A widespread phishing campaign has been uncovered that uses fake PDF documents hosted on the Webflow content delivery network (CDN) to steal financial details and carry out fraudulent transactions.
“Threat actors are leveraging search engine queries to lure unsuspecting users into accessing malicious PDFs, which harbor an embedded CAPTCHA image concealing a deceptive link, coercing them into divulging sensitive financial data,” remarked Jan Michael Alcantara, a researcher at Netskope Threat Labs.
The scheme, active since mid-2024, targets people who search for books, charts, or other documents and steers them toward PDFs hosted on Webflow’s CDN.
The PDFs contain an image that looks like a CAPTCHA prompt. The image carries a hidden link, so clicking it sends the user to a phishing page that presents a real Cloudflare Turnstile CAPTCHA.
The genuine CAPTCHA lends the page credibility, and it also keeps the phishing content behind a challenge that simple automated security scanners do not pass.
Once the CAPTCHA is solved, the victim lands on a fake document download page. Starting the download instead opens a pop-up that asks for personal and credit card details.
“Should a victim input their credit card credentials, an error prompt falsely indicates that the transaction was unsuccessful,” Alcantara elaborated. “If the victim reattempts entry multiple times, they are ultimately led to an HTTP 500 error page, terminating the interaction while the attackers harvest the submitted details.”
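The fake-CAPTCHA PDF described above has a recognisable shape: an image object, a link annotation pointing off-site, and no text. The triage script below is an added example (not from Netskope or the report) that scans raw PDF bytes for that shape; the two sample PDFs and the placeholder host are constructed for the example.

```python
import re

# Constructed sample (not a real lure): a one-page PDF with no text, one image
# XObject, and a /Link annotation whose /URI target is a placeholder host.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Resources << /XObject << /Im1 5 0 R >> >> /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [200 400 412 460] /A << /S /URI /URI (https://captcha-check.example.invalid/verify) >> >> endobj
5 0 obj << /Type /XObject /Subtype /Image /Width 212 /Height 60 /Length 3 >>
stream
abc
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed benign control: one page of text with a font resource, no links.
TEXT_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Resources << /Font << /F1 4 0 R >> >> >> endobj
4 0 obj << /Type /Font /Subtype /Type1 /BaseFont /Helvetica >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Byte-level scan of uncompressed PDF syntax. Escaped parentheses in /URI
# strings and dictionaries inside compressed object streams are not handled.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
IMAGE_RE = re.compile(rb"/Subtype\s*/Image\b")
FONT_RE = re.compile(rb"/Type\s*/Font\b")

def extract_link_uris(pdf: bytes) -> list:
    """Return every /URI action target found in the raw PDF bytes."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf)]

def triage(pdf: bytes) -> dict:
    """Flag a PDF with images and an external link but no fonts: the lure shape."""
    uris = extract_link_uris(pdf)
    images = len(IMAGE_RE.findall(pdf))
    has_fonts = FONT_RE.search(pdf) is not None
    return {
        "link_uris": uris,
        "image_objects": images,
        "has_text_fonts": has_fonts,
        # object streams hide dictionaries from this scan; decompress first
        "opaque_object_streams": b"/ObjStm" in pdf,
        "image_only_link_lure": bool(uris) and images > 0 and not has_fonts,
    }
```

A hit is a triage signal, not a verdict: the link host still has to be checked against the domains the document legitimately belongs to, and any file with object streams needs decompression before the scan means anything.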
This discovery coincides with SlashNext’s revelation of a phishing framework dubbed Astaroth, which is peddled in underground cybercrime circles, particularly on Telegram, at a price of $2,000 for a six-month subscription, inclusive of evasion techniques and periodic updates.
Operating under the Phishing-as-a-Service (PhaaS) model, Astaroth empowers cybercriminals to exfiltrate login credentials and intercept two-factor authentication (2FA) codes via meticulously crafted counterfeit login interfaces mimicking popular platforms.
“Astaroth employs an Evilginx-style reverse proxy to intercept and manipulate communication between victims and genuine authentication services, such as Gmail, Yahoo, and Microsoft,” explained cybersecurity analyst Daniel Kelley. “By executing a man-in-the-middle attack, it siphons login credentials, session cookies, and authentication tokens in real time, effectively circumventing 2FA security layers.”