A wide range of phishing campaigns have been observed that leverage fake PDF documents hosted on WebFlow Content Delivery Network (CDN) with the aim of stealing credit card information and committing financial fraud.
“Attackers will target victims searching search engine documents, provide access to malicious PDFs containing Captcha images with embedded phishing links, and provide sensitive information.”
This activity has been in progress since the second half of 2024, redirecting users to PDF files hosted on WebFlow CDN for users looking for book titles, documents and charts in search engines like Google. It involves that.
These PDF files have images embedding that mimic the Captcha challenge, bringing the user clicking onto the phishing page, this time hosting the actual CloudFlare TurnStile Captcha.
In doing so, the attacker lends the process to a veneer of legitimacy, thinks that he has tricked the victim into interacting with security checks, and aims to avoid detection by a static scanner.
Users completing the real Captcha Challenge will then be redirected to a page containing a “download” button to access the expected documents. However, when the victim tries to complete the step, they will be provided with a pop-up message asking them to enter their personal and credit card details.
“When you enter your credit card details, the attacker will send you an error message indicating that it is not accepted,” Michael Alcantara said. “If the victim submits his credit card details two or three more times, he will be redirected to the HTTP 500 error page.”
Developments include $2,000 in exchange for six months updates and bypass technology in the telegram and cybercrime market, as Slashnext details a new phishing kit named Astaroth (not to be confused with bank malware of the same name). is advertised in.
Similar to offering Phishing-as-a-Service (PHAAS), Cyber Crooks harvests credentials and two-factor authentication (2FA) codes via the Bogus login page, which mimics popular online services. Enables functionality.
“Astaroth utilizes Evilginx-style reverse proxy to intercept and manipulate traffic between victims and legitimate authentication services such as Gmail, Yahoo, Microsoft,” said security researcher Daniel Kelley states. “It acts as a middle man, captures login credentials, tokens and session cookies in real time, effectively bypassing 2FA.”
Source link
