Netskope Threat Labs has uncovered a sophisticated phishing campaign targeting users across various industries, including technology, manufacturing, and banking.
This campaign, active since mid-2024, exploits search engine optimization (SEO) techniques to lure victims into downloading malicious PDFs hosted on the Webflow Content Delivery Network (CDN).
These PDFs are embedded with fake CAPTCHA images that redirect users to phishing websites designed to steal sensitive information such as credit card details, email addresses, and names.
Attack Mechanism
The attackers leverage search engines to target victims searching for documents, charts, or book titles.
Malicious PDF files containing multiple search keywords appear in the results, increasing the likelihood of user interaction.
Once opened, these PDFs display a fake CAPTCHA image embedded with a phishing link.
When users click on the CAPTCHA button, they are redirected to a legitimate Cloudflare Turnstile CAPTCHA.
This deceptive step creates an illusion of authenticity and further convinces victims that the process is secure.
After completing the Cloudflare CAPTCHA, victims are redirected to a forum offering a file named after their original search query.
To download this file, victims are required to sign up by providing personal information such as their email address and full name.
Subsequently, they are asked to enter their credit card details under the pretense of completing the process.
Even after multiple submissions of credit card details, an error message appears, followed by a redirection to an HTTP 500 error page.
Key Findings
This campaign is notable for its innovative use of legitimate services like Webflow CDN and Cloudflare CAPTCHA to mask malicious intent.
By embedding phishing links within fake CAPTCHAs and redirecting users through real security checks, attackers effectively bypass static scanners and other detection mechanisms.
The top targeted regions include North America, Asia, and Southern Europe.
The phishing scheme highlights the growing sophistication of cybercriminals in exploiting trusted platforms for malicious purposes.
Organizations are advised to educate their employees about such tactics and implement robust security solutions to detect and mitigate these threats.
Netskope’s Response
Netskope Advanced Threat Protection has identified several indicators of compromise (IOCs) associated with this campaign and offers proactive coverage against these threats.
The company has reported the malicious URLs to Webflow for takedown as part of its ongoing efforts to combat cybercrime.
Netskope Threat Labs continues to monitor this campaign closely and urges organizations to remain vigilant against similar attacks that exploit legitimate platforms for phishing activities.
Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free
