Summary
From April to September 2024, Netskope Threat Labs tracked a 10-fold increase in traffic to phishing pages crafted through Webflow. The campaigns target sensitive information from different crypto wallets, including Coinbase, MetaMask, Phantom, Trezor, and Bitbuy, as well as login credentials for multiple company webmail platforms, as well as Microsoft365 login credentials. The campaigns have targeted more than 120 organizations worldwide, with the majority located in North America and Asia, across multiple segments led by financial services, banking, and technology.
Attackers abuse Webflow in two ways: Creating standalone phishing pages and using Webflow pages to redirect victims to phishing pages hosted elsewhere. The former provides attackers stealth and ease because there are no phishing lines of code to write and detect, while the latter gives flexibility to the attacker to perform more complex actions as required. Webflow also provides custom publicly accessible subdomains without additional cost.
Let’s take a closer look at these phishing and crypto scam campaigns.
Webflow abused to design phishing pages
Webflow is a visual website builder that allows a