    Cybercriminals Exploit Webflow to Entice Users into Surrendering Sensitive Login Details

    Cybersecurity specialists have identified a surge in phishing attempts via the website builder Webflow, as attackers leverage authentic platforms such as Cloudflare and Microsoft Sway to further their malicious agendas.

    “These campaigns seek confidential information from various cryptocurrency wallets, including Coinbase, MetaMask, Phantom, Trezor, and Bitbuy, as well as credentials for corporate email platforms and Microsoft 365 logins,” observed Jan Michael Alcantara, a researcher at Netskope Threat Labs.

    Netskope reported a staggering tenfold increase in traffic to phishing pages created through Webflow between April and September 2024, with more than 120 targeted organizations spanning North America and Asia in industries like finance, banking, and technology.

    Threat actors use Webflow to both host standalone phishing sites and redirect unsuspecting users to additional pages under their influence. Alcantara noted, “The first option grants attackers simplicity and subtlety, while the latter offers adaptability for carrying out more intricate tactics.”

    A notable advantage of Webflow over Cloudflare R2 or Microsoft Sway lies in its ability to generate custom subdomains at no extra cost, unlike the auto-generated, randomized alphanumeric subdomains that may trigger suspicion:

    • Cloudflare R2 – https://pub-<32_alphanumeric_string>.r2.dev/webpage.htm
    • Microsoft Sway – https://sway.cloud.microsoft/{16_alphanumeric_string}?ref={sharing_option}
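The URL shapes above are directly usable for triage. The following is an added example, not code from the article or from Netskope: a small Python classifier that runs over constructed proxy-log lines and flags traffic to the three free-hosting platforms, distinguishing the randomized R2 and Sway identifiers from Webflow's site-chosen labels. The Webflow hostname suffix (`.webflow.io`), the log format, and the brand-term list are assumptions made for the example; the brand names themselves are the ones the article lists as phishing targets.

```python
"""Triage free-hosting URLs of the kinds named in the article (constructed example)."""
import re
from urllib.parse import urlparse

# Host and path shapes taken from the URL templates quoted in the article.
R2_HOST = re.compile(r"^pub-[a-z0-9]{32}\.r2\.dev$", re.IGNORECASE)
SWAY_PATH = re.compile(r"^/[a-z0-9]{16}$", re.IGNORECASE)

# Assumption (not stated in the article): Webflow-hosted sites carry a
# site-chosen label under webflow.io, e.g. https://<chosen-name>.webflow.io/.
WEBFLOW_SUFFIX = ".webflow.io"

# Brands the article names as phishing lures, plus generic login keywords.
# A platform-chosen label containing one of these is worth a closer look.
BRAND_TERMS = ("coinbase", "metamask", "phantom", "trezor", "bitbuy",
               "microsoft", "office365", "login", "signin")


def classify_url(url):
    """Return a verdict dict for URLs on R2, Sway or Webflow, else None."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if R2_HOST.match(host):
        return {"platform": "cloudflare-r2", "subdomain": "random", "lookalike": False}
    if host == "sway.cloud.microsoft" and SWAY_PATH.match(parts.path or ""):
        return {"platform": "microsoft-sway", "subdomain": "random", "lookalike": False}
    if host.endswith(WEBFLOW_SUFFIX) and len(host) > len(WEBFLOW_SUFFIX):
        label = host[: -len(WEBFLOW_SUFFIX)]
        lookalike = any(term in label for term in BRAND_TERMS)
        return {"platform": "webflow", "subdomain": "custom",
                "label": label, "lookalike": lookalike}
    return None


def triage_log(log_text):
    """Scan '<timestamp> <user> <url>' lines and return hits with a priority."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # skip malformed lines rather than failing the whole run
        ts, user, url = fields[0], fields[1], fields[2]
        verdict = classify_url(url)
        if verdict is None:
            continue
        # Brand-bearing custom labels get priority; random identifiers just need review.
        priority = "high" if verdict["lookalike"] else "review"
        hits.append({"time": ts, "user": user, "url": url, "priority": priority, **verdict})
    return hits


# Constructed sample proxy log; the hosts and users are made up for this example.
SAMPLE_LOG = """\
2024-09-12T10:01:05Z alice https://pub-1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d.r2.dev/webpage.htm
2024-09-12T10:02:11Z bob https://sway.cloud.microsoft/AbCdEfGhIjKlMnOp?ref=Link
2024-09-12T10:03:40Z carol https://coinbase-wallet-verify.webflow.io/
2024-09-12T10:04:02Z dave https://marketing-site.webflow.io/pricing
2024-09-12T10:05:30Z erin https://www.example.com/login
"""

if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG):
        print(hit["priority"], hit["user"], hit["platform"], hit["url"])
```

A hit on these hosts is not proof of phishing; plenty of legitimate sites live on Webflow and R2. The value of the classifier is in surfacing the small set of events a reviewer should look at, and in separating the two cases the article describes: a random identifier that can only be checked by visiting the page, and a custom label that already tells you which brand is being imitated.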

    To heighten the chances of duping victims, attackers design phishing pages that mimic legitimate login pages, tricking users into divulging credentials, which are then, in certain cases, forwarded to a different server.

    Netskope also identified crypto-phishing Webflow pages that simulate legitimate wallet landing pages with screenshots of actual homepages, redirecting users to scam sites when they click on the counterfeit page.

    The overarching goal of these phishing attacks is to capture victims’ seed phrases, enabling attackers to seize control of cryptocurrency wallets and drain assets. In cases observed by the security firm, users who entered their recovery phrases encountered an error message warning of account suspension due to “unauthorized activity and identification failure,” directing them to contact support through an online chat on Tawk.to.

    It’s worth noting that platforms like LiveChat, Tawk.to, and Smartsupp have been exploited in a similar cryptocurrency scam known as CryptoCore, according to Avast.

    “Users should prioritize typing URLs for crucial sites like banking or email portals directly into the browser rather than relying on search results or external links,” Alcantara emphasized.

    Simultaneously, the rise of anti-bot services marketed on the dark web poses another challenge, with these tools claiming to sidestep Google’s Safe Browsing warnings in Chrome. SlashNext reports that “services like Otus Anti-Bot, Remove Red, and Limitless Anti-Bot have become essential tools in sophisticated phishing campaigns, concealing phishing pages from security crawlers.”

    “By filtering out cybersecurity bots, these tools elongate the viability of malicious sites, helping criminals evade detection for longer periods,” SlashNext added.

    Moreover, persistent malspam and malvertising campaigns have introduced an evolving malware strain, WARMCOOKIE (also known as BadSpace), which serves as a bridge for other malicious payloads such as CSharp-Streamer-RAT and Cobalt Strike.

    “WarmCookie offers adversaries a suite of capabilities including payload deployment, file manipulation, command execution, screenshot capture, and persistence, which makes it appealing for extended presence in compromised networks,” Cisco Talos revealed.

    An examination of WarmCookie’s source code suggests links to the developers behind Resident, a post-compromise implant associated with an intrusion set called TA866 (also known as Asylum Ambuscade), alongside the Rhadamanthys information stealer. These campaigns have disproportionately targeted the manufacturing sector, followed by government and financial institutions.

    “While the broader distribution of these campaigns remains largely indiscriminate, a significant portion of follow-on payload instances were documented in the U.S., with additional incidents across Canada, the U.K., Germany, Italy, Austria, and the Netherlands,” Talos reported.
