A phishing campaign that uses fake PDF files hosted on the Webflow content delivery network (CDN) has been discovered; its aim is to steal credit card data and commit financial fraud.
According to Netskope Threat Labs researcher Jan Michael Alcantara, the attacker targets victims who search for documents on search engines, serving them a malicious PDF that contains a CAPTCHA image embedded with a phishing link, which leads them to hand over sensitive information.
The campaign, active since the second half of 2024, involves users searching for book titles, documents, and charts on search engines such as Google and being redirected to PDF files hosted on the Webflow CDN.
Users who click on the image embedded in the PDF file, which resembles a CAPTCHA challenge, are directed to a phishing website that, this time, hosts a genuine Cloudflare Turnstile CAPTCHA.
In doing so, the attackers give the process a veneer of legitimacy, deceiving victims into believing they have completed a security check while also evading detection by static scanners.
Users who complete the real CAPTCHA challenge are then taken to a page with a "download" button for the document they were supposedly looking for. When victims try to complete that step, however, they are shown a pop-up message asking them to enter their personal and credit card details.
According to Michael Alcantara, the attacker may display an error message stating that the credit card was not accepted, and the victim may be redirected to an HTTP 500 error page after entering credit card information two or three more times.
The development comes as SlashNext disclosed a new phishing kit called Astaroth (not to be confused with the banking malware of the same name) that is sold on Telegram and cybercrime marketplaces for $2,000 in exchange for six months of updates and bypass techniques.
Like other phishing-as-a-service (PhaaS) offerings, it gives cybercriminals the ability to harvest credentials and two-factor authentication (2FA) codes via bogus login pages that mimic popular online services.
Security researcher Daniel Kelley described Astaroth as using a reverse proxy to intercept and manipulate traffic between victims and genuine authentication services such as Gmail, Yahoo, and Microsoft. "Acting as a man-in-the-middle, it captures login credentials, tokens, and session cookies in real time, effectively bypassing 2FA."
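The reverse-proxy technique described above leaves a footprint an identity provider can look for: the session cookie minted at login is later presented from a different client IP or user agent than the one that authenticated, because the cookie was relayed through the phishing kit and reused elsewhere. The following detection logic is an added example written for this article, not code from Netskope, SlashNext or the Astaroth kit; the event records, field names (`ts`, `event`, `user`, `session`, `ip`, `ua`) and the one-hour window are constructed assumptions, and a real deployment would read the equivalent fields from the identity provider's sign-in logs.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in telemetry (not real logs). Each record is one
# successful authentication or one later use of the resulting session cookie,
# in the shape an identity provider might export. "alice" models a cookie
# captured in transit and replayed from other infrastructure; "bob" is benign.
SAMPLE_EVENTS = [
    {"ts": "2025-02-20T09:00:00", "event": "login_success", "user": "alice",
     "session": "sess-A1", "ip": "198.51.100.10",
     "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/121"},
    {"ts": "2025-02-20T09:00:45", "event": "session_use", "user": "alice",
     "session": "sess-A1", "ip": "203.0.113.77",
     "ua": "python-requests/2.31"},
    {"ts": "2025-02-20T10:00:00", "event": "login_success", "user": "bob",
     "session": "sess-B1", "ip": "192.0.2.5",
     "ua": "Mozilla/5.0 (X11; Linux) Firefox/122"},
    {"ts": "2025-02-20T10:05:00", "event": "session_use", "user": "bob",
     "session": "sess-B1", "ip": "192.0.2.5",
     "ua": "Mozilla/5.0 (X11; Linux) Firefox/122"},
]


def _parse_ts(value):
    """Parse the ISO-8601 timestamp used in the constructed records."""
    return datetime.fromisoformat(value)


def find_replayed_sessions(events, window=timedelta(hours=1)):
    """Return one alert per session cookie that is used, within `window` of the
    login that issued it, from a client IP or user agent different from the one
    seen at login. A cookie that changes hands this quickly after a 2FA-backed
    login is the observable signature of an adversary-in-the-middle capture."""
    logins = {}      # session id -> the login record that minted the cookie
    flagged = set()  # sessions already reported, so each is alerted once
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "login_success":
            logins[ev["session"]] = ev
            continue
        if ev["event"] != "session_use" or ev["session"] in flagged:
            continue
        origin = logins.get(ev["session"])
        if origin is None:
            continue  # cookie with no observed login in this batch; ignore
        ip_changed = ev["ip"] != origin["ip"]
        ua_changed = ev["ua"] != origin["ua"]
        elapsed = _parse_ts(ev["ts"]) - _parse_ts(origin["ts"])
        if (ip_changed or ua_changed) and elapsed <= window:
            flagged.add(ev["session"])
            alerts.append({
                "user": ev["user"],
                "session": ev["session"],
                "login_ip": origin["ip"],
                "use_ip": ev["ip"],
                "ip_changed": ip_changed,
                "ua_changed": ua_changed,
                "seconds_after_login": int(elapsed.total_seconds()),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_replayed_sessions(SAMPLE_EVENTS):
        print(alert)
```

On the constructed input the function flags only alice's session, used 45 seconds after login from a different address and a non-browser user agent. In practice the IP comparison is usually relaxed to ASN or geolocation to avoid false positives from mobile networks, and a confirmed hit is handled by revoking the session and forcing re-authentication, which is the control that phishing-resistant MFA (such as FIDO2 keys bound to the real origin) removes the need for by preventing the proxy from completing the login at all.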