Cyber Security News

New Phishing Attacks Abuses Webflow CDN & CAPTCHAs to Steal Credit Card details

Netskope Threat Labs has uncovered a sophisticated phishing campaign targeting users across various industries, including technology, manufacturing, and banking.

This campaign, active since mid-2024, exploits search engine optimization (SEO) techniques to lure victims into downloading malicious PDFs hosted on the Webflow Content Delivery Network (CDN).

These PDFs are embedded with fake CAPTCHA images that redirect users to phishing websites designed to steal sensitive information such as credit card details, email addresses, and names.

Attack Mechanism

The attackers leverage search engines to target victims searching for documents, charts, or book titles.

Malicious PDF files containing multiple search keywords appear in the results, increasing the likelihood of user interaction.

PDF containing search search engine keywords

Once opened, these PDFs display a fake CAPTCHA image embedded with a phishing link.

When users click on the CAPTCHA button, they are redirected to a legitimate Cloudflare Turnstile CAPTCHA.

This deceptive step creates an illusion of authenticity and further convinces victims that the process is secure.

After completing the Cloudflare CAPTCHA, victims are redirected to a forum offering a file named after their original search query.

To download this file, victims are required to sign up by providing personal information such as their email address and full name.

Subsequently, they are asked to enter their credit card details under the pretense of completing the process.

Even after multiple submissions of credit card details, an error message appears, followed by a redirection to an HTTP 500 error page.

Key Findings

This campaign is notable for its innovative use of legitimate services like Webflow CDN and Cloudflare CAPTCHA to mask malicious intent.

By embedding phishing links within fake CAPTCHAs and redirecting users through real security checks, attackers effectively bypass static scanners and other detection mechanisms.

The top targeted regions include North America, Asia, and Southern Europe.

The phishing scheme highlights the growing sophistication of cybercriminals in exploiting trusted platforms for malicious purposes.

Organizations are advised to educate their employees about such tactics and implement robust security solutions to detect and mitigate these threats.

Netskope’s Response

Netskope Advanced Threat Protection has identified several indicators of compromise (IOCs) associated with this campaign and offers proactive coverage against these threats.

The company has reported the malicious URLs to Webflow for takedown as part of its ongoing efforts to combat cybercrime.

Netskope Threat Labs continues to monitor this campaign closely and urges organizations to remain vigilant against similar attacks that exploit legitimate platforms for phishing activities.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Hackers Rapidly Adopt ClickFix Technique for Sophisticated Attacks

In recent months, a sophisticated social engineering technique known as ClickFix has gained significant traction…

5 hours ago

Supply Chain Attack Targets 23,000 GitHub Repositories

A critical security incident has been uncovered involving the popular GitHub Action tj-actions/changed-files, which is…

5 hours ago

Beware! Malware Hidden in Free Word-to-PDF Converters

The FBI has issued a warning about a growing threat involving free file conversion tools,…

5 hours ago

MassJacker Clipper Malware Targets Users Installing Pirated Software

A recent investigation has uncovered previously unknown cryptojacking malware, dubbed MassJacker, which primarily targets users…

5 hours ago

SocGholish Exploits Compromised Websites to Deliver RansomHub Ransomware

SocGholish, a sophisticated malware-as-a-service (MaaS) framework, has been identified as a key enabler in the…

5 hours ago

New Steganographic Malware Hides in JPG Files to Deploy Multiple Password Stealers

A recent cybersecurity threat has emerged in the form of a steganographic campaign that uses…

5 hours ago