October 29, 2024
Severity
High
Analysis Summary
Researchers have warned of an increase in phishing pages built with Webflow, a website builder, as threat actors continue to abuse legitimate services such as Microsoft Sway and Cloudflare.
The campaigns target login credentials for several corporate webmail services, Microsoft 365 login credentials, and private data from various cryptocurrency wallets, such as Coinbase, MetaMask, Phantom, Trezor, and Bitbuy. According to the researchers, between April and September 2024 the number of visitors to phishing pages created with Webflow increased tenfold, and the attacks targeted over 120 enterprises worldwide. Most of the targeted users are in the banking, technology, and financial services industries in North America and Asia.
Attackers use Webflow both to host stand-alone phishing pages and to redirect unwary users to other phishing pages under their control. The first approach is convenient and stealthy because the attacker writes no phishing code that defenders could identify; the second gives them the flexibility to carry out more complex operations as needed.
Webflow is far more attractive than Cloudflare R2 or Microsoft Sway because it lets customers choose a custom subdomain for free, rather than assigning an auto-generated random alphanumeric subdomain that is likely to raise suspicion. The phishing sites are made to look like the login pages of their legitimate counterparts to maximize the attack's chance of success. This deception persuades users to enter their credentials, which are in some cases then exfiltrated to a separate server.
Cybersecurity researchers have also detected Webflow cryptocurrency fraud websites that use screenshots of genuine wallet homepages as their landing pages. When a visitor clicks anywhere on the fake website, they are redirected to the actual scam site. The ultimate objective of a crypto-phishing campaign is to obtain the victim's seed phrases, which allow the attackers to take over the cryptocurrency wallets and steal the funds.
In one of the attacks the cybersecurity firm found, users who enter their recovery phrase are shown an error message stating that their account has been suspended because of "unauthorized activity and identification failure." The message then advises the user to start an online chat session on Tawk.to to contact the support staff.
It is worth noting that the CryptoCore cryptocurrency fraud campaign reported by Avast also abused chat systems, including LiveChat, Tawk.to, and Smartsupp. Rather than using search engines or clicking on links, users should always type the URL into their web browser to reach sensitive pages such as their webmail or banking portal.
Impact
- Credential Theft
- Identity Theft
- Financial Loss
- Data Exfiltration
Indicators of Compromise
URL
- https://coinbbextensins.webflow.io/
- https://my-fantastic-site-923bd6.webflow.io/
- https://tzy---start.webflow.io/
- https://homepage-eigengion.webflow.io/
- https://cakedeffee.webflow.io/
- https://cryptslgninisues.webflow.io/
- https://coiundbasextion.webflow.io/
- https://coinbeoiuiexiension.webflow.io/
- https://auth--g----crypto-sso-cdn-s.webflow.io/
- https://aauth-g-sso-crspto-s-sapp.webflow.io/
- https://shaw-0d76f0.webflow.io/
- https://webb--sso-set--kucoin.webflow.io/
- https://cbasewat-ensiton.webflow.io/
- https://coinvsextensin.webflow.io/
- https://coiibaisxtensiion.webflow.io/
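The following Python script is an added example and is not part of this advisory or any vendor tooling. It implements the "block" and "search for IOCs" remediation steps against the URL indicators listed above: it extracts URLs from web-proxy log lines and matches them on hostname against the IOC list, so a hit on any path under an indicator host is still reported. As a hunting aid it also flags other *.webflow.io subdomains whose label contains wallet-brand or login vocabulary of the kind seen in the IOC labels. The log lines, the non-IOC hostnames, the log format and the token list are constructed for this example.

```python
"""Triage web-proxy log lines against the Webflow phishing URL indicators.

Added example for this advisory: the sample log lines, the non-IOC
hostnames and the token heuristic are constructed, not observed data.
"""
import re
from urllib.parse import urlsplit

# The URL indicators listed in the advisory.
IOC_URLS = [
    "https://coinbbextensins.webflow.io/",
    "https://my-fantastic-site-923bd6.webflow.io/",
    "https://tzy---start.webflow.io/",
    "https://homepage-eigengion.webflow.io/",
    "https://cakedeffee.webflow.io/",
    "https://cryptslgninisues.webflow.io/",
    "https://coiundbasextion.webflow.io/",
    "https://coinbeoiuiexiension.webflow.io/",
    "https://auth--g----crypto-sso-cdn-s.webflow.io/",
    "https://aauth-g-sso-crspto-s-sapp.webflow.io/",
    "https://shaw-0d76f0.webflow.io/",
    "https://webb--sso-set--kucoin.webflow.io/",
    "https://cbasewat-ensiton.webflow.io/",
    "https://coinvsextensin.webflow.io/",
    "https://coiibaisxtensiion.webflow.io/",
]

# Match on the host rather than the full URL, so "https://HOST/login" still hits.
IOC_HOSTS = frozenset(urlsplit(u).hostname for u in IOC_URLS)

# Constructed heuristic: wallet/exchange brand fragments and login vocabulary
# of the kind seen in the IOC labels. Used only to flag *.webflow.io hosts
# that are not (yet) in the IOC list.
SUSPICIOUS_TOKENS = (
    "coin", "base", "metamask", "phantom", "trezor", "bitbuy", "kucoin",
    "crypt", "wallet", "auth", "sso", "login", "ext",
)
WEBFLOW_SUFFIX = ".webflow.io"

URL_RE = re.compile(r"https?://[^\s\"']+")


def host_of(url):
    """Lower-cased host of a URL (urlsplit lower-cases it), or None if unparsable."""
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None


def suspicious_tokens(host):
    """Tokens from SUSPICIOUS_TOKENS found in the subdomain label of a
    *.webflow.io host, after stripping the separator padding seen in the
    IOCs (e.g. 'auth--g----crypto-sso'). Empty for any other host."""
    if not host or not host.endswith(WEBFLOW_SUFFIX):
        return []
    label = host[: -len(WEBFLOW_SUFFIX)]
    flat = re.sub(r"[^a-z0-9]", "", label)
    return [t for t in SUSPICIOUS_TOKENS if t in flat]


def classify(url):
    """Return ('ioc', host), ('lookalike', tokens) or ('clean', host)."""
    host = host_of(url)
    if host in IOC_HOSTS:
        return "ioc", host
    tokens = suspicious_tokens(host)
    if tokens:
        return "lookalike", tokens
    return "clean", host


def triage(log_lines):
    """Return (url, verdict, detail) for every URL in the log lines that is
    an IOC hit or a Webflow lookalike; clean URLs are not reported."""
    findings = []
    for line in log_lines:
        for url in URL_RE.findall(line):
            verdict, detail = classify(url)
            if verdict != "clean":
                findings.append((url, verdict, detail))
    return findings


# Constructed proxy log lines: timestamp, client IP, method, URL, status.
SAMPLE_LOG = """\
2024-10-29T10:15:02Z 10.0.0.12 GET https://www.example.com/ 200
2024-10-29T10:15:09Z 10.0.0.12 GET https://coinbbextensins.webflow.io/ 200
2024-10-29T10:16:41Z 10.0.0.31 POST https://webb--sso-set--kucoin.webflow.io/submit 302
2024-10-29T10:17:03Z 10.0.0.44 GET https://my-portfolio-site.webflow.io/about 200
2024-10-29T10:18:27Z 10.0.0.44 GET https://coinbase-wallet-login.webflow.io/ 200
""".splitlines()

if __name__ == "__main__":
    for url, verdict, detail in triage(SAMPLE_LOG):
        print(f"{verdict:9} {url}  {detail}")
```

Exact IOC matches are suitable for blocking; the lookalike verdict is a hunting signal only, because short tokens such as "ext" or "sso" will also match benign site names, so those hits should be reviewed before any control is applied. Feeding a real proxy export into `triage()` only requires that each line contain the visited URL in full.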
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Never trust or open links and attachments received from unknown sources/senders.
- Implement multi-factor authentication to add an extra layer of security to login processes.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Stay vigilant and follow cybersecurity best practices to protect systems and data from potential threats, including regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.