Cybersecurity researchers are warning of a surge in phishing pages created using a website builder tool called Webflow, as threat actors continue to abuse legitimate services such as Cloudflare and Microsoft Sway for your benefit.
“Companies targeted sensitive information from various crypto wallets, including Coinbase, MetaMask, Phantom, Trezor, and Bitbuy, as well as login credentials for several of the company’s webmail platforms, as well as Microsoft 365 login credentials,” said Netskope Threat Labs researcher Ian Michael Alcantara. said in the analysis.
The cybersecurity company said it tracked a 10-fold increase in traffic to phishing pages created using Webflow between April and September 2024, with attacks targeting more than 120 organizations worldwide. Most are located in North America and Asia, spanning the financial services, banking and technology sectors.
Attackers have been seen using Webflow to create standalone phishing pages as well as redirect unsuspecting users to other phishing pages under their control.
“The former provides attackers with stealth and ease because there are no phishing lines of code to write and detect, while the latter gives the attacker the flexibility to perform more sophisticated actions as needed,” said Michael Alcantara.
What makes Webflow much more attractive than Cloudflare R2 or Microsoft Sway is that it allows users to create their own subdomains at no additional cost, as opposed to automatically generated random alphanumeric subdomains that can be suspicious –
- Cloudflare R2 – https://pub-<32_alphanumeric_string>.r2.dev/webpage.htm
- Microsoft Sway – https://sway.cloud.microsoft/{16_alphanumeric_string}?ref={sharing_option}
In an attempt to increase the likelihood of attack success, phishing pages are designed to mimic the login pages of their legitimate counterparts in order to trick users into providing their credentials, which are then, in some cases, forwarded to another server.
Netskope said it has also identified Webflow crypto scam websites that use a screenshot of a legitimate wallet homepage as their own landing pages and redirect the visitor to the scammer’s real site after clicking anywhere on the fake site.
The ultimate goal of a crypto-phishing campaign is to steal the victim’s initial phrases, allowing attackers to seize control of cryptocurrency wallets and drain the funds.
In the attacks identified by the cybersecurity firm, users who ended up entering a recovery phrase displayed an error message stating that their account had been suspended due to “unauthorized activity and authentication failure.” The message also prompts the user to contact their support team by initiating an online chat at tawk.to.
Notably, chat services such as LiveChat, Tawk.to and Smartsupp have been misused in a cryptocurrency fraud campaign dubbed CryptoCore from Avast.
“Users should always access important pages, such as a banking portal or webmail, by entering the URL directly into the web browser instead of using search engines or clicking any other links,” said Michael Alcantara.
It comes at a time when cybercriminals are promoting new anti-bot services on the dark web that claim to bypass Google services. Safe Browsing Warnings in the Chrome web browser.
“Anti-bot services like Otus Anti-Bot, Remove Red, and Limitless Anti-Bot have become a cornerstone of sophisticated phishing operations,” SlashNext said in a recent report. “These services aim to prevent security scanners from identifying phishing pages and blocking them.”
“By filtering out cyber security bots and masking phishing pages from scanners, these tools extend the life of malicious sites, helping criminals evade detection for longer.”
Unsolicited and advertising campaigns are also conducted revealed the spread of actively developing malicious programs called HOT COOKIES (aka BadSpace), which then acts as a conduit for malware such as CSharp-Streamer-RAT and Cobalt Strike.
“WarmCookie offers a variety of useful features to adversaries, including payload deployment, file manipulation, command execution, screenshot collection, and persistence, making it attractive for use on systems after initial access to facilitate long-term persistent access in compromised network environments. ,” Cisco Talos said.
Analysis of the source code suggests that the malware is likely developed by the same threat actors as Resident, a post-compromise implant installed as part of an intrusion kit called TA866 (aka Asylum Ambuscade), along with information stealer Rhadamanthys. These companies highlighted the manufacturing sector, followed by government and financial services.
“While the long-term targeting associated with distribution campaigns appears to be erratic, most of the observed payloads have been in the United States, with additional cases spread across Canada, the United Kingdom, Germany, Italy, Austria, and the Netherlands. , “Talos said.
