Cybercriminals Exploit Webflow to Launch Phishing Campaigns Targeting Sensitive Credentials

Cybersecurity researchers have identified a significant rise in phishing attacks utilizing Webflow, a legitimate website builder. These attacks target sensitive login information for various cryptocurrency wallets and corporate webmail platforms. With a tenfold increase in phishing traffic between April and September 2024, the campaigns highlight the growing sophistication of cybercriminals leveraging legitimate tools to deceive users.

  • Surge in Phishing Attacks: A 10-fold increase in phishing pages created with Webflow was tracked by Netskope Threat Labs, primarily targeting organizations in North America and Asia within financial, banking, and technology sectors.
  • Legitimate Tools Misused: Cybercriminals are utilizing Webflow to create custom subdomains for phishing pages. This makes the pages easy to create and stealthier than pages hosted on platforms like Cloudflare R2 and Microsoft Sway, whose random alphanumeric URLs look more suspicious.
  • Impersonation of Legitimate Services: The phishing pages mimic authentic login interfaces for various cryptocurrency wallets, including Coinbase and MetaMask, aiming to trick users into providing sensitive credentials, which are then exfiltrated.
  • Deceptive Recovery Messaging: Victims providing their recovery phrases receive false error messages stating account suspension due to unauthorized activity, prompting them to engage with support via chat services misused in past crypto scams.
  • Evolving Anti-Bot Services: New anti-bot services are emerging on the dark web, designed to evade detection from Google’s Safe Browsing, extending the operational lifespan of phishing sites and complicating defenses.
  • Malware Propagation through Phishing: Concurrently, campaigns are distributing WARMCOOKIE malware, which facilitates further malware installations, including CSharp-Streamer-RAT and Cobalt Strike, targeting various sectors including manufacturing and government.
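
A defender can turn the custom-subdomain point into a proxy-log check. The following is an added example, not code from Netskope or from this article. It assumes Webflow-hosted pages are served under `*.webflow.io`; the log format, the look-alike character map, and the sample hostnames are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: Webflow-published subdomains live under this suffix.
HOSTING_SUFFIX = ".webflow.io"
# Brands named in the article; extend with your own webmail and SSO brand names.
BRANDS = ("coinbase", "metamask")
# Constructed map of simple digit-for-letter swaps seen in look-alike labels.
LOOKALIKE = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s"})

def normalize(label):
    """Lowercase, undo digit swaps, and drop separators so 'meta-m4sk' -> 'metamask'."""
    return re.sub(r"[^a-z]", "", label.lower().translate(LOOKALIKE))

def webflow_brand_hit(url):
    """Return (host, brand) if url is a Webflow subdomain naming a watched brand, else None."""
    if "//" not in url:
        url = "//" + url  # let urlsplit parse scheme-less entries
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host.endswith(HOSTING_SUFFIX):
        return None  # the brand's own domain and other hosts are out of scope
    flat = normalize(host[: -len(HOSTING_SUFFIX)])
    for brand in BRANDS:
        if brand in flat:
            return (host, brand)
    return None

# Constructed proxy log: "<timestamp> <user> <url>" per line.
SAMPLE_LOG = """\
2024-09-12T08:14:03Z alice https://coinbase-wallet-login.webflow.io/
2024-09-12T08:15:41Z bob https://www.coinbase.com/signin
2024-09-12T08:17:09Z carol https://meta-m4sk-restore.webflow.io/recover
2024-09-12T08:19:55Z dave https://design-portfolio.webflow.io/
"""

def scan(log_text):
    """Return (user, host, brand) for each log line that hits the check."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _, user, url = parts
        hit = webflow_brand_hit(url)
        if hit:
            hits.append((user, hit[0], hit[1]))
    return hits

if __name__ == "__main__":
    for user, host, brand in scan(SAMPLE_LOG):
        print(f"{user} visited {host} (brand keyword: {brand})")
```

Substring matching will also flag legitimate Webflow sites that mention a brand, so treat hits as triage leads rather than verdicts. Pages served from a custom domain instead of the hosting suffix are not covered by this check.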

The rise of phishing campaigns utilizing Webflow exemplifies the increasing sophistication of cybercriminals who exploit legitimate tools to achieve their malicious goals. With targets spanning multiple sectors and campaigns relying on deceptive techniques, it is crucial for users to remain vigilant.