
A recent phishing campaign has emerged that utilizes counterfeit PDF documents hosted on the Webflow content delivery network (CDN) to deceive users into revealing their credit card information for financial fraud.
According to Netskope Threat Labs researcher Jan Michael Alcantara, attackers are targeting victims searching for various documents on search engines. These searches lead users to malicious PDFs that contain a CAPTCHA image embedded with a phishing link, which redirects them to a site designed to harvest sensitive information.
The scheme, which has been active since the latter half of 2024, tricks users searching for book titles or documents by positioning these deceptive PDFs prominently in search engine results. The PDF features an image mimicking a CAPTCHA to create a false sense of security; clicking the malicious link embedded in it directs users to a legitimate Cloudflare Turnstile CAPTCHA page. This additional element of realism further obscures the attacker’s intentions while enabling them to evade detection by static security scanners.
Once users complete the CAPTCHA challenge, they are redirected to a page that promises to deliver the requested document. However, when they attempt to download it, they are confronted with a message prompting them to enter personal and credit card information.
Alcantara highlights that upon submitting their credit card information, victims receive an error suggesting the details were rejected. If they resubmit their data multiple times, they are ultimately led to an HTTP 500 error page, enhancing the pressure to comply with the attack.
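For triaging downloaded PDFs, the lure described above (an image-sized clickable region that opens an external URL) can be checked for in the file itself. The following Python is an added example, not code from Netskope or the original article; it reads only uncompressed annotation objects, and the sample PDF, its placeholder hosts, and the 5% page-area threshold are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample: an uncompressed one-page PDF fragment with two link
# annotations. Hosts are placeholders, not indicators from the report.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Page /MediaBox [0 0 612 792] /Annots [2 0 R 3 0 R] >> endobj
2 0 obj << /Type /Annot /Subtype /Link /Rect [156 300 456 420]
  /A << /S /URI /URI (https://verify.example.net/doc?id=1) >> >> endobj
3 0 obj << /Type /Annot /Subtype /Link /Rect [72 40 160 52]
  /A << /S /URI /URI (https://publisher.example.org/terms) >> >> endobj
%%EOF
"""

NUM = rb"(-?\d+(?:\.\d+)?)"
BOX = rb"\s*\[\s*" + NUM + rb"\s+" + NUM + rb"\s+" + NUM + rb"\s+" + NUM + rb"\s*\]"
OBJ_RE = re.compile(rb"\d+\s+\d+\s+obj(.*?)endobj", re.S)
RECT_RE = re.compile(rb"/Rect" + BOX)
MEDIABOX_RE = re.compile(rb"/MediaBox" + BOX)
URI_RE = re.compile(rb"/URI\s*\((.*?)\)", re.S)

def _area(match):
    x0, y0, x1, y1 = (float(v) for v in match.groups())
    return abs(x1 - x0) * abs(y1 - y0)

def link_annotations(pdf_bytes):
    """Yield (uri, area) for each uncompressed /Link annotation with a URI action."""
    for obj in OBJ_RE.finditer(pdf_bytes):
        body = obj.group(1)
        if not re.search(rb"/Subtype\s*/Link\b", body):
            continue
        rect, uri = RECT_RE.search(body), URI_RE.search(body)
        if rect and uri:
            yield uri.group(1).decode("latin-1"), _area(rect)

def triage(pdf_bytes, min_fraction=0.05):
    """Return web links whose clickable area is at least min_fraction of the page."""
    box = MEDIABOX_RE.search(pdf_bytes)
    page_area = _area(box) if box else 612.0 * 792.0  # assume US Letter if absent
    findings = []
    for uri, area in link_annotations(pdf_bytes):
        host = urlparse(uri).hostname
        if host and page_area and area / page_area >= min_fraction:
            fraction = round(area / page_area, 3)
            findings.append({"host": host, "uri": uri, "page_fraction": fraction})
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_PDF))
```

A hit is a prompt for review, not a verdict: legitimate documents also contain large clickable banners, and PDFs that store annotations in compressed object streams need to be decompressed before this check sees them.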
The development coincides with the release of a new phishing kit called Astaroth, which is being promoted on Telegram and cybercrime forums for $2,000. This kit enables cybercriminals to collect credentials and two-factor authentication codes through counterfeit login pages that mimic those of legitimate online services.
Astaroth employs techniques similar to those of "phishing-as-a-service" offerings, using methods such as reverse proxies to intercept and manipulate traffic. This allows the attackers to capture credentials and session data in real time, effectively circumventing two-factor authentication protections.
With these evolving tactics, it’s clear that users must remain vigilant against phishing attempts and always verify the authenticity of documents and websites before entering sensitive information.