
830 Organizations Attacked in Glitch-Hosted Phishing Campaign Using Telegram & Fake CAPTCHAs


Cybersecurity researchers at Netskope Threat Labs have observed an alarming threefold spike in phishing campaigns exploiting the Glitch platform, a free web application hosting service.

These campaigns have impacted more than 830 organizations and over 3,000 individuals, with the majority of attacks focusing on Navy Federal Credit Union members.

However, the threat has rapidly expanded to encompass other targets, including T-Mobile accounts and corporate email login credentials, along with the theft of credit card and other sensitive financial information.

Navy Federal Credit Union

Glitch, renowned for its ease of app creation and collaborative coding environment, offers users 1,000 monthly project hours with static sites hosted free and live 24/7.

Each project is allocated a unique subdomain, typically activated within minutes. Attackers have abused this model, creating and deploying multiple phishing sites by “remixing” templates, thus spawning numerous fraudulent subdomains at scale.

The observed phishing sites generally follow a recognizable URL structure, with project-specific subdomains under glitch[.]me, exposing how the platform’s very features are enabling rapid exploitation.

Telegram: The Backbone for Credential Exfiltration

What distinguishes this latest wave of phishing is the strategic use of Telegram for both data exfiltration and multi-factor authentication (MFA) bypass.

Approximately half of the phishing campaigns analyzed use the Telegram Bot API sendMessage method to transmit harvested credentials, location information and, critically, one-time passwords (OTPs) back to threat actors in real time.

This direct channel enables attackers to immediately use stolen OTPs to access victim accounts, effectively neutralizing the protective layer provided by MFA.

Phishing pages typically start by soliciting usernames and passwords, while JavaScript is used covertly to capture the victim’s IP address and geographic location via third-party services like I2.io, ipify, or ipinfo.

Once initial credentials are entered, the phishing site requests the victim’s OTP under the guise of standard account verification.

For individuals unable to provide the OTP, attackers prompt users to enter placeholder codes or proceed regardless, later extracting more sensitive details, including email credentials, to facilitate further account compromises.
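The two infrastructure traits described above (pages served from project subdomains under glitch.me, and harvested data posted from the victim's browser to the Telegram Bot API sendMessage endpoint, often after an IP-geolocation lookup) are visible in ordinary web-proxy logs. The following detection heuristic is an added example for defenders, not code from Netskope or from this article: it correlates, per client, a glitch.me page load followed within a short window by a browser-context POST to sendMessage. The log format, the field order and every log line are constructed for the example; the bot token in the sample is a placeholder. Legitimate server-side Telegram bots also call sendMessage, so a POST is only flagged when it carries a web-page Referer or follows a glitch.me page load from the same client.

```python
"""Proxy-log heuristic for the Glitch + Telegram exfiltration pattern.

Added example (not the article's or Netskope's code). Log lines are
constructed: "<ISO timestamp> <client IP> <method> <URL> <referer or ->".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log. The Telegram bot token is a placeholder.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 GET https://friendly-example-login.glitch.me/ -
2024-05-01T10:00:03Z 10.0.0.5 GET https://api.ipify.org/?format=json https://friendly-example-login.glitch.me/
2024-05-01T10:00:20Z 10.0.0.5 POST https://api.telegram.org/bot000000:PLACEHOLDER_TOKEN/sendMessage https://friendly-example-login.glitch.me/
2024-05-01T10:05:00Z 10.0.0.7 GET https://example.com/news -
2024-05-01T10:05:10Z 10.0.0.7 POST https://api.telegram.org/bot000000:PLACEHOLDER_TOKEN/sendMessage https://example.com/news
2024-05-01T10:30:00Z 10.0.0.8 POST https://api.telegram.org/bot000000:PLACEHOLDER_TOKEN/sendMessage -
2024-05-01T11:00:00Z 10.0.0.9 GET https://some-hobby-project.glitch.me/ -
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
URL_RE = re.compile(r"^https?://([^/]+)(/[^?#]*)?")
# Telegram Bot API method URLs have the form /bot<token>/<method>.
TELEGRAM_SEND_RE = re.compile(r"^/bot[^/]+/sendMessage$")
GEO_HOSTS = {"api.ipify.org", "ipinfo.io"}  # geolocation services named in the report


def parse_line(line):
    """Return one event dict, or None for blank/unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, client, method, url, referer = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "client": client,
            "method": method, "url": url, "referer": None if referer == "-" else referer}


def host_and_path(url):
    m = URL_RE.match(url)
    return (m.group(1).lower(), m.group(2) or "/") if m else ("", "")


def is_glitch_host(host):
    """True for project subdomains such as <project>.glitch.me."""
    return host.endswith(".glitch.me")


def classify(event):
    host, path = host_and_path(event["url"])
    if host == "api.telegram.org" and event["method"] == "POST" and TELEGRAM_SEND_RE.match(path):
        return "telegram_send"
    if host in GEO_HOSTS:
        return "geo_lookup"
    if is_glitch_host(host):
        return "glitch_page"
    return None


def mask_bot_token(url):
    """Never copy the bot token into alerts; it is a secret worth protecting in logs too."""
    return re.sub(r"/bot[^/]+/", "/bot<token-redacted>/", url)


def analyze(log_text, window=timedelta(minutes=5)):
    """Return a list of findings, one per suspicious sendMessage POST."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_client[ev["client"]].append(ev)

    findings = []
    for client, events in by_client.items():
        events.sort(key=lambda e: e["ts"])
        for ev in events:
            if classify(ev) != "telegram_send":
                continue
            recent = [e for e in events if ev["ts"] - window <= e["ts"] < ev["ts"]]
            ref_host = host_and_path(ev["referer"])[0] if ev["referer"] else ""
            glitch_ctx = is_glitch_host(ref_host) or any(classify(e) == "glitch_page" for e in recent)
            geo_ctx = any(classify(e) == "geo_lookup" for e in recent)
            if not ev["referer"] and not glitch_ctx:
                continue  # no browser context: most likely a legitimate server-side bot
            reasons = []
            if ev["referer"]:
                reasons.append("sendMessage POST issued from a web page (Referer present)")
            if glitch_ctx:
                reasons.append("preceded by or referred from a glitch.me project subdomain")
            if geo_ctx:
                reasons.append("client geolocation lookup (ipify/ipinfo) shortly before exfiltration")
            findings.append({"client": client, "ts": ev["ts"].isoformat(),
                             "severity": "high" if glitch_ctx else "medium",
                             "url": mask_bot_token(ev["url"]), "reasons": reasons})
    return sorted(findings, key=lambda f: f["ts"])


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["severity"].upper(), f["client"], f["url"], "|", "; ".join(f["reasons"]))
```

In the constructed sample, the first client triggers a high-severity finding (glitch.me page, ipify lookup, then the Telegram POST), the second a medium one (page-context POST from a non-Glitch site), and the referer-less POST and the plain Glitch page load are left alone. In production the same logic belongs in the proxy or SIEM query, with the "medium" tier reviewed rather than blocked outright.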

Emergence of Fake CAPTCHAs to Evade Detection

Netskope Threat Labs also identified a marked increase in phishing pages protected by custom-built fake CAPTCHAs, a tactic increasingly favored by adversaries to deflect automated security scanners and lend credibility to the attack.

Phishing pages behind a fake CAPTCHA

Victims are presented with a realistic “bot check” box that, when activated, replaces the interface with a fake loading spinner before redirecting unsuspecting users to the actual phishing payload.

This evasion method not only deceives human targets but also impedes detection by static analysis tools, allowing phishing infrastructure to remain active longer.

The exploitation of Glitch’s free and rapid web deployment environment, combined with the abuse of Telegram’s messaging API and fake CAPTCHAs, reflects a sophisticated evolution in phishing methodology.

Attackers’ ability to scale operations swiftly and systematically evade both technical and human defenses underscores a pressing challenge for organizations.

As the campaigns continue to target not only Navy Federal Credit Union but a widening array of businesses and individual users, Netskope Threat Labs remains vigilant in tracking and disrupting these operations.

The findings highlight the need for increased scrutiny of publicly accessible web-hosting services and greater awareness of social engineering tactics that circumvent conventional authentication safeguards.

With attackers leveraging collaboration platforms and common messaging apps to streamline credential theft, robust multi-layered security strategies and continuous user education remain critical defenses against this persistent and growing threat.
