A large-scale phishing campaign has been detected using fake PDF documents hosted on the Webflow content delivery network (CDN) to steal credit card information and commit financial fraud.
'The attacker targets victims searching for documents on search engines, leading them to a malicious PDF containing a CAPTCHA image embedded with a phishing link, tricking them into providing sensitive information,' said Netskope Threat Labs researcher Jan Michael Alcantara.
Active since the second half of 2024, the campaign targets users searching for book titles, documents, and charts on search engines such as Google, steering them to malicious PDF files hosted on the Webflow CDN.
These PDFs contain an embedded image designed to resemble a CAPTCHA challenge. When users click on it, they are taken to a phishing page featuring a real Cloudflare Turnstile CAPTCHA, adding a layer of legitimacy to deceive both victims and security scanners.
Once users complete the CAPTCHA, they are redirected to a page with a 'download' button for the supposed document. However, clicking it triggers a pop-up requesting personal and credit card details, ultimately exposing victims to fraud.
After victims enter their credit card details, attackers display an error message claiming the transaction was not accepted, Alcantara said. 'If the victim retries two or three more times, they are redirected to an HTTP 500 error page.'
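The lure described above has a recognisable shape on disk: a one-page PDF with essentially no text, whose only interactive element is a /Link annotation carrying a /URI action that leaves the hosting domain. The following triage script, added here as an example and not code from Netskope, Webflow or the article, pulls those URI actions out of a PDF (inflating FlateDecode streams first, since most writers store annotation objects compressed) and flags documents that match the pattern. The sample PDFs, the hostname captcha-verify.example and the thresholds in triage_pdf are constructed for illustration and are not indicators from the report.

```python
"""Triage PDFs for the 'image-only document with an off-site link' lure pattern.
Added example; not code from the article or the vendors named in it. Standard library only."""
import re
import zlib
from urllib.parse import urlparse

URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")   # /URI (literal string)
HEX_URI_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")   # /URI <hex string>
LINK_RE = re.compile(rb"/Subtype\s*/Link")
PAGES_RE = re.compile(rb"/Type\s*/Pages\b[^>]*?/Count\s+(\d+)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
TEXT_OP_RE = re.compile(rb"\bT[jJ]\b")                   # PDF text-showing operators


def build_sample_pdf(uri: str, compress: bool = False) -> bytes:
    """Constructed one-page PDF (hypothetical, for the example): no text, a single
    image-sized Link annotation whose URI action points at `uri`.  With compress=True
    the annotation dict is stored inside a FlateDecode stream, as real writers do."""
    annot = b"<< /Type /Annot /Subtype /Link /Rect [100 300 500 500] " \
            b"/A << /S /URI /URI (%s) >> >>" % uri.encode()
    if compress:
        body = zlib.compress(annot)
        obj4 = b"4 0 obj << /Type /ObjStm /Filter /FlateDecode /Length %d >>\n" \
               b"stream\n%s\nendstream\nendobj" % (len(body), body)
    else:
        obj4 = b"4 0 obj " + annot + b" endobj"
    return b"\n".join([
        b"%PDF-1.4",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj",
        obj4,
        b"trailer << /Root 1 0 R >>",
        b"%%EOF",
    ])


def _expand(pdf: bytes) -> bytes:
    """Replace every stream body with its inflated form so that objects hidden in
    compressed streams become visible to the regexes; non-Flate data (images) is dropped."""
    def inflate(m: re.Match) -> bytes:
        try:
            return b"stream\n" + zlib.decompress(m.group(1)) + b"\nendstream"
        except zlib.error:
            return b"stream\nendstream"
    return STREAM_RE.sub(inflate, pdf)


def _unescape(raw: bytes) -> str:
    # Only the PDF literal-string escapes that can occur in a URL: \( \) \\
    return re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1", "replace")


def _uris_in(data: bytes) -> list[str]:
    uris = [_unescape(m.group(1)) for m in URI_RE.finditer(data)]
    uris += [bytes.fromhex(m.group(1).decode("ascii")).decode("latin-1", "replace")
             for m in HEX_URI_RE.finditer(data)]
    return uris


def extract_link_uris(pdf: bytes) -> list[str]:
    """All /URI action targets in the document, including those in Flate streams."""
    return _uris_in(_expand(pdf))


def triage_pdf(pdf: bytes, trusted_hosts: frozenset[str] = frozenset()) -> dict:
    """Score one PDF: off-site links + almost no pages + no text operators = lure-like.
    Thresholds are illustrative; tune them against your own document corpus."""
    data = _expand(pdf)
    offsite = sorted({u for u in _uris_in(data)
                      if (urlparse(u).hostname or "") not in trusted_hosts})
    m = PAGES_RE.search(data)
    pages = int(m.group(1)) if m else 0
    text_ops = len(TEXT_OP_RE.findall(data))
    verdict = "lure-like" if offsite and pages <= 2 and text_ops == 0 else "benign-looking"
    return {"pages": pages, "text_ops": text_ops, "links": len(LINK_RE.findall(data)),
            "offsite_uris": offsite, "verdict": verdict}


if __name__ == "__main__":
    lure = build_sample_pdf("https://captcha-verify.example/step1", compress=True)
    print(triage_pdf(lure, trusted_hosts=frozenset({"webflow.io"})))
```

The regex approach deliberately avoids a PDF library so it runs anywhere, but it only sees FlateDecode streams; documents using other filters, encryption or incremental updates need a real parser (pypdf or similar) before the same heuristics are applied. Treat the verdict as a triage signal to be paired with the hosting-domain and Turnstile redirect chain described above, not as a standalone block rule.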
This discovery coincides with SlashNext's report on a new phishing kit called Astaroth (not to be confused with the banking malware of the same name). Sold on Telegram and cybercrime marketplaces for $2,000, Astaroth offers six months of updates and advanced bypass techniques.
Like other phishing-as-a-service (PhaaS) platforms, Astaroth enables cybercriminals to steal credentials and two-factor authentication (2FA) codes through fake login pages designed to mimic popular online services.
'Astaroth employs an Evilginx-style reverse proxy to intercept and manipulate traffic between victims and legitimate authentication services such as Gmail, Yahoo, and Microsoft,' explained security researcher Daniel Kelley. 'By acting as a man-in-the-middle, it captures login credentials, tokens, and session cookies in real time, effectively bypassing 2FA.'
Reference: https://thehackernews.com/2025/02/hackers-use-captcha-trick-on-webflow.html?&web_view=true