel Kelley said. "Acting as a man-in-the-middle, it captures login credentials, tokens, and session cookies in real-time, effectively bypassing 2FA."
This article is shared at no charge and is for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
• Reporting: https://www.redskyalliance.org/
• Website: https://www.redskyalliance.com/
• LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
Comments