Netskope Threat Labs has uncovered a widespread phishing campaign that leverages Webflow’s Content Delivery Network (CDN), search engine optimization (SEO), and fake CAPTCHA images to deceive users into divulging sensitive information, including credit card details.
This campaign, active since mid-2024, has targeted hundreds of organizations across industries such as technology, manufacturing, and banking, with victims primarily located in North America, Asia, and Southern Europe.
The attackers exploit search engines by embedding malicious PDF files with carefully chosen keywords likely to appear in user searches.
These PDFs, hosted on Webflow’s CDN, contain fake CAPTCHA images that redirect users to phishing websites.
Upon interacting with the CAPTCHA, victims are further misled by being redirected to an actual Cloudflare Turnstile CAPTCHA page, creating a false sense of legitimacy.
Exploiting CAPTCHAs for Financial Fraud
The phishing process unfolds in several stages.
After solving the legitimate Cloudflare CAPTCHA, victims are redirected to a forum that offers a file named after their original search query.
To download the file, users are required to provide personal details such as their email address and name.
Subsequently, they are prompted to enter their credit card information under the guise of completing the signup process.
Once victims input their credit card details, attackers display an error message claiming the card was not accepted.
Victims are encouraged to resubmit their information multiple times before being redirected to an HTTP 500 error page.
This tactic allows attackers to collect multiple sets of sensitive data from the same victim.
Technical Details
The campaign abuses Webflow’s legitimate hosting services to store and distribute malicious PDFs.
By embedding phishing links within CAPTCHA images, attackers bypass traditional static security scanners.
The use of Cloudflare Turnstile CAPTCHA further conceals the fraudulent nature of these phishing pages by mimicking genuine security checks.
To combat this threat, Netskope recommends deploying advanced threat protection solutions capable of detecting heuristic and generic phishing patterns in documents.
Netskope’s Advanced Threat Protection has identified specific signatures related to this campaign, such as Document-PDF.Trojan.Heuristic and Document-PDF.Phishing.Generic.
This campaign highlights the growing sophistication of phishing attacks that exploit legitimate platforms like Webflow and Cloudflare.
By combining SEO techniques with deceptive CAPTCHAs, attackers effectively lure users into providing sensitive financial and personal information.
Organizations are advised to enhance their security measures by monitoring HTTP/HTTPS traffic and employing proactive threat detection systems to mitigate these risks.
Netskope Threat Labs continues to monitor and respond to such campaigns to safeguard users against evolving cyber threats.
%20and%20SEO.){kind=link}