Summary:
A recent surge in phishing activity has been identified by Netskope Threat Labs, with a 10-fold increase in traffic directed towards phishing pages built using Webflow. These campaigns target a range of information, including login credentials for various crypto wallets (Coinbase, MetaMask, Phantom, Trezor, Bitbuy), company webmail platforms, and even Microsoft365 credentials. The attacks have impacted over 120 organizations globally, with a focus on North American and Asian entities in the financial services, banking, and technology sectors, indicating a clear motivation for financial gain.

The attackers exploit Webflow in two primary ways. Firstly, they construct standalone phishing pages entirely within the platform. This eliminates the need for writing custom code, making detection more difficult. Secondly, Webflow pages are used to redirect victims to phishing sites hosted elsewhere, providing the attacker with greater flexibility for complex actions. Webflow's free tier offering, which includes a custom publicly accessible subdomain, further enhances the credibility of the adversary's phishing websites.

The phishing pages themselves leverage a variety of TTPs to steal sensitive information. Some attacks employ screenshots of legitimate login pages, either using Webflow's link or form blocks to capture victim credentials. Others rely on strategically placed link blocks on buttons designed to entice clicks. The more sophisticated credential harvesting attempts integrate images related to the targeted platform with Webflow's form blocks, allowing for direct credential collection within the platform.

Security Officer Comments:
The rise of Webflow-based phishing campaigns highlights the evolving tactics of cybercriminals as they discover new ways to abuse legitimate software. These campaigns demonstrate the effectiveness of leveraging legitimate website-building tools for malicious phishing purposes. The ease with which attackers utilize Webflow for a URL redirect and a standalone phishing website, combined with the platform's features like custom subdomains, presents a significant challenge for organizations monitoring traffic for threats. Organizations must remain vigilant in identifying and mitigating phishing threats by educating employees on credential management, and new phishing tactics, including commonly abused software. While Webflow has reportedly taken down the identified phishing pages, continuous monitoring, and awareness are imperative to proactively mitigate threats like these.

Suggested Corrections:
IOCs are published in Netskope's GitHub repository here.

Recommendations from Netskope:
The scams and phishing pages described in the post are easily recognizable by the domain pattern *.webflow.io. Users can avoid becoming victims of the attacks described in this post by checking the URL. Users should always access important pages, such as their banking portