Phishing Campaign Exploits Webflow CDN to Steal Financial Data

Introduction

A sophisticated phishing campaign has been identified, leveraging fraudulent PDF documents hosted on the Webflow content delivery network (CDN) to steal credit card details and perpetrate financial fraud. This campaign, which has been active since the latter half of 2024, employs deceptive techniques to lure unsuspecting users into providing sensitive information under the guise of downloading legitimate documents.

Tactics and Execution

Cybercriminals orchestrating this campaign target users who search for documents, book titles, and charts on popular search engines such as Google. Upon clicking on the search results, victims are redirected to malicious PDF files hosted on Webflow CDN. These files contain an embedded image simulating a CAPTCHA challenge, prompting users to engage with what appears to be a routine security check.

Unlike conventional phishing attempts, this method incorporates a legitimate Cloudflare Turnstile CAPTCHA to enhance credibility and evade detection. Once users complete this authentication step, they are redirected to a page featuring a "download" button, ostensibly granting access to the desired document. However, when users attempt to proceed, they are met with a pop-up message requesting their personal and financial details, including credit card information.
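The lure described above works because clicking the fake CAPTCHA image takes the reader out of the PDF to an attacker-controlled page. A defender triaging downloaded PDFs can look for exactly that structure: link annotations whose target host is not one the organisation expects, especially when a single link blankets the whole page the way a clickable full-page image does. The script below is an added example written for this article, not code from the researchers or from Webflow; the sample PDF is constructed inline, the host allowlist and the 80% "full page" threshold are assumptions, and the assumption that the lure image is wired as a standard /Link annotation with a /URI action is inferred from the article's description rather than stated by it.

```python
import re
from urllib.parse import urlsplit

# Constructed sample (not a file from the campaign described above): a minimal,
# uncompressed one-page PDF with two link annotations. Object 4 covers the whole
# page, the way an image that imitates a CAPTCHA is wired so that any click on it
# leaves the document for an external site; object 5 is a small ordinary link.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792] /A << /S /URI /URI (https://lure.example.invalid/verify) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [10 10 100 20] /A << /S /URI /URI (https://docs.example.org/real) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

LINK_OBJ_RE = re.compile(rb"/Subtype\s*/Link(.*?)endobj", re.DOTALL)
RECT_RE = re.compile(rb"/Rect\s*\[([^\]]*)\]")
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
MEDIABOX_RE = re.compile(rb"/MediaBox\s*\[([^\]]*)\]")

# Assumed threshold: a link covering at least this share of the page counts as "full page".
FULL_PAGE_FRACTION = 0.8


def _rect_area(numbers: bytes) -> float:
    """Area of a PDF rectangle given as the bytes between its brackets."""
    x0, y0, x1, y1 = (float(n) for n in numbers.split())
    return abs(x1 - x0) * abs(y1 - y0)


def page_area(pdf_bytes: bytes) -> float:
    """Area of the first /MediaBox, or 0.0 if none is found."""
    m = MEDIABOX_RE.search(pdf_bytes)
    return _rect_area(m.group(1)) if m else 0.0


def extract_link_annotations(pdf_bytes: bytes) -> list:
    """Return (rect_area, uri) for each uncompressed /Link annotation with a /URI action.

    Only plain, uncompressed object dictionaries are handled; annotations stored in
    compressed object streams need a real PDF parser. This is a triage helper, not one.
    """
    links = []
    for m in LINK_OBJ_RE.finditer(pdf_bytes):
        body = m.group(1)
        rect = RECT_RE.search(body)
        uri = URI_RE.search(body)
        if rect and uri:
            links.append((_rect_area(rect.group(1)), uri.group(1).decode("latin-1")))
    return links


def analyze_pdf(pdf_bytes: bytes, allowed_hosts: set) -> list:
    """Flag links that leave the allowlisted hosts or that blanket the page."""
    total = page_area(pdf_bytes)
    findings = []
    for area, uri in extract_link_annotations(pdf_bytes):
        host = urlsplit(uri).hostname or ""
        full_page = total > 0 and area / total >= FULL_PAGE_FRACTION
        external = host not in allowed_hosts
        findings.append({
            "uri": uri,
            "host": host,
            "full_page": full_page,
            "external": external,
            "suspicious": external or full_page,
        })
    return findings


if __name__ == "__main__":
    for f in analyze_pdf(SAMPLE_PDF, allowed_hosts={"docs.example.org"}):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} full_page={f['full_page']!s:5} {f['uri']}")
```

Run against the constructed sample, the full-page link to an unlisted host is flagged and the small link to the allowlisted host is not. In a mail gateway or sandbox the same two signals (outbound link to an unexpected host, link geometry covering the page) are cheap to compute on every attachment and do not depend on recognising a particular CDN.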

Fraudulent Credit Card Collection Process

Security researchers have determined that once victims enter their credit card details, the attackers generate an error message stating that the transaction was unsuccessful. This tactic is designed to persuade users to re-enter their details multiple times. If victims attempt this step more than twice, they are ultimately redirected to an HTTP 500 error page, leaving them unaware that their financial information has been compromised.

Emergence of the Astaroth Phishing Kit

This development coincides with the rise of a new phishing toolkit named Astaroth, which has been documented by cybersecurity firm SlashNext. Astaroth is marketed on Telegram and various cybercrime marketplaces for $2,000, offering six months of updates and advanced evasion techniques.

Similar to other phishing-as-a-service (PhaaS) platforms, Astaroth enables cybercriminals to harvest login credentials and two-factor authentication (2FA) codes through counterfeit login pages resembling those of popular services such as Gmail, Yahoo, and Microsoft. The toolkit employs an Evilginx-style reverse proxy mechanism to intercept and manipulate communication between victims and legitimate authentication services. This method allows attackers to capture login credentials, tokens, and session cookies in real time, effectively bypassing 2FA security measures.

Conclusion

The increasing sophistication of phishing campaigns underscores the need for heightened vigilance among internet users. By employing advanced tactics such as CAPTCHA verification and real-time interception of authentication credentials, cybercriminals continue to refine their fraudulent schemes. Organizations and individuals must remain cautious when accessing documents from unverified sources and implement robust security measures, including multi-factor authentication and web filtering solutions, to mitigate the risks posed by such evolving cyber threats.
