Phishing Campaign Abuses Webflow CDN & CAPTCHAs to Steal Credit Card Data
A recent cybersecurity report reveals a sophisticated phishing campaign that exploits the Webflow CDN and deceptive CAPTCHA images to steal credit card data. Attackers employ search engine optimization (SEO) tactics to drive victims to malicious PDFs, which lead them through a fake CAPTCHA verification before requesting personal and financial information. By abusing trusted services like Webflow and Cloudflare, the attackers make detection more challenging. Researchers advise users to verify website authenticity and remain cautious when entering sensitive details.
Technical Description
This has been active since mid-2024 and the campaign has already impacted thousands of individuals across various Netskope customers, underscoring the ever-evolving nature of cyber threats. Attackers exploit search engine optimization (SEO) techniques to target users searching for specific documents, book titles and charts. By embedding malicious PDF files within the Webflow CDN, they ensure these files rank in search results, making them appear legitimate. These PDFs feature deceptive CAPTCHA images, which victims mistake for genuine security verification. However, these images hide phishing links that redirect users to a fraudulent authentication process.
After clicking the fake CAPTCHA, users are redirected to a Cloudflare Turnstile CAPTCHA page, adding another layer of deception to enhance the illusion of legitimacy. This tactic convinces victims they are undergoing a genuine security check. Once completed, they are taken to a fraudulent online forum that prompts them to register for access to the document they initially searched for. During the registration process, they are asked to provide personal details such as their name and email address. Eventually, they are required to enter their credit card information – the attackers’ ultimate objective.
To deepen their deception, the attackers display an error message claiming the credit card transaction has failed. This tactic pressures victims into repeatedly entering their payment details, believing a temporary issue is preventing the transaction from going through. Each attempt triggers the same error message, further misleading the user. Once the attackers have successfully captured the victim’s financial data, the website ultimately redirects them to an HTTP 500 error page, severing any further interaction.
Conclusion
By exploiting trusted online services like Webflow and Cloudflare, attackers have crafted a phishing scheme that is notably difficult to detect. The combination of fake CAPTCHAs and multi-step redirection makes it harder for users to recognize the threat until it is too late. This approach highlights the growing sophistication of cybercriminals, who continuously refine their tactics to evade security measures and exploit human trust.
Researchers stress the need for vigilance when interacting with online documents and email links, even if they seem to come from reputable sources. Users should always verify a website’s authenticity before entering sensitive personal or financial information. Practicing caution and adopting strong cybersecurity habits can help reduce the risk of falling victim to such phishing scams.
Impact
This phishing campaign presents serious risks to organizations, including financial losses, data breaches and reputational harm. If employees fall victim, they may inadvertently expose corporate credentials, enabling unauthorized access and potential cyberattacks. Additionally, compromised customer or employee data could lead to compliance violations and legal repercussions. To mitigate these threats, organizations must prioritize cybersecurity awareness and implement strong security measures.
IOC and Context Details
| Topics | Details |
|---|---|
| Tactic Name | Execution, Initial Access |
| Technique Name | User Execution, Phishing |
| Sub Technique Name | Malicious File, Malicious Link, Spear phishing Attachment, Spear phishing Link |
| Attack Type | Phishing |
| Targeted Applications | Generic |
| Region Impacted | Global |
| Industry Impacted | All |
| IOC’s | URL hxxps://assets[.]website-files[.]com/65e87f56e7f3910126edaacc/ 65f3b2a421947730eb332f62_13436878336[.]pdf, hxxps://assets[.]we bsite-files[.]com/65dcd46fa0671b2619a77742/6631fe9987336fdd2b7d fcb1_ditubamudokipudijepagoj[.]pdf, hxxps://assets[.]website-files[.]c om/65dc9005ac08330b77a8c9bb/66cef80168bdeadc8d627e8d_41264 103592[.]pdf, hxxps://assets[.]website-files[.]com/65dccaeb10e0c5a8 e77bd6b7/65ff3614378d84ed95db945e_90174167496[.]pdf, hxxps://a ssets[.]website-files[.]com/65e87d9324e1cd3ac823e66d/66d14e38110 a660e74d01ef3_5699542139[.]pdf, hxxps://assets[.]website-files[.]co m/65dcc9491b806b929436ddf1/66c7ad559547e04a65096b0b_73730 03800[.]pdf, hxxps://assets[.]website-files[.]com/660016444d84bb580 d885ce4/66caafd2a84a018f5184d34e_porebogexijibo[.]pdf, hxxps://a ssets[.]website-files[.]com/65ffce60af755ba8f6ba7e7e/6602be77c97b 1f6df846f420_92287932745[.]pdf, hxxps://assets[.]website-files[.]co m/65dcb50993210214a79e53f8/6635aa32bfe92ef2efe60bb5_giguzene w[.]pdf, hxxps://assets[.]website-files[.]com/65dca9b0ea8aed665c85b 452/66ccf17091ba78f475c1b232_32952601842[.]pdf, hxxps://assets [.]website-files[.]com/65effbab6df82594834e00da/6616d5fce4342801 81f22423_91774751819[.]pdf, hxxps://assets[.]website-files[.]com/66 004e9f6340908f6929626e/663431771c1f1b5fe38f9475_51553588207 [.]pdf, hxxps://assets[.]website-files[.]com/660037ea13d5a8d681ef9c 1c/66cba14630d078cb45c8ac94_xeteto[.]pdf, hxxps://assets[.]websit e-files[.]com/65dcbe998dbb3e670349d888/662eb5b496695bb401f404 5a_46754669253[.]pdf, hxxps://assets[.]website-files[.]com/65dcbb74 3e4729e71c623664/66c97a237303d773874abfe1_46605469514[.]pdf , hxxps://assets[.]website-files[.]com/65effbab6df82594834e00da/66ca da734043347f9ae365d6_rakubukarajukase[.]pdf, hxxps://assets[.]web site-files[.]com/65dcb5c28b463f8217689735/662ff9ea1e3f2d33ec801c 42_pivajipipanusasipiseru[.]pdf, hxxps://assets[.]website-files[.]com/6 5e88b908c04c7b8f0d42064/66144fe5645735ce1b8f3eb6_ripupitupa[.] pdf, hxxps://assets[.]website-files[.]com/65dcc8141a8415f2ec7bfde1/ 65f5d93eb11f2cc9f40fd1b5_turunujepusupevuvavafe[.]pdf, hxxps://as sets[.]website-files[.]com/65e884e303c26b88fe1e745f/66ca8195e9cc1 1d29acb5c10_79240046781[.]pdf, hxxps://assets[.]website-files[.]co m/65ffe997a7370d500bec4199/66c91e92eb25bc77e4c156bc_zines[.]p df |
| CVE | NA |
Recommended Actions
- Enhance Employee Awareness & Training – Regularly conduct cybersecurity training to educate employees on phishing tactics, fake CAPTCHAs and SEO-driven threats. Encourage caution when downloading documents from search engines.
- Implement Advanced Email & Web Filtering – Deploy security solutions that detect and block phishing emails, malicious attachments and links. Use web filtering tools to restrict access to suspicious domains.
- Strengthen Multi-Factor Authentication (MFA) – Enforce MFA for all employee accounts, particularly those with access to sensitive data, to minimize the risk of credential compromise.
- Monitor and Block Suspicious Domains – Continuously track network traffic for unusual activity and maintain a blacklist of known phishing sites. Leverage threat intelligence feeds to proactively block emerging threats.
- Conduct Regular Phishing Simulations – Test employees’ ability to identify phishing attempts through simulated exercises. This will help detect vulnerabilities and reinforce security training.
- Encourage Secure Browsing Practices – Advise employees to verify website authenticity before entering sensitive information. They should avoid downloading files from untrusted sources and be cautious when completing CAPTCHA challenges.
- Deploy Endpoint Protection Solutions – Use endpoint detection and response (EDR) tools to identify and mitigate malware or suspicious activity. Ensure all security software remains updated.
- Establish an Incident Response Plan – Develop a structured response plan to quickly address phishing incidents, including reporting, investigation and mitigation steps to prevent data breaches and financial fraud.