A widespread phishing campaign is targeting Netskope customers, siphoning credit card and personal information through malicious PDFs hosted on Webflow’s CDN. Attackers use search engine optimization to lure victims into downloading these PDFs, which contain fake CAPTCHA images that redirect users to phishing sites.
Affected: Netskope customers, users of search engines, Technology, Manufacturing, Banking sectors
Key points:
- Ongoing phishing campaign since the second half of 2024.
- Targets victims searching for documents on search engines.
- Malicious PDFs hosted on Webflow CDN contain CAPTCHA images with phishing links.
- Attackers utilize SEO to ensure PDFs appear in relevant search results.
- Victims are misled into believing the credit card information they entered was not accepted, leading to multiple attempts.
- Attackers employ Cloudflare Turnstile CAPTCHA to hinder detection by static scanners.
- Netskope Threat Labs is actively monitoring this phishing threat.
MITRE Techniques:
- Phishing (T1566): Attackers use malicious PDFs with embedded phishing links disguised as CAPTCHA images to steal user credentials.
- Credential Dumping (T1003): Victims are tricked into providing their credit card information and personal data through deceptive sign-up prompts.
- Search Engine Optimization (T0350): Phishing PDFs are optimized to appear in search results when users look for documents or other targeted keywords.
Indicators of Compromise:
- [URL] assets.website-files[.]com
- [IoC Type] Phishing PDF associated with malicious links
- [IoC Type] fake CAPTCHA images embedded in PDFs
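A hunting sketch for the delivery pattern described above (a PDF fetched from the listed Webflow CDN host after a search-engine click). This is an added example, not code from Netskope; the log columns, the search-engine list and the sample rows are assumptions constructed for illustration. Because the host is a shared CDN, hits are leads for review rather than verdicts.

```python
import csv
import io
from urllib.parse import urlsplit

# Host from the page's indicator list (defanged there as assets.website-files[.]com).
WEBFLOW_CDN_HOST = "assets.website-files.com"
# Assumption: referrer domains treated as search engines; extend for your environment.
SEARCH_ENGINE_SUFFIXES = ("google.com", "bing.com", "duckduckgo.com", "yahoo.com")

# Constructed sample proxy log (assumed columns: time,user,referer,url). Not real traffic.
SAMPLE_LOG = """time,user,referer,url
2025-01-10T09:01:02Z,alice,https://www.google.com/,https://assets.website-files.com/aaaa/bbbb_manual.pdf
2025-01-10T09:03:40Z,bob,https://intranet.example/wiki,https://assets.website-files.com/cccc/logo.png
2025-01-10T09:05:11Z,carol,https://www.bing.com/search?q=form,https://assets.website-files.com/dddd/eeee_form.PDF?x=1
2025-01-10T09:07:30Z,dave,https://www.google.com/,https://docs.example.org/guide.pdf
2025-01-10T09:09:00Z,erin,-,https://assets.website-files.com/ffff/report.pdf
"""

def _host_matches(host, suffixes):
    # Exact domain or a true subdomain; "notgoogle.com" must not match "google.com".
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def classify(referer, url):
    """Return 'high', 'low' or None for one proxied request."""
    target = urlsplit(url)
    if (target.hostname or "").lower() != WEBFLOW_CDN_HOST:
        return None
    # Check the path only, so query strings and letter case do not hide a PDF.
    if not target.path.lower().endswith(".pdf"):
        return None
    ref_host = urlsplit(referer).hostname if "://" in referer else None
    # Search-engine referrer matches the SEO lure; a missing referrer stays a weaker lead.
    return "high" if _host_matches(ref_host, SEARCH_ENGINE_SUFFIXES) else "low"

def hunt(log_text):
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        level = classify(row["referer"], row["url"])
        if level:
            hits.append((row["user"], level, row["url"]))
    return hits

if __name__ == "__main__":
    for user, level, url in hunt(SAMPLE_LOG):
        print(f"{level:4} {user:6} {url}")
```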
Full Story: https://www.netskope.com/blog/new-phishing-campaign-abuses-webflow-seo-and-fake-captchas