Schließen
Schließen
Ihr Netzwerk von morgen
Ihr Netzwerk von morgen
Planen Sie Ihren Weg zu einem schnelleren, sichereren und widerstandsfähigeren Netzwerk, das auf die von Ihnen unterstützten Anwendungen und Benutzer zugeschnitten ist.
          Erleben Sie Netskope
          Get Hands-on With the Netskope Platform
          Here's your chance to experience the Netskope One single-cloud platform first-hand. Sign up for self-paced, hands-on labs, join us for monthly live product demos, take a free test drive of Netskope Private Access, or join us for a live, instructor-led workshops.
            Ein führendes Unternehmen im Bereich SSE. Jetzt ein führender Anbieter von SASE.
            Ein führendes Unternehmen im Bereich SSE. Jetzt ein führender Anbieter von SASE.
            Netskope debütiert als Leader im Gartner ® Magic Quadrant ™ für Single-Vendor SASE
              Generative KI für Dummies sichern
              Generative KI für Dummies sichern
              Learn how your organization can balance the innovative potential of generative AI with robust data security practices.
                Modern data loss prevention (DLP) for Dummies eBook
                Moderne Data Loss Prevention (DLP) für Dummies
                Get tips and tricks for transitioning to a cloud-delivered DLP.
                  Modernes SD-WAN für SASE Dummies-Buch
                  Modern SD-WAN for SASE Dummies
                  Hören Sie auf, mit Ihrer Netzwerkarchitektur Schritt zu halten
                    Verstehen, wo die Risiken liegen
                    Advanced Analytics transforms the way security operations teams apply data-driven insights to implement better policies. With Advanced Analytics, you can identify trends, zero in on areas of concern and use the data to take action.
                        Die 6 überzeugendsten Anwendungsfälle für den vollständigen Ersatz älterer VPNs
                        Die 6 überzeugendsten Anwendungsfälle für den vollständigen Ersatz älterer VPNs
                        Netskope One Private Access is the only solution that allows you to retire your VPN for good.
                          Colgate-Palmolive schützt sein "geistiges Eigentum" mit intelligentem und anpassungsfähigem Datenschutz
                          Colgate-Palmolive schützt sein "geistiges Eigentum" mit intelligentem und anpassungsfähigem Datenschutz
                            Netskope GovCloud
                            Netskope erhält die FedRAMP High Authorization
                            Wählen Sie Netskope GovCloud, um die Transformation Ihrer Agentur zu beschleunigen.
                              Let's Do Great Things Together
                              Die partnerorientierte Markteinführungsstrategie von Netskope ermöglicht es unseren Partnern, ihr Wachstum und ihre Rentabilität zu maximieren und gleichzeitig die Unternehmenssicherheit an neue Anforderungen anzupassen.
                                Netskope solutions
                                Netskope Cloud Exchange
                                Netskope Cloud Exchange (CE) provides customers with powerful integration tools to leverage investments across their security posture.
                                  Technischer Support von Netskope
                                  Technischer Support von Netskope
                                  Überall auf der Welt sorgen unsere qualifizierten Support-Ingenieure mit verschiedensten Erfahrungen in den Bereichen Cloud-Sicherheit, Netzwerke, Virtualisierung, Content Delivery und Software-Entwicklung für zeitnahen und qualitativ hochwertigen technischen Support.
                                    Netskope-Video
                                    Netskope-Schulung
                                    Netskope-Schulungen helfen Ihnen, ein Experte für Cloud-Sicherheit zu werden. Wir sind hier, um Ihnen zu helfen, Ihre digitale Transformation abzusichern und das Beste aus Ihrer Cloud, dem Web und Ihren privaten Anwendungen zu machen.

                                      New Phishing Campaign Abuses Webflow, SEO, and Fake CAPTCHAs

                                      Feb 12 2025

                                      Summary

                                      Netskope Threat Labs is tracking a widespread phishing campaign affecting hundreds of Netskope customers and thousands of users. The campaign aims to steal credit card information to commit financial fraud, and has been ongoing since the second half of 2024. The attacker targets victims searching for documents on search engines, resulting in access to malicious PDF that contains a CAPTCHA image embedded with a phishing link, leading them to provide sensitive information. All malicious PDFs are hosted on the Webflow CDN.

