Cybercriminals Use Webflow to Deceive Users into Sharing Sensitive Login Credentials

Cybersecurity experts have noted a significant rise in phishing attacks utilizing Webflow, a legitimate website building tool, which threat actors exploit to create fraudulent pages. This escalation includes a tenfold increase in traffic directed to phishing sites crafted with Webflow from April to September 2024. The primary targets of these campaigns are various cryptocurrency wallets, such as Coinbase and MetaMask, and they also aim to capture login credentials for corporate email systems and Microsoft 365, with over 120 organizations affected worldwide, predominantly in North America and Asia within the financial and tech sectors.

Attackers are leveraging Webflow’s capabilities to create both independent phishing pages and mechanisms to redirect users to additional phishing sites. This dual strategy aids in evading detection; standalone pages can be easily generated without writing malicious code, while redirection provides the flexibility for more sophisticated tactics. In contrast to alternatives like Cloudflare R2 or Microsoft Sway, Webflow permits users to create custom subdomains without extra fees, making it less suspicious than automatically generated subdomains that typically exhibit random alphanumeric strings.

In their phishing schemes, attackers meticulously design fake login pages that closely resemble those of legitimate services, tricking users into handing over their credentials. In some cases, these scams also feature deceptive homepages that use screenshots of real wallet interfaces but redirect users to actual scam sites when interacted with. The ultimate aim is to acquire victims’ seed phrases, thereby allowing attackers to gain control of cryptocurrency wallets and siphon off funds.

Cybersecurity firm Netskope has observed that victims providing their recovery phrases often see an error message claiming their accounts have been suspended due to unauthorized activities, accompanied by a prompt to engage with a support team via online chat services such as Tawk.to. It is noteworthy that such chat services have been implicated in other cryptocurrency scams, such as those affiliated with the CryptoCore campaign.

Additionally, cybercriminals are deploying innovative anti-bot services on the dark web to circumvent Google’s Safe Browsing protocols on Chrome. Tools like Otus Anti-Bot and Limitless Anti-Bot are integral to advanced phishing operations, designed to elude identification by security crawlers, prolonging the availability of malicious sites and enhancing the evasion of detection by law enforcement.

The article also highlights ongoing malspam and malvertising campaigns promoting a rapidly evolving malware known as WARMCOOKIE, which serves as an entry point for other malware, including CSharp-Streamer-RAT and Cobalt Strike. WARMCOOKIE provides adversaries with functionalities such as payload deployment and file manipulation, facilitating long-term access to compromised network environments.

A detailed analysis indicates that WARMCOOKIE may be linked to familiar threat actors associated with another post-compromise implant named Resident, highlighting a trend of targeted attacks focusing on various industries, most prominently manufacturing, government, and financial services. Attack patterns stemming from these distribution campaigns have been especially prevalent in the United States, with incidents also reported in several other countries, including Canada and the United Kingdom.

As new techniques and tools evolve, cybersecurity experts urge users to remain vigilant against these threats, recommending that critical sites be accessed directly via typed URLs rather than clicking links from emails or search engines, to mitigate the risk of falling victim to sophisticated phishing schemes and scams.