New Phishing Trend: Generic Pages Impersonate Any Brand

Summary: A new phishing trend has emerged in which generic phishing pages dynamically impersonate brands like Google and Microsoft by generating a fake login screen tailored to the victim’s email domain. These pages misuse platforms like Cloudflare’s Workers.dev and Thum.io to create convincing imitations, ultimately leading to credential theft. Credentials entered on the page are sent to a remote endpoint, and the scripts use obfuscated JavaScript to evade detection.

Affected: Businesses and individuals, especially users of platforms like Google and Microsoft

Key points:

  • Phishing pages can impersonate any brand dynamically based on the victim’s email domain.
  • Attackers generate fake login screens using Thum.io to take screenshots of legitimate brand websites.
  • Credential information is exfiltrated to a remote endpoint controlled by the attackers.
  • The phishing scripts are hosted on a variety of platforms, including Cloudflare’s R2 and the Web3 blockchain.
  • Obfuscated JavaScript is used to evade detection, but it’s relatively easy to deobfuscate.
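
A triage heuristic for the combination of traits listed above, as an added example that is not from the original article: it reports which of three signals (a Thum.io reference, a Cloudflare Workers or R2 hostname, a password field) appear in saved page source. The `workers.dev` and `r2.dev` suffixes, the signal names, and both sample pages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Services named in the summary. The hostname suffixes are assumptions:
# "workers.dev" for Cloudflare Workers, "r2.dev" for public R2 buckets.
SCREENSHOT_HOSTS = ("thum.io",)
HOSTING_SUFFIXES = ("workers.dev", "r2.dev")

URL_RE = re.compile(r"""https?://[^\s"'<>)\\]+""", re.I)
PASSWORD_RE = re.compile(r"""<input\b[^>]*\btype\s*=\s*["']?password\b""", re.I)

# Constructed, non-functional page fragments (placeholder hostnames).
SAMPLE_SUSPICIOUS = (
    '<img src="https://image.thum.io/get/https://example.com/">'
    '<input type="password" name="pw">'
    '<script src="https://kit-placeholder.workers.dev/app.js"></script>'
)
SAMPLE_BENIGN = '<a href="https://thum.io.example.net/">x</a><input type="password">'

def host_matches(host, suffixes):
    """True if host equals a suffix or is a subdomain of it (dot-boundary match)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def extract_hosts(source):
    """Return the hostnames of every absolute URL found in the page source."""
    hosts = set()
    for url in URL_RE.findall(source):
        try:
            host = urlsplit(url).hostname
        except ValueError:  # malformed URL such as an unclosed IPv6 bracket
            continue
        if host:
            hosts.add(host)
    return hosts

def triage(source):
    """Return the signals present; all three together warrant analyst review."""
    hosts = extract_hosts(source)
    checks = [
        ("screenshot-service", any(host_matches(h, SCREENSHOT_HOSTS) for h in hosts)),
        ("free-hosting-endpoint", any(host_matches(h, HOSTING_SUFFIXES) for h in hosts)),
        ("password-field", bool(PASSWORD_RE.search(source))),
    ]
    return [name for name, hit in checks if hit]
```

Each signal is common on legitimate sites on its own, so treat the result as a prioritisation aid rather than a verdict.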

Source: https://securityonline.info/new-phishing-trend-generic-pages-impersonate-any-brand/