Ethical Hacking News
Attackers have abused the Webflow content delivery network (CDN) to host bogus PDF files that steal credit card information through a CAPTCHA trick. The lure targets users who click a fake CAPTCHA image embedded in the PDF, which sends them to a phishing page hosting a real Cloudflare Turnstile CAPTCHA. Experts warn that individuals must remain vigilant when searching for documents online to avoid falling victim to such scams.
The phishing campaign targets people searching for documents on search engines: PDF files hosted on the Webflow CDN contain a CAPTCHA image that links to a phishing page, which tricks users into handing over sensitive information. Separately, a new phishing kit called Astaroth is being sold on Telegram and cybercrime marketplaces for $2,000; it uses an Evilginx-style reverse proxy to intercept login credentials and session tokens. Both cases show attackers turning a familiar security control, the CAPTCHA, into a tool for stealing credit card data and credentials.
Recently, a sophisticated phishing campaign has been uncovered, targeting individuals who are searching for documents on search engines. The attackers have created bogus PDF files hosted on the Webflow content delivery network (CDN), which contain a CAPTCHA image embedded with a phishing link. This malicious scheme allows hackers to trick users into providing sensitive information, including credit card details.
According to Netskope Threat Labs researcher Jan Michael Alcantara, the activity has been ongoing since the second half of 2024. Users who search for book titles, documents, and charts on search engines like Google are led to PDF files hosted on the Webflow CDN. These PDF files come embedded with an image that mimics a CAPTCHA challenge; users who click on it are taken to a phishing page that hosts a real Cloudflare Turnstile CAPTCHA.
By using a genuine CAPTCHA challenge, the attackers lend the process a veneer of legitimacy and fool victims into believing they have passed a real security check. The same ploy also helps the phishing page evade static scanners, which cannot complete the challenge to reach the content behind it. Once users complete the genuine CAPTCHA, they are redirected to a page with a "download" button for the supposed document.
When victims attempt to download the document, they are instead shown a pop-up asking for their personal and credit card details. After the victim submits their credit card details two or three more times, they are redirected to an HTTP 500 error page.
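The lure described above works because a PDF can carry a clickable /Link annotation over an image, so the "CAPTCHA" the victim sees is just a picture with an off-site URL behind it. As an added defensive illustration (this is not code from the article, from Netskope, or from Webflow), the following Python script inspects a PDF for /Link annotations whose /URI action points off-site and flags the combination the campaign relies on: an image-only page whose only clickable region leads to an external host. Both PDFs are hand-constructed samples, the hostnames are invented, and the parser handles only uncompressed objects; a production pipeline would first decompress streams with a full PDF library.

```python
import re
from urllib.parse import urlparse

# Constructed sample (not a real campaign file): a page whose only visible
# element is an image, overlaid by a /Link annotation pointing off-site.
# The hostname "captcha-check.example" is invented for this example.
LURE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]
   /Resources << /XObject << /Im1 5 0 R >> >> /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [206 350 406 410]
   /A << /S /URI /URI (https://captcha-check.example/verify?doc=42) >> >> endobj
5 0 obj << /Type /XObject /Subtype /Image /Width 200 /Height 60 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed benign sample: real text drawn with a font, no link annotations.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]
   /Resources << /Font << /F1 4 0 R >> >> /Contents 5 0 R >> endobj
4 0 obj << /Type /Font /Subtype /Type1 /BaseFont /Helvetica >> endobj
5 0 obj << /Length 44 >> stream
BT /F1 12 Tf 72 720 Td (Quarterly report) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Indirect objects, link annotations, URI actions and rectangles (uncompressed syntax only).
_OBJ_RE = re.compile(rb"\d+\s+\d+\s+obj(.*?)endobj", re.S)
_LINK_RE = re.compile(rb"/Subtype\s*/Link\b")
_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
_RECT_RE = re.compile(
    rb"/Rect\s*\[\s*(-?[\d.]+)\s+(-?[\d.]+)\s+(-?[\d.]+)\s+(-?[\d.]+)\s*\]"
)


def _unescape(raw: bytes) -> str:
    # Undo the backslash escapes PDF literal strings use for "(", ")" and "\".
    # Octal escapes (e.g. \051) are left as-is, which is enough for this check.
    return re.sub(rb"\\(.)", lambda m: m.group(1), raw, flags=re.S).decode("latin-1")


def extract_link_annotations(pdf_bytes: bytes) -> list[dict]:
    """Return every /Link annotation that carries a /URI action, with its /Rect."""
    links = []
    for body in _OBJ_RE.findall(pdf_bytes):
        if not _LINK_RE.search(body):
            continue
        uri_match = _URI_RE.search(body)
        if not uri_match:
            continue  # a GoTo/internal link is not an off-site lure
        rect_match = _RECT_RE.search(body)
        rect = tuple(float(v) for v in rect_match.groups()) if rect_match else None
        links.append({"uri": _unescape(uri_match.group(1)), "rect": rect})
    return links


def assess_pdf(pdf_bytes: bytes, trusted_hosts=frozenset()) -> dict:
    """Classify a PDF: 'likely-lure', 'review' or 'clean'.

    likely-lure: an off-site link sits on a page that draws images but no text,
                 which is the fake-CAPTCHA-over-an-image pattern.
    review:      an off-site link exists but the page also has real text.
    clean:       no off-site links at all.
    """
    links = extract_link_annotations(pdf_bytes)
    offsite = []
    for link in links:
        host = urlparse(link["uri"]).hostname or ""
        if host and host not in trusted_hosts:
            offsite.append({**link, "host": host})
    # Text presence: a font resource or a BT (begin text) operator in the file.
    has_text = b"/Font" in pdf_bytes or re.search(rb"\bBT\b", pdf_bytes) is not None
    has_image = re.search(rb"/Subtype\s*/Image\b", pdf_bytes) is not None
    if offsite and has_image and not has_text:
        verdict = "likely-lure"
    elif offsite:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "links": links, "offsite": offsite}


if __name__ == "__main__":
    for name, data in (("lure", LURE_PDF), ("benign", BENIGN_PDF)):
        result = assess_pdf(data, trusted_hosts={"docs.example.org"})
        print(name, result["verdict"], [o["host"] for o in result["offsite"]])
```

The image-only check is deliberately coarse: a legitimate scanned document may also have no text, so the "likely-lure" verdict is a triage signal to send the file and its link target for sandbox detonation, not a final block decision. The usefulness comes from applying it at the mail gateway or web proxy before the user ever sees the fake CAPTCHA.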
This development comes as SlashNext detailed a new phishing kit named Astaroth, which is advertised on Telegram and cybercrime marketplaces for $2,000 in exchange for six months of updates and bypass techniques. Like other phishing-as-a-service (PhaaS) offerings, it gives cybercriminals the ability to harvest credentials and two-factor authentication (2FA) codes via bogus login pages that mimic popular online services.
According to security researcher Daniel Kelley, Astaroth uses an Evilginx-style reverse proxy to intercept and manipulate traffic between victims and legitimate authentication services such as Gmail, Yahoo, and Microsoft. Acting as a man-in-the-middle, it captures login credentials, tokens, and session cookies in real time, which lets it bypass 2FA entirely.
The use of CAPTCHA tricks to steal credit card information highlights the ever-evolving nature of cyber threats. As security measures become more sophisticated, attackers continue to adapt and find new ways to exploit them. In this case, the attackers turned a widely used security measure, the CAPTCHA, to their advantage, demonstrating the importance of staying vigilant and keeping up to date with the latest security patches.
Furthermore, this incident emphasizes the need for users to be cautious when clicking on links or downloading attachments from unknown sources. Even seemingly legitimate PDF files can contain malicious links or code that can compromise user data.
In light of this recent phishing campaign, individuals are advised to exercise extreme caution when searching for documents online and to never provide sensitive information without verifying the authenticity of the request.
Published: Thu Feb 13 10:14:52 2025 by llama3.2 3B Q4_K_M