A widespread phishing campaign has been uncovered, leveraging fake PDF documents hosted on the Webflow content delivery network (CDN) to steal credit card details and commit financial fraud. The sophisticated operation, active since mid-2024, deceives victims searching for documents online by redirecting them to malicious PDFs embedded with phishing links.
How the Attack Works
According to Netskope Threat Labs researcher Jan Michael Alcantara, the attackers exploit search engine results to lure victims into accessing harmful PDF files. These PDFs contain an image mimicking a CAPTCHA challenge, tricking users into clicking on it. This click leads them to a phishing page that, unlike typical fake login pages, features a real Cloudflare Turnstile CAPTCHA to add legitimacy and evade detection by automated security scans.
Once the CAPTCHA is completed, users are taken to a webpage with a “download” button, supposedly granting access to the desired document. However, instead of delivering the file, the attackers prompt users to enter their personal and credit card details. To further manipulate victims, the phishing page generates an error message if card details are entered, encouraging them to try again. If the victim submits the information multiple times, they are redirected to an HTTP 500 error page, preventing further interaction while the attackers extract the stolen data.
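The chain described above (a PDF fetched from the Webflow CDN, then a page that loads a real Cloudflare Turnstile widget) can be hunted for in web proxy logs. The following is an added example, not code from Netskope or the original article; the log format, sample lines, five-minute window and the listed hostnames are assumptions to confirm against your own traffic.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumed hostnames (not from the article): common Webflow asset hosts and
# the host that serves the Cloudflare Turnstile widget.
WEBFLOW_CDN_HOSTS = {"assets.website-files.com", "cdn.prod.website-files.com", "uploads-ssl.webflow.com"}
TURNSTILE_HOST = "challenges.cloudflare.com"
WINDOW = timedelta(minutes=5)  # assumed correlation window

# Constructed sample proxy log: timestamp, client, URL, referer ("-" if none).
SAMPLE_LOG = """\
2025-01-10T09:00:01 10.0.0.5 https://assets.website-files.com/abc/manual.pdf -
2025-01-10T09:00:40 10.0.0.5 https://docs-viewer.example/view -
2025-01-10T09:00:41 10.0.0.5 https://challenges.cloudflare.com/turnstile/v0/api.js https://docs-viewer.example/view
2025-01-10T09:05:00 10.0.0.9 https://challenges.cloudflare.com/turnstile/v0/api.js https://shop.example/login
2025-01-10T10:00:00 10.0.0.7 https://assets.website-files.com/abc/guide.pdf -
2025-01-10T11:30:00 10.0.0.7 https://challenges.cloudflare.com/turnstile/v0/api.js https://forum.example/post
"""

def parse(line):
    ts, client, url, referer = line.split()
    return datetime.fromisoformat(ts), client, urlparse(url), referer

def find_pdf_to_turnstile(log_text, window=WINDOW):
    """Return (client, pdf_url, referring_host) for each Turnstile load that
    follows a Webflow-hosted PDF download by the same client within `window`."""
    last_pdf = {}  # client -> (time, url) of the most recent Webflow-hosted PDF
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, url, referer = parse(line)
        host = (url.hostname or "").lower()
        if host in WEBFLOW_CDN_HOSTS and url.path.lower().endswith(".pdf"):
            last_pdf[client] = (ts, url.geturl())
        elif host == TURNSTILE_HOST and url.path.startswith("/turnstile/"):
            seen = last_pdf.get(client)
            if seen and timedelta(0) <= ts - seen[0] <= window:
                # The referer names the site that embedded the CAPTCHA.
                ref_host = urlparse(referer).hostname or "unknown"
                hits.append((client, seen[1], ref_host))
    return hits

if __name__ == "__main__":
    for hit in find_pdf_to_turnstile(SAMPLE_LOG):
        print("review:", hit)
```

A match is a lead for analyst review rather than a verdict, since Turnstile is widely used on legitimate sites; the referring host is the value to check against reputation data.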
The Role of Phishing-as-a-Service (PhaaS)

The discovery of this campaign coincides with the emergence of a sophisticated phishing kit named Astaroth, which is sold on Telegram and cybercrime marketplaces for $2,000. Unlike basic phishing scams, Astaroth operates as a phishing-as-a-service (PhaaS) tool, providing cybercriminals with continuous updates and advanced bypass techniques for six months.
Astaroth employs an Evilginx-style reverse proxy, a method that intercepts and manipulates traffic between victims and legitimate authentication services, such as Gmail, Yahoo, and Microsoft. By acting as a middleman, the tool captures login credentials, authentication tokens, and session cookies in real time, enabling attackers to bypass even two-factor authentication (2FA) security measures.

Rising Threat of Sophisticated Phishing Tactics
The increasing use of legitimate infrastructure, such as Webflow CDN and Cloudflare Turnstile CAPTCHA, underscores a shift in phishing tactics. Attackers are no longer solely relying on fake login pages but are integrating real security mechanisms to enhance credibility and avoid detection.
This method is particularly dangerous because traditional email security filters and antivirus programs often struggle to identify such attacks, given the use of trusted third-party services. With phishing kits like Astaroth now available for sale, even low-level cybercriminals can execute high-impact scams without advanced technical knowledge.
How to Stay Safe
Cybersecurity experts urge users to be cautious when accessing documents from unverified sources. Some preventive measures include:
- Verifying sources before downloading PDFs or clicking on links.
- Avoiding entering sensitive details unless the website’s authenticity is confirmed.
- Using multi-layered security like hardware-based 2FA instead of SMS-based authentication.
- Reporting suspicious activity to cybersecurity firms or local authorities.
As phishing attacks become more sophisticated, awareness and vigilance are crucial to staying protected in an increasingly deceptive digital landscape.