Cyber Security News

New Phishing Attack Abuses Webflow CDN & CAPTCHAs To Steal Credit Card Details

A recent phishing campaign has been uncovered by Netskope Threat Labs, highlighting a sophisticated technique where attackers exploit Webflow’s Content Delivery Network (CDN) and fake CAPTCHAs to steal sensitive financial information.

This campaign, ongoing since the second half of 2024, targets users searching for documents on search engines, leading them to malicious PDFs hosted on Webflow’s CDN.

Attackers manipulate SEO by embedding targeted keywords in malicious PDFs, making them appear in search results for common queries like book titles or charts.

Example of a fake CAPTCHA in a malicious PDF (Source – Netskope)

These PDFs contain fake CAPTCHA images with embedded phishing links, tricking users into clicking.

To add legitimacy, the phishing site redirects users to a real Cloudflare Turnstile CAPTCHA before leading them to a fraudulent document access page.

Cloudflare Turnstile CAPTCHA used to deceive users (Source – Netskope)

Here, victims are prompted to sign up using their email, full name, and even credit card details under the guise of a subscription.

Error message after multiple credit card submissions (Source – Netskope)

If they attempt multiple submissions, they receive error messages before encountering an HTTP 500 error.

Netskope analysts noted that the campaign exploits Webflow CDN (assets.website-files[.]com) to host these malicious PDFs.

Besides this, security professionals can reference Netskope’s GitHub repository for Indicators of Compromise (IOCs).
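
A hunting heuristic for the delivery pattern described above, as an added example that is not from Netskope or the original article: it flags proxy-log requests where a PDF is fetched from the Webflow CDN host with a search-engine referrer. The log layout (timestamp, user, method, URL, referrer), the search-engine list and the sample lines are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Host named in the article (defanged there as assets.website-files[.]com).
WEBFLOW_CDN = "assets.website-files.com"
# Assumption: referrer domains treated as search engines; extend for your environment.
SEARCH_ENGINES = ("google.com", "bing.com", "duckduckgo.com", "search.yahoo.com")

# Constructed sample proxy log: timestamp user method url referrer
SAMPLE_LOG = """\
2025-01-20T10:01:02Z alice GET https://assets.website-files.com/abc123/example-chart.pdf https://www.google.com/
2025-01-20T10:02:10Z bob GET https://assets.website-files.com/abc123/logo.png https://customer-site.example/
2025-01-20T10:03:44Z carol GET https://assets.website-files.com/def456/brochure.pdf https://customer-site.example/pricing
2025-01-20T10:05:00Z dave GET https://ASSETS.website-files.com/ghi789/Book%20Title.PDF?x=1 https://www.bing.com/search?q=book+title
2025-01-20T10:06:00Z erin GET https://assets.website-files.com.evil.example/a.pdf https://www.google.com/
"""

def from_search_engine(referrer):
    """True when the referrer host is a listed search engine or a subdomain of one."""
    host = urlsplit(referrer).hostname or ""  # hostname is already lower-cased
    return any(host == s or host.endswith("." + s) for s in SEARCH_ENGINES)

def hunt(log_text):
    """Return (timestamp, user, url) for PDF fetches from the Webflow CDN
    that arrived from a search-engine results page."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        ts, user, _method, url, referrer = fields
        parts = urlsplit(url)
        if (parts.hostname == WEBFLOW_CDN              # exact host, not a lookalike
                and parts.path.lower().endswith(".pdf")  # ignore query string and case
                and from_search_engine(referrer)):
            hits.append((ts, user, url))
    return hits

if __name__ == "__main__":
    for ts, user, url in hunt(SAMPLE_LOG):
        print(ts, user, url)
```

Legitimate Webflow sites also serve PDFs from this host, so treat hits as leads to triage, not verdicts.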

Impact and Response

This campaign primarily targets industries such as technology, manufacturing, and banking across North America, Asia, and Southern Europe.

Netskope Threat Labs reported the malicious URLs to Webflow on January 23, 2025, as part of their ongoing efforts to combat these threats.

The use of fake CAPTCHAs and SEO manipulation in phishing attacks clearly demonstrates the evolving sophistication of cyber threats.

Users must remain vigilant when interacting with documents found through search engines and be cautious of requests for sensitive information, especially when prompted by unfamiliar websites.


Tushar Subhra Dutta
