Cybercriminals Use Webflow to Deceive Users into Sharing Sensitive Login Credentials
Cybersecurity researchers have warned of a spike in phishing pages created using a website builder tool known as Webflow, as threat actors continue to abuse legitimate services like Cloudflare and Microsoft Sway to their advantage.
"The campaigns target sensitive information from different crypto wallets, including Coinbase, MetaMask, Phantom, Trezor, and Bitbuy, as well as login credentials for multiple company webmail platforms, as well as Microsoft 365 login credentials," Netskope Threat Labs researcher Jan Michael Alcantara said in an analysis.
The cybersecurity company said it tracked a 10-fold increase in traffic to phishing pages crafted using Webflow between April and September 2024, with the attacks targeting more than 120 organizations worldwide. A majority of those targeted are located in North America and Asia, spanning the financial services, banking, and technology sectors.
The attackers have been observed using Webflow to create standalone phishing pages, as well as to redirect unsuspecting users to other phishing pages under their control.
"The former provides attackers stealth and ease because there are no phishing lines of code to write and detect, while the latter gives flexibility to the attacker to perform more complex actions as required," Michael Alcantara said.
What makes Webflow even more appealing than Cloudflare R2 or Microsoft Sway is that it allows users to create custom subdomains at no extra cost, as opposed to auto-generated random alphanumeric subdomains that tend to raise suspicion:
- Cloudflare R2 – https://pub-<32_alphanumeric_string>.r2.dev/webpage.htm
- Microsoft Sway – https://sway.cloud.microsoft/{16_alphanumeric_string}?ref={sharing_option}
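The hostname shapes above are the kind of thing a URL-triage rule can key on. The Python below is an added example written for this page; it is not code from Netskope or from the article. It separates the two auto-generated patterns (R2 and Sway, with the identifier lengths the article gives) from a Webflow custom subdomain and then checks whether that attacker-chosen subdomain embeds one of the brands the campaign targeted. It assumes free Webflow sites are served from `<name>.webflow.io` (the article does not name the hosting domain) and that the R2 and Sway identifiers are plain alphanumeric strings; the sample URLs are constructed for the demonstration, not observed phishing URLs.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Hostname and path shapes for the two services whose auto-generated
# identifiers the article describes. The lengths come from the article; the
# character class is an assumption (the article only says "alphanumeric").
R2_HOST = re.compile(r"^pub-[a-z0-9]{32}\.r2\.dev$")
SWAY_HOST = "sway.cloud.microsoft"
SWAY_PATH = re.compile(r"^/[A-Za-z0-9]{16}$")

# ASSUMPTION: free Webflow sites are served from <name>.webflow.io. The
# article does not name the hosting domain, only that the subdomain is chosen
# by the site owner rather than generated.
WEBFLOW_HOST = re.compile(r"^(?P<sub>[a-z0-9][a-z0-9-]*)\.webflow\.io$")

# Brands named in the article as targets of these campaigns, plus two generic
# terms for the webmail / Microsoft 365 lures.
BRAND_KEYWORDS = ("coinbase", "metamask", "phantom", "trezor", "bitbuy",
                  "microsoft", "office", "webmail")


def classify_host(url: str) -> Optional[str]:
    """Label a URL by the hosting pattern it matches, or None if none match."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if R2_HOST.match(host):
        return "cloudflare-r2:random-subdomain"
    if host == SWAY_HOST and SWAY_PATH.match(parsed.path):
        return "microsoft-sway:random-path"
    if WEBFLOW_HOST.match(host):
        return "webflow:custom-subdomain"
    return None


def lookalike_brand(url: str) -> Optional[str]:
    """For a Webflow custom subdomain, return the first brand keyword it embeds.

    This is the signal that distinguishes the Webflow case: a free,
    attacker-chosen subdomain can carry a brand name, which a random R2 or
    Sway identifier cannot. Returns None for non-Webflow hosts or no match.
    """
    host = (urlparse(url).hostname or "").lower()
    m = WEBFLOW_HOST.match(host)
    if not m:
        return None
    sub = m.group("sub")
    return next((b for b in BRAND_KEYWORDS if b in sub), None)


def triage(urls: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (url, hosting label, embedded brand or None) for every URL that
    matches one of the three patterns; URLs on ordinary domains are dropped."""
    out: List[Tuple[str, str, Optional[str]]] = []
    for url in urls:
        label = classify_host(url)
        if label is not None:
            out.append((url, label, lookalike_brand(url)))
    return out


# Constructed sample URLs (not observed in the campaign) following the shapes above.
SAMPLE_URLS = [
    "https://pub-0123456789abcdef0123456789abcdef.r2.dev/webpage.htm",
    "https://sway.cloud.microsoft/AbCdEfGhIjKlMnOp?ref=Link",
    "https://coinbase-wallet-verify.webflow.io/",
    "https://www.coinbase.com/signin",
]

if __name__ == "__main__":
    for url, label, brand in triage(SAMPLE_URLS):
        flag = f"  <-- brand '{brand}' in attacker-chosen subdomain" if brand else ""
        print(f"{label:32} {url}{flag}")
```

A hosting-pattern hit on its own is not a verdict: plenty of legitimate sites live on these services, so the rule only becomes useful when the custom-subdomain match is combined with a brand keyword (or with the redirect behaviour described later), and it should feed a review queue rather than a block list.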
In an attempt to increase the likelihood of the attack succeeding, the phishing pages are designed to mimic the login pages of their legitimate counterparts in order to deceive users into providing their credentials, which are then exfiltrated to a different server in some cases.
Netskope said it also identified Webflow crypto scam websites that use a screenshot of a legitimate wallet homepage as their own landing pages and redirect the visitor to the actual scam site upon clicking anywhere on the bogus site.
The end goal of the crypto-phishing campaign is to steal the victim's seed phrases, allowing the attackers to hijack control of the cryptocurrency wallets and drain funds.
In the attacks identified by the cybersecurity firm, users who end up providing the recovery phrase are shown an error message stating their account has been suspended due to "unauthorized activity and identification failure." The message also prompts the user to contact their support team by initiating an online chat on tawk.to.
It's worth noting that chat services such as LiveChat, Tawk.to, and Smartsupp have been misused as part of a cryptocurrency scam campaign dubbed CryptoCore by Avast.
"Users should always access important pages, such as their banking portal or webmail, by typing the URL directly into the web browser instead of using search engines or clicking any other links," Michael Alcantara said.
The development comes as cybercriminals are advertising novel anti-bot services on the dark web that claim to bypass Google's Safe Browsing warnings on the Chrome web browser.
"Anti-bot services, like Otus Anti-Bot, Remove Red, and Limitless Anti-Bot, have become a cornerstone of complex phishing operations," SlashNext said in a recent report. "These services aim to prevent security crawlers from identifying phishing pages and blocklisting them."
"By filtering out cybersecurity bots and disguising phishing pages from scanners, these tools extend the lifespan of malicious sites, helping criminals evade detection longer."
Ongoing malspam and malvertising campaigns have also been found propagating an actively-evolving malware known as WARMCOOKIE (aka BadSpace), which then acts as a conduit for malware such as CSharp-Streamer-RAT and Cobalt Strike.
"WarmCookie offers a variety of useful functionality for adversaries including payload deployment, file manipulation, command execution, screenshot collection and persistence, making it attractive to use on systems once initial access has been gained to facilitate longer-term, persistent access within compromised network environments," Cisco Talos said.
An analysis of the source code suggests that the malware is likely developed by the same threat actors as Resident, a post-compromise implant deployed as part of an intrusion set dubbed TA866 (aka Asylum Ambuscade), alongside the Rhadamanthys information stealer. These campaigns have singled out the manufacturing sector, followed closely by government and financial services.
"While long-term targeting associated with the distribution campaigns appears indiscriminate, most of the cases where follow-on payloads were observed were in the United States, with additional cases spread across Canada, United Kingdom, Germany, Italy, Austria and the Netherlands," Talos said.