
February 13, 2025 | Ravie Lakshmanan | Web Security / Cloud Security

A large-scale phishing campaign has been detected, utilizing fake PDF documents hosted on the Webflow content delivery network (CDN) to steal credit card information and commit financial fraud.

“The attackers target individuals searching for documents on search engines, leading them to access malicious PDFs containing a CAPTCHA image embedded with a phishing link, prompting them to provide sensitive information,” according to Netskope Threat Labs researcher Jan Michael Alcantara.

This ongoing activity, which started in the second half of 2024, targets users who search for book titles, documents, and charts on search engines like Google and are redirected to PDF files hosted on Webflow CDN.

These PDF files contain an image that mimics a CAPTCHA challenge, and when clicked, users are taken to a phishing page hosting a genuine Cloudflare Turnstile CAPTCHA, aiming to legitimize the process and evade detection by static scanners.

After completing the CAPTCHA challenge, users are redirected to a page with a “download” button to access the supposed document. However, when attempting to complete the step, they are prompted to enter their personal and credit card details via a pop-up message.

“Upon entering credit card details, the attacker sends an error message indicating that it was not accepted,” Michael Alcantara explained. “If the victim submits their credit card details two or three more times, they will be redirected to an HTTP 500 error page.”
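The lure described above rests on a simple PDF construct: a page that draws an image (the fake CAPTCHA) and places a Link annotation with a URI action on top of it, so a click leaves the document for the phishing page. A defender triaging such files can surface that pattern without rendering anything. The script below is an added example written for this article, not Netskope's tooling or code from the campaign; the sample PDF, the placeholder phishing host `captcha-check.example`, and the allowlist of trusted hosts are all constructed for illustration.

```python
"""Triage helper: list clickable external links in a PDF and flag the
image-plus-link lure pattern.

Added example, not the article's or Netskope's code.  It scans the raw
PDF bytes with regular expressions, which is enough for lures built from
plain, uncompressed objects.  PDFs that pack annotations into compressed
object streams (/ObjStm) or that are encrypted must be decompressed or
decrypted by a real parser first; the regexes also ignore escaped
parentheses inside URI strings.
"""
import re
from urllib.parse import urlparse

# "N G obj ... endobj" blocks; re.S because dictionaries span lines.
OBJECT_RE = re.compile(rb"\d+\s+\d+\s+obj(.*?)endobj", re.S)
LINK_RE = re.compile(rb"/Subtype\s*/Link")
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
IMAGE_RE = re.compile(rb"/Subtype\s*/Image")


def extract_link_uris(pdf_bytes: bytes) -> list[str]:
    """Return the URI targets of every Link annotation in the file."""
    uris = []
    for obj in OBJECT_RE.finditer(pdf_bytes):
        body = obj.group(1)
        if LINK_RE.search(body) is None:
            continue
        for m in URI_RE.finditer(body):
            uris.append(m.group(1).decode("latin-1"))
    return uris


def has_image(pdf_bytes: bytes) -> bool:
    """True if the file carries at least one image XObject."""
    return IMAGE_RE.search(pdf_bytes) is not None


def triage(pdf_bytes: bytes, trusted_hosts: set[str]) -> dict:
    """Summarise link targets and flag 'image plus external link' files.

    trusted_hosts is an assumption supplied by the caller: hosts a
    legitimate document from this source is expected to link to.
    """
    uris = extract_link_uris(pdf_bytes)
    hosts = [urlparse(u).hostname for u in uris]
    external = sorted({h for h in hosts if h and h not in trusted_hosts})
    image_present = has_image(pdf_bytes)
    return {
        "link_uris": uris,
        "external": external,
        "has_image": image_present,
        # The lure shape from the article: an image to click and a link
        # that leaves the document for a host we do not trust.
        "image_link_lure": bool(external) and image_present,
    }


def build_sample_pdf(link_uri: str) -> bytes:
    """Construct a one-page PDF with a 1x1 image and a Link annotation
    over it.  Purely synthetic (no xref table; the scanner does not need
    one), standing in for a lure document."""
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]\n"
        b"   /Resources << /XObject << /Im1 5 0 R >> >> /Annots [4 0 R] >> endobj\n"
        b"4 0 obj << /Type /Annot /Subtype /Link /Rect [200 350 412 442]\n"
        b"   /Border [0 0 0] /A << /S /URI /URI (" + link_uri.encode() + b") >> >> endobj\n"
        b"5 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1\n"
        b"   /ColorSpace /DeviceGray /BitsPerComponent 8 /Length 1 >>\n"
        b"stream\n\x80\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    # Constructed sample: placeholder phishing host, not a real indicator.
    lure = build_sample_pdf("https://captcha-check.example/verify")
    print(triage(lure, trusted_hosts={"docs.example.org"}))
```

Run against real files with `triage(open(path, "rb").read(), trusted)`; a document whose only clickable element is an image leading off the hosting domain is worth a closer look, while a PDF with no Link annotations at all cannot implement this lure.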

This development comes as SlashNext detailed a new phishing kit named Astaroth, advertised on Telegram and cybercrime marketplaces for $2,000, including six months of updates and bypass techniques.

Similar to other phishing-as-a-service (PhaaS) offerings, Astaroth allows cyber crooks to harvest credentials and two-factor authentication (2FA) codes via fake login pages mimicking popular online services.

“Astaroth uses an Evilginx-style reverse proxy to intercept and manipulate traffic between victims and legitimate authentication services like Gmail, Yahoo, and Microsoft,” security researcher Daniel Kelley explained. “Acting as a man-in-the-middle, it captures login credentials, tokens, and session cookies in real-time, effectively bypassing 2FA.”
