A recently observed phishing campaign is reportedly using counterfeit PDF documents hosted on the Webflow content delivery network (CDN) to capture credit card data and commit financial fraud. The operation specifically targets people searching for academic materials and other documents through search engines.

According to Netskope Threat Labs researcher Jan Michael Alcantara, the attackers steer unsuspecting users from search results directly to the malicious PDF files. Each file embeds a CAPTCHA image carrying a phishing hyperlink that prompts users to divulge sensitive details.

Since mid-2024, the activity has preyed on users searching for book titles and other documents online. Victims are redirected to PDF files containing a deceptive CAPTCHA image. Clicking the image sends them to a phishing site that presents a genuine Cloudflare Turnstile CAPTCHA; this lends the page the appearance of a legitimate security check and also keeps static scanning tools from reaching the content behind it.
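To triage documents of this kind, a defender can enumerate every link annotation a PDF carries and rank those whose click target is image-sized and points off the expected hosts. The Python below is an added example, not code from Netskope or the article; the PDF fixture and the host names in it are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed fixture, not a file from the campaign: one page, a large Link
# annotation where a CAPTCHA image would sit, and a small legitimate link.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [56 250 556 650]
  /A << /S /URI /URI (https://captcha-check.example/verify?doc=1) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10]
  /A << /S /URI /URI (https://docs.example.edu/paper.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
OBJ_RE = re.compile(rb"\bobj\b(.*?)endobj", re.S)            # one indirect object
LINK_RE = re.compile(rb"/Subtype\s*/Link")
RECT_RE = re.compile(rb"/Rect\s*\[\s*([-\d.\s]+)\]")
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)  # literal-string URI

def _unescape(lit: bytes) -> str:
    # Undo PDF literal-string escapes such as \( \) \\ (octal escapes left as-is).
    return re.sub(rb"\\(.)", lambda m: m.group(1), lit).decode("latin-1")

def extract_links(pdf: bytes):
    """Return (uri, rect) for each /Link annotation with a URI action (uncompressed objects only)."""
    links = []
    for m in OBJ_RE.finditer(pdf):
        body = m.group(1)
        uri = URI_RE.search(body)
        if not (LINK_RE.search(body) and uri):
            continue
        r = RECT_RE.search(body)
        rect = tuple(float(x) for x in r.group(1).split()) if r else None
        links.append((_unescape(uri.group(1)), rect))
    return links

def triage(pdf: bytes, trusted_hosts=frozenset(), page_area=612.0 * 792.0):
    """Flag link targets off the trusted hosts; an image-sized click target (as in the fake-CAPTCHA lure) ranks high."""
    findings = []
    for uri, rect in extract_links(pdf):
        host = (urlparse(uri).hostname or "").lower()
        if host in trusted_hosts:
            continue
        frac = 0.0
        if rect and len(rect) == 4:
            frac = abs(rect[2] - rect[0]) * abs(rect[3] - rect[1]) / page_area
        findings.append({"uri": uri, "host": host, "area_fraction": round(frac, 3),
                         "severity": "high" if frac > 0.2 else "medium"})
    return findings
```

Real-world files usually keep annotations inside compressed object streams, so inflate them (or use a PDF library) before running the scan.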

After the victim completes the genuine CAPTCHA, the site displays what appears to be a download link for the requested document. Clicking it instead opens a pop-up that requests personal and credit card information, exposing the victim to fraud.

As Alcantara notes, the scammers respond to input errors with messaging designed to keep users from giving up on entering their credit card details; after several failed attempts, the user is commonly redirected to an HTTP 500 error page. The tactic keeps victims engaged while the attackers capture their payment card data.

In a related development, SlashNext has reported on a distinct phishing framework called Astaroth, marketed on Telegram and other dark web platforms for $2,000 with six months of updates and evasion techniques promised. This phishing kit, not to be confused with the banking malware of the same name, is part of a growing trend of phishing-as-a-service (PhaaS) offerings that let cybercriminals harvest login credentials, including two-factor authentication (2FA) codes.

Notably, Astaroth employs an Evilginx-style reverse proxy, allowing adversaries to intercept and manipulate traffic between victims and legitimate platforms such as Gmail and Microsoft. This man-in-the-middle approach captures login data, session cookies, and tokens in real time, bypassing even sophisticated 2FA protections.
