Full Report
A widespread phishing campaign has been observed leveraging bogus PDF documents hosted on the Webflow content delivery network (CDN) with an aim to steal credit card information and commit financial fraud. "The attacker targets victims searching for documents on search engines, resulting in access to a malicious PDF that contains a CAPTCHA image embedded with a phishing link, leading them to
Analysis Summary
# Tool/Technique: CAPTCHA Evasion via Webflow CDN (Phishing Chain)
## Overview
This technique describes a widespread phishing campaign that abuses the Webflow Content Delivery Network (CDN) for hosting malicious PDF documents. The PDFs contain an embedded image masquerading as a CAPTCHA, which, when clicked, redirects the victim through a legitimate-looking Cloudflare Turnstile CAPTCHA before finally leading to a credit card harvesting page. The attackers leverage this multi-step process to lend legitimacy to the scheme and bypass static security scanners.
## Technical Details
- Type: Technique/Phishing Framework (Involving multiple interconnected elements)
- Platform: Web/Cloud Services (Webflow CDN, targeting general internet users via search engines)
- Capabilities: Phishing lure delivery, security scanner evasion, credential/financial data harvesting, use of legitimate third-party services (Webflow CDN, Cloudflare Turnstile) for trust building.
- First Seen: Ongoing since the second half of 2024.
## MITRE ATT&CK Mapping
The primary focus of this chain is deception to harvest sensitive information:
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (The PDF acts as the vehicle)
- **TA0009 - Collection**
  - T1539 - Steal Application Access Token (Indirectly, by harvesting financial details which might replace need for token)
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel (Harvested credit card data is exfiltrated)
## Functionality
### Core Capabilities
- Hosting malicious PDF files on trusted infrastructure (Webflow CDN).
- Using search engine optimization (SEO) targeting for users searching for documents, books, or charts to drive traffic to the malicious PDFs.
- Embedding a *fake* CAPTCHA image within the PDF as the initial click mechanism.
### Advanced Features
- **Legitimacy Layering:** Redirecting the user *after* the initial click to a page hosting a *real* Cloudflare Turnstile CAPTCHA, fooling the victim into believing they are interacting with a genuine security measure.
- **Credential Harvest Stage:** Once the CAPTCHA is solved, presenting a final "download" button that triggers a pop-up requiring personal and credit card information input.
- **Error Masking:** Responding to initial failed credit card submissions with generic error messages, potentially encouraging repeat attempts, before redirecting to an HTTP 500 error page on subsequent failures.
- **Static Scanner Evasion:** By delivering the final payload via a redirection chain initiated by a static file (PDF) hosted on a vetted CDN, the initial payload avoids direct flagging by signature-based scanners.
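Triage of the lure itself, as an added example that is not code from the report: it scans a PDF's raw bytes for /URI link actions (inflating FlateDecode streams first, so annotations stored in compressed object streams are seen too) and reports those that lead away from the host the document was served from, which is the hand-off point of the chain described above. The PDF skeletons and every host name are constructed placeholders.

```python
import re
import zlib
from urllib.parse import urlparse

# Constructed sample (not from the report): a minimal PDF with one /Link annotation
# over a rectangle (where a fake CAPTCHA image would sit) whose /URI leaves the host.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [200 300 400 360]
  /A << /S /URI /URI (https://captcha-gate.example/verify?doc=42) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
# Second constructed sample: the same link action inside a FlateDecode stream,
# the way real documents keep annotations in compressed object streams.
SAMPLE_PDF_COMPRESSED = (
    b"%PDF-1.5\n5 0 obj << /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(b"4 0 << /Type /Annot /Subtype /Link /A << /S /URI "
                    b"/URI (https://captcha-gate.example/verify?doc=42) >> >>")
    + b"\nendstream\nendobj\n%%EOF\n"
)

_STREAM = re.compile(rb"/FlateDecode.*?stream\r?\n(.*?)\r?\nendstream", re.S)
_URI = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")  # PDF literal string, escapes allowed

def _inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of every FlateDecode stream so that objects
    hidden in compressed object streams are scanned as well."""
    extra = []
    for m in _STREAM.finditer(data):
        try:
            extra.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # encrypted, truncated or not really Flate data: skip it
    return data + b"\n" + b"\n".join(extra)

def extract_link_uris(pdf: bytes) -> list[str]:
    """Every /URI action in the document, unescaped and de-duplicated in order."""
    blob = _inflate_streams(pdf)
    uris = [re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1")
            for m in _URI.finditer(blob)]
    return list(dict.fromkeys(uris))

def offsite_links(pdf: bytes, hosting_host: str) -> list[str]:
    """URIs that leave the host the PDF was served from. A document on a trusted
    CDN whose clickable element leads to an outside 'verification' page is the
    exact hand-off this campaign relies on, so these deserve a closer look."""
    return [u for u in extract_link_uris(pdf)
            if (urlparse(u).hostname or "") != hosting_host.lower()]
```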
## Indicators of Compromise
- File Hashes: [No specific hashes provided in the context]
- File Names: Malicious PDF documents found via search engine results.
- Registry Keys: [Not applicable]
- Network Indicators: Final redirection to phishing pages designed to harvest PII/CC details. Domains/IPs used for hosting the final phishing pages are not specified, but the initial hosting occurs on the **Webflow CDN**.
- Behavioral Indicators: User clicks an embedded element in a PDF linked from search results, passes a real CAPTCHA challenge, and is then prompted for payment details rather than document access.
## Associated Threat Actors
- Threat actors engaging in financial fraud and widespread phishing campaigns (Groups exploiting SEO and reputable CDNs).
## Detection Methods
- Signature-based detection: Likely ineffective against the PDF lure hosted on the CDN itself.
- Behavioral detection: Flag sequences in which a document loaded from a CDN host rapidly triggers navigation to an external validation or data-entry page, particularly after a CAPTCHA challenge. Monitor navigation originating in PDF viewers that leads from high-reputation CDNs to known phishing templates.
- YARA rules: [Not available]
## Mitigation Strategies
- Implement robust browser security settings that interfere with rapid domain transitions following document interaction.
- Security gateways (proxies/DNS filters) must scrutinize URLs redirected *from* documents hosted on CDNs.
- User awareness training emphasizing that legitimate document downloads rarely require passing a CAPTCHA followed by credit card entry for a free item.
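The behavioral detection item above and the gateway scrutiny of URLs reached from CDN-hosted documents in the mitigation list reduce to one sequence rule: PDF from a trusted CDN, departure to another host, form submission there, all within a short window. The following is an added example, not code from the report, that applies that rule to constructed proxy log lines; the log format, host names and window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log lines (not from the report); fields are
# timestamp client method host path content_type (response type for GET,
# request body type for POST). Client 10.0.0.5 walks the chain the analysis
# describes; 10.0.0.9 only reads a PDF. All hosts are placeholders.
LOG_LINES = """
2024-11-02T10:00:01 10.0.0.5 GET cdn.example-host /docs/annual-chart.pdf application/pdf
2024-11-02T10:00:40 10.0.0.5 GET captcha-gate.example /verify?doc=42 text/html
2024-11-02T10:01:10 10.0.0.5 GET captcha-gate.example /download text/html
2024-11-02T10:01:35 10.0.0.5 POST captcha-gate.example /checkout application/x-www-form-urlencoded
2024-11-02T10:05:00 10.0.0.9 GET cdn.example-host /docs/catalog.pdf application/pdf
2024-11-02T10:09:00 10.0.0.9 GET intranet.example /home text/html
"""

CDN_HOSTS = {"cdn.example-host"}  # assumption: the CDN host(s) your gateway treats as trusted
WINDOW_SECONDS = 300               # how soon after the PDF the form post must follow

def parse(lines: str):
    """Split log lines into (ts, client, method, host, path, ctype) tuples, time-ordered."""
    events = []
    for line in lines.strip().splitlines():
        ts, client, method, host, path, ctype = line.split()
        events.append((datetime.fromisoformat(ts), client, method, host, path, ctype))
    return sorted(events)

def find_pdf_to_form_chains(lines: str, cdn_hosts=CDN_HOSTS, window_seconds=WINDOW_SECONDS):
    """Alerts (client, pdf_url, post_url) for clients that fetched a PDF from a
    trusted CDN and, inside the window, moved to a non-CDN host and POSTed a
    form there. The whole sequence is the signal: a PDF from a CDN alone, or a
    form post alone, is ordinary traffic and must not alert."""
    window = timedelta(seconds=window_seconds)
    by_client = defaultdict(list)
    for ev in parse(lines):
        by_client[ev[1]].append(ev)
    alerts = []
    for client, evs in by_client.items():
        for i, (ts, _, method, host, path, ctype) in enumerate(evs):
            if not (method == "GET" and host in cdn_hosts and ctype == "application/pdf"):
                continue
            left_cdn = False
            for ts2, _, m2, h2, p2, c2 in evs[i + 1:]:
                if ts2 - ts > window:
                    break
                left_cdn = left_cdn or h2 not in cdn_hosts
                if left_cdn and m2 == "POST" and c2.startswith("application/x-www-form-urlencoded"):
                    alerts.append((client, host + path, h2 + p2))
                    break
    return alerts
```

A gateway enforcing the mitigation can apply the same rule inline and hold or challenge the POST instead of only alerting on it.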
## Related Tools/Techniques
- **Astaroth Phishing Kit:** Mentioned alongside this activity, this kit ($2,000 on Telegram) provides reverse proxying capabilities (Evilginx-style) to harvest credentials and 2FA codes, indicating a common ecosystem targeting sophisticated credential theft.
- **Evilginx:** A known reverse proxy framework used for man-in-the-middle (MitM) and 2FA bypass, suggesting the professionalism of actors involved in this general threat landscape.