                                      CategoryDescription
                                      HostingWebflow
                                      Domainassets.website-files[.]com
                                      Top targeted industriesTechnology, Manufacturing, and Banking
                                      Top targeted regionsNorth America, Asia, and Southern Europe
                                      Information targetedCredit card information, email address, first and last name.
                                      Attack vectorSearch engines

                                      Search engine serving phishing PDFs

                                      The phishing campaign Netskope Threat Labs has been tracking abuses Webflow CDN to host malicious PDFs. While Webflow offers CDN storage for customer assets, this service is misused to store malicious PDF files. These PDFs appear in search engine results when victims search targeted keywords, such as book titles, documents and charts. The PDF files contain multiple targeted keywords that victims are likely to search for. The malicious PDF files are used to redirect users to phishing websites using fake CAPTCHA images.

                                      Phishing PDFs as a search result
                                      PDF containing search search engine keywords

                                      Phishing link embedded in CAPTCHA

                                      Netskope Threat Labs recently reported a malware campaign using a deceptive CAPTCHA technique to trick victims into running malicious scripts. This time, attackers use CAPTCHA for phishing by embedding the phishing URL in a CAPTCHA image inside the malicious PDF file, redirecting users to phishing pages when they attempt to solve the challenge. 

                                      Ironically, when you click the CAPTCHA button, you will be redirected to an actual Cloudflare Turnstile CAPTCHA. This creates the illusion that the original fake CAPTCHA was real, potentially tricking victims into believing they’re interacting with a genuine security check. Like with previously reported phishing campaigns, attackers are known to hide their phishing pages under CAPTCHAs to avoid being detected by static scanners.

                                      After completing the Cloudflare CAPTCHA, they are redirected to a forum where a file is offered, named after the search engine keyword they used to find the site.

                                      When the victim attempts to download the document, they will be asked to sign up for their page, providing their email address and first and last name.

                                      To complete the sign up process, the victim is then asked for their credit card details. Upon entering credit card details, the attacker will send an error message to indicate that it was not accepted. If the victim submits their credit card details two or three more times, they will be redirected to an HTTP 500 error page.

                                      Error message when submitting credit card details two or three times.

                                      Conclusion

                                      Attackers are targeting victims searching for documents on search engines to siphon away their financial and personal information. They use SEO techniques to lead victims into accessing malicious PDF files hosted on the Webflow CDN, which contain a fake CAPTCHA image. Attackers embed phishing links into the fake CAPTCHA image to redirect victims to the phishing website. They use Cloudflare Turnstile to deceive victims they are solving a legitimate CAPTCHA, while also protecting their phishing pages from static scanners. Netskope Threat Labs will continue to track and respond to these phishing campaigns.

                                      Netskope Detection

                                      • Netskope Threat Protection
                                        • Document-PDF.Trojan.Heuristic
                                        • Document-PDF.Phishing.Generic
                                        • Document-PDF.Spam.Heuristic
                                      • Netskope Advanced Threat Protection provides proactive coverage against this threat
                                        • Gen.Detect.By.NSCloudSandbox.tr

                                      Disclosure

                                      The URLs were reported to Webflow on January 23, 2025. 

                                      Data Analysis

                                      The analysis presented in this blog post is based on anonymized usage data collected by the Netskope Security Cloud platform relating to a subset of Netskope customers with prior authorization.

                                      IOCs

                                      All the IOCs related to this campaign can be found in our GitHub repository.

                                      author image
                                      Jan Michael Alcantara
                                      Jan Michael Alcantara is an experienced incident responder with a background on forensics, threat hunting, and incident analysis.
                                      Jan Michael Alcantara is an experienced incident responder with a background on forensics, threat hunting, and incident analysis.

                                      Bleiben Sie informiert!

                                      Abonnieren Sie den Netskope-Blog