Security experts have warned of an upsurge in phishing pages built with Webflow, a website builder tool, as attackers continue to use legitimate services such as Microsoft Sway and Cloudflare.
The malicious campaign targets login credentials for multiple corporate webmail services, Microsoft 365 login credentials, and sensitive data from cryptocurrency wallets like Coinbase, MetaMask, Phantom, Trezor, and Bitbuy.
According to the researchers, between April and September 2024, the number of visitors to Webflow-created phishing pages jumped tenfold, and the attacks targeted over 120 organisations worldwide. The majority of the people targeted work in the banking, technology, and financial services industries in North America and Asia.
Attackers have utilised Webflow to create standalone phishing pages as well as to redirect unsuspecting users to additional phishing pages under their control. Because there are no phishing lines of code to write and identify, the former provides attackers with convenience and stealth, but the latter allows them to carry out more complex activities as required.
Webflow is far more appealing than Cloudflare R2 or Microsoft Sway since it allows clients to create custom subdomains for free, as opposed to auto-generated random alphanumeric subdomains, which are likely to raise suspicion.
To increase the chances of success, phishing sites are designed to resemble the login pages of their legitimate counterparts. This method is used to deceive users into disclosing their credentials, which are subsequently at times exfiltrated to another server.
Security experts have also discovered Webflow cryptocurrency phoney websites that use screenshots of genuine wallet homepages as their landing pages. When a visitor clicks anywhere on the fake website, they are taken to the real scam site. The final goal of a crypto-phishing campaign is to gain the victim's seed phrases, allowing the attackers to take over cryptocurrency wallets and pilfer funds.
When users enter the recovery phrase in one of the assaults identified by the cybersecurity firm, they are presented with an error message saying that their account has been suspended due to "unauthorised activity and identification failure." Additionally, the message directs the user to start an online chat session on Tawk.to to contact their support personnel.
It is worth noting that Avast's CryptoCore fraud operation exploited chat services such as LiveChat, Tawk.to, and Smartsupp. Instead of using search engines or clicking on other links, users should always enter the URL into their web browser to access important pages like their webmail or banking portal.