
Phishing campaign exploits search engines to steal credit card info


Sophisticated phishing attacks use malicious PDFs and fake captchas in search results to steal credit card data. The attackers leverage Webflow’s Content Delivery Network (CDN) to store and distribute malicious PDF files. These PDFs are designed to appear in search engine results when users look for specific documents, books, or charts.

By embedding relevant keywords, attackers ensure these files rank high in search results, increasing the likelihood of victims accessing them.

Once opened, the PDFs present a captcha image that contains an embedded phishing link. This deceptive method tricks users into interacting with the phishing site, believing it to be a legitimate verification step.

Phishing PDF at the top of a search result. | Source: Netskope

A notable aspect of this campaign is its use of a captcha to enhance credibility and evade security scans. Unlike previous malware campaigns, where attackers exploited the captcha to execute malicious scripts, this attack incorporates a phishing URL directly into the captcha image. Clicking on it redirects victims to an actual Cloudflare Turnstile captcha, adding a layer of legitimacy and reducing suspicion.

Once the Cloudflare captcha is completed, victims land on a forum that appears to offer the document they initially searched for. However, they are prompted to create an account by providing their email address and personal details before accessing the file.

To finalise the registration, users are required to enter their credit card details. Regardless of the input, an error message appears, prompting victims to re-enter their information multiple times. After several attempts, the site displays an HTTP 500 error page, terminating the session while the attackers collect the submitted credit card data.

Phishing link embedded in a captcha. | Source: Netskope

“[Attackers] use SEO techniques to lead victims into accessing malicious PDF files hosted on the Webflow CDN, which contain a fake CAPTCHA image. Attackers embed phishing links into the fake CAPTCHA image to redirect victims to the phishing website,” researchers summarised. “They use Cloudflare Turnstile to deceive victims they are solving a legitimate CAPTCHA, while also protecting their phishing pages from static scanners.”
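For defenders triaging PDFs like the ones described above, one useful signal is a link annotation whose clickable rectangle covers a large part of the page, which is what a clickable captcha image looks like in the file structure. The following is an added example, not code from Netskope or from the article; the sample bytes, the `.example` URLs, the function names and the 25% threshold are all constructed assumptions, and it only reads uncompressed objects, so compressed object streams must be expanded first.

```python
import re

# Constructed sample: uncompressed PDF objects for a one-page file with
# two link annotations, one image-sized and one the size of a text link.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Page /MediaBox [0 0 612 792] /Annots [2 0 R 3 0 R] >> endobj
2 0 obj << /Type /Annot /Subtype /Link /Rect [56 300 556 700]
   /A << /S /URI /URI (https://phish.example/verify) >> >> endobj
3 0 obj << /Type /Annot /Subtype /Link /Rect [72 40 200 52]
   /A << /S /URI /URI (https://publisher.example/terms) >> >> endobj
"""

_BOX = rb"\s*\[\s*([-\d.]+)\s+([-\d.]+)\s+([-\d.]+)\s+([-\d.]+)\s*\]"
OBJ_RE = re.compile(rb"\d+\s+\d+\s+obj(.*?)endobj", re.S)
RECT_RE = re.compile(rb"/Rect" + _BOX)
MEDIABOX_RE = re.compile(rb"/MediaBox" + _BOX)
# Matches the URI string itself, not the "/S /URI" action-type name.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def _area(match):
    """Area of a PDF rectangle given as [x0 y0 x1 y1]."""
    x0, y0, x1, y1 = (float(v) for v in match.groups())
    return abs(x1 - x0) * abs(y1 - y0)


def link_annotations(pdf_bytes):
    """Return (uri, rect_area) for each /Link annotation with a /URI action."""
    links = []
    for obj in OBJ_RE.findall(pdf_bytes):
        if not re.search(rb"/Subtype\s*/Link\b", obj):
            continue
        rect, uri = RECT_RE.search(obj), URI_RE.search(obj)
        if rect and uri:
            links.append((uri.group(1).decode("latin-1"), _area(rect)))
    return links


def oversized_links(pdf_bytes, min_page_fraction=0.25):
    """Flag URIs whose clickable rectangle covers a large share of the page."""
    box = MEDIABOX_RE.search(pdf_bytes)
    page_area = _area(box) if box else 612 * 792  # assume US Letter if absent
    return [uri for uri, area in link_annotations(pdf_bytes)
            if area / page_area >= min_page_fraction]
```

A flagged URI is a lead for review rather than a verdict, since legitimate documents also use large clickable banners.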

Researchers recently discovered a fake Salesforce email used in massive Facebook phishing attacks. In other news, Amazon Prime customers were targeted in a phishing campaign.


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
