Security researchers have raised an alert about a surge in phishing pages built with the website builder Webflow. The attackers are also abusing other trusted platforms, such as Cloudflare and Microsoft Sway, to host their campaigns.
“These endeavors are focused on garnering sensitive details from various cryptocurrency wallets, such as Coinbase, MetaMask, Phantom, Trezor, and Bitbuy, in addition to login credentials for numerous corporate email platforms and Microsoft 365 accounts,” stated Netskope Threat Labs analyst Jan Michael Alcantara in a detailed examination report.
The cybersecurity firm reported a tenfold rise in traffic to phishing pages created with Webflow between April and September 2024, with more than 120 organizations worldwide affected. Many of the targets are located in North America and Asia, mainly in the financial, banking, and technology sectors.
The attackers have been using Webflow both to host standalone phishing pages and to redirect unsuspecting users to other phishing pages under their control.
“This tactic allows assailants a covert and simple approach as there is no need to code phishing scripts. Meanwhile, the latter grants the malefactor flexibility to conduct more intricate activities as necessary,” mentioned Michael Alcantara.
Webflow has a particular appeal over Cloudflare R2 or Microsoft Sway: it lets users set up custom subdomains at no extra cost, whereas the other two assign auto-generated random alphanumeric subdomains or paths that can raise suspicion:
- Cloudflare R2: https://pub-<32_alphanumeric_string>.r2.dev/webpage.htm
- Microsoft Sway: https://sway.cloud.microsoft/{16_alphanumeric_string}?ref={sharing_option}
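The two URL shapes above are regular enough to be matched directly, while a Webflow page is identified only by its hosting domain and the attacker-chosen subdomain. The following is an added example of how a defender might flag such URLs in web-proxy logs; it is not Netskope's tooling or code from the report. It assumes Webflow's free hosting domain is `*.webflow.io` (an assumption not stated on the page), and the log lines it scans are constructed for illustration.

```python
"""Flag proxy-log URLs hosted on the services discussed above:
Cloudflare R2 public buckets, Microsoft Sway, and Webflow.
Added example; not Netskope's tooling. Sample log lines are constructed."""
import re
from urllib.parse import urlparse

# R2 and Sway shapes follow the patterns quoted in the text.
# The Webflow rule assumes the free *.webflow.io hosting domain (assumption).
R2_HOST = re.compile(r"^pub-[a-z0-9]{32}\.r2\.dev$", re.I)
SWAY_HOST = "sway.cloud.microsoft"
SWAY_PATH = re.compile(r"^/[a-z0-9]{16}$", re.I)
WEBFLOW_SUFFIX = ".webflow.io"


def classify_url(url: str):
    """Return (platform, detail) when the URL sits on a watched service,
    otherwise None. 'detail' is the host, path id, or subdomain for triage."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if R2_HOST.match(host):
        return ("cloudflare_r2", host)
    if host == SWAY_HOST and SWAY_PATH.match(parsed.path):
        return ("microsoft_sway", parsed.path.lstrip("/"))
    if host.endswith(WEBFLOW_SUFFIX):
        # The subdomain is chosen by the site author, so a brand-like name
        # (a wallet or mail provider) is the thing worth surfacing for review.
        return ("webflow", host[: -len(WEBFLOW_SUFFIX)])
    return None


def scan_log(lines):
    """Parse 'timestamp user url' proxy lines and return the flagged entries."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than fail the whole scan
        ts, user, url = parts[0], parts[1], parts[2]
        verdict = classify_url(url)
        if verdict:
            hits.append({"time": ts, "user": user, "url": url,
                         "platform": verdict[0], "detail": verdict[1]})
    return hits


# Constructed sample log: three hits, one benign URL, one near-miss (R2 host
# whose bucket id is not 32 characters, so it does not match the pattern).
SAMPLE_LOG = [
    "2024-09-12T10:01:05Z alice https://pub-0123456789abcdef0123456789abcdef.r2.dev/webpage.htm",
    "2024-09-12T10:02:11Z bob https://sway.cloud.microsoft/AbCdEf0123456789?ref=Link",
    "2024-09-12T10:03:40Z carol https://example-wallet-login.webflow.io/",
    "2024-09-12T10:04:02Z dave https://www.example.com/login",
    "2024-09-12T10:05:30Z erin https://pub-tooshort.r2.dev/x.htm",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['user']} {hit['platform']:15} {hit['detail']}")
```

A hit on these hosts is not proof of phishing, since all three services host plenty of legitimate content; the point is to surface them for review, and the Webflow subdomain in particular is the field an analyst should compare against the brands the organization's users actually log in to.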
To improve their odds of success, the phishing pages are carefully crafted to mimic the genuine login pages and trick users into entering their credentials, which are in some cases exfiltrated to a separate server.
Netskope also uncovered cryptocurrency-themed Webflow scams that use a screenshot of a legitimate wallet's homepage as the landing page, redirecting visitors to the actual phishing site when they click on it.
The ultimate goal of these crypto-phishing campaigns is to capture the victim's seed phrase, which gives the attackers control over the cryptocurrency wallet and lets them drain its funds.
In cases observed by the firm, users who enter their recovery phrase are shown an error message stating that their account has been suspended due to "unauthorized activity and identification failure," and are prompted to contact the support team through an online chat hosted on tawk.to.
It is worth noting that chat services such as LiveChat, Tawk.to, and Smartsupp have previously been abused in a cryptocurrency scam campaign that Avast named CryptoCore.
“Users should directly input essential URLs like banking portals or email platforms into the browser’s address bar instead of relying on search engines or external links,” emphasized Michael Alcantara.
The development comes as cybercriminals advertise advanced anti-bot services on the dark web that claim to bypass Google Safe Browsing warnings in the Chrome web browser.
“Anti-bot solutions like Otus Anti-Bot, Remove Red, and Limitless Anti-Bot are pivotal components of intricate phishing schemes,” as mentioned in a recent report by SlashNext. “These solutions aim to obstruct security crawlers from identifying fraudulent pages and placing them on blocklists.”
“By filtering out cybersecurity bots and concealing phishing ruses from scanners, these tools prolong the operational lifespan of malicious websites, facilitating criminal evasion of detection for an extended timeframe.”
Ongoing malspam and malvertising campaigns have also been observed distributing an evolving malware family called WARMCOOKIE (also known as BadSpace), which then serves as a conduit for other malware such as CSharp-Streamer-RAT and Cobalt Strike.
“WarmCookie offers diverse functionalities for adversaries, including payload deployment, file operations, command execution, screen capture, and persistence, making it a desirable tool once initial access is secured to enable long-term access within compromised networks,” Cisco Talos stated.
Analysis of the source code suggests that the malware may have been developed by the same threat actors behind Resident, a post-compromise tool deployed in activity tracked as TA866 (also known as Asylum Ambuscade), alongside the Rhadamanthys information stealer. The campaigns have primarily targeted the manufacturing sector, followed by government and financial services organizations.
“Although the prolonged targeting associated with the distribution campaigns seems widespread, most cases of follow-on malware sightings were in the U.S., with some sightings in Canada, the U.K., Germany, Italy, Austria, and the Netherlands,” Talos explained.