A widespread phishing campaign has been discovered that uses fake PDF files hosted on the Webflow content delivery network (CDN) with the aim of stealing credit card data and committing financial fraud.
According to Jan Michael Alcantara, a researcher with Netskope Threat Labs, the attacker “targets victims who are searching for documents on search engines, giving them access to a malicious PDF that has a CAPTCHA image embedded with a phishing link, leading them to give sensitive information.”
The campaign, ongoing since the second half of 2024, involves people searching for book titles, documents, and charts on search engines such as Google being redirected to PDF files hosted on the Webflow CDN.
Users who click on the image embedded in the PDF, which resembles a CAPTCHA challenge, are then directed to a phishing site that, unlike the fake one in the PDF, hosts a real Cloudflare Turnstile CAPTCHA.
In doing so, the attackers give the process a veneer of legitimacy, deceiving victims into believing they have passed a security check, while also evading detection by dynamic scanners.
Users who complete the genuine CAPTCHA challenge are then taken to a page with a “download” button for the document they were looking for. When they attempt to complete that step, the victims are instead shown a pop-up message asking them to enter their personal and credit card details.
According to Michael Alcantara, the attacker may then display an error message stating that the credit card information was not accepted. If the victim submits their credit card details two or three more times, they may be redirected to an HTTP 500 error page.
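As an added detection example (not code from Netskope or the original article), the scanner below pulls `/Link` annotations with `/URI` actions out of a PDF and flags the shape of this lure: a large, image-sized click target whose link leaves a trusted host set. The sample PDF and the `captcha-lure.example` host are constructed for the demo and are not indicators from the campaign.

```python
import re
from urllib.parse import urlparse

# Constructed minimal PDF for the demo: one page carrying a single large /Link
# annotation (the clickable "CAPTCHA image") whose URI action leaves the document.
# The host is a placeholder, not a real indicator from the campaign.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [100 300 500 500]
   /A << /S /URI /URI (https://captcha-lure.example/verify?doc=123) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

LINK_OBJ = re.compile(rb"/Subtype\s*/Link(?P<body>.*?)endobj", re.S)
RECT = re.compile(rb"/Rect\s*\[\s*([-\d.]+)\s+([-\d.]+)\s+([-\d.]+)\s+([-\d.]+)\s*\]")
URI = re.compile(rb"/S\s*/URI\s*/URI\s*\((?P<uri>[^)]*)\)")


def extract_links(pdf_bytes: bytes) -> list[tuple[str, float]]:
    """Return (uri, clickable_area_in_points^2) for every /Link annotation that
    carries a /URI action. Caveat: objects packed into compressed object streams
    (PDF 1.5+) are invisible to a byte scan; inflate them with a PDF library first."""
    links = []
    for obj in LINK_OBJ.finditer(pdf_bytes):
        body = obj.group("body")
        uri_m = URI.search(body)
        if not uri_m:
            continue
        area = 0.0
        rect_m = RECT.search(body)
        if rect_m:
            x1, y1, x2, y2 = (float(v) for v in rect_m.groups())
            area = abs(x2 - x1) * abs(y2 - y1)
        links.append((uri_m.group("uri").decode("latin-1"), area))
    return links


def flag_lure_links(pdf_bytes: bytes, trusted_hosts: set[str], min_area: float = 20000.0) -> list[str]:
    """Flag links that leave the trusted host set AND cover an image-sized click
    target, the shape of a fake-CAPTCHA lure; small footnote-style links pass."""
    flagged = []
    for uri, area in extract_links(pdf_bytes):
        host = urlparse(uri).hostname or ""
        if host not in trusted_hosts and area >= min_area:
            flagged.append(uri)
    return flagged
```

Run it over PDFs landing from web downloads or mail attachments and review anything flagged; the area threshold (in PDF points squared) is a tuning knob, not a hard rule.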
Astaroth, a phishing kit that shares its name with a known banking malware family, is being sold on Telegram and hacking marketplaces for $2,000 in exchange for six months of updates and bypass techniques, according to a report from SlashNext.
Like other phishing-as-a-service (PhaaS) offerings, it gives cybercriminals the ability to harvest credentials and two-factor authentication (2FA) codes via bogus login pages that mimic popular online services.
Security researcher Daniel Kelley described Astaroth as using a reverse proxy to intercept and manipulate traffic between victims and legitimate authentication services such as Gmail, Yahoo, and Microsoft. “Acting as a man-in-the-middle, it captures login credentials, tokens, and session cookies in real time, essentially bypassing 2FA.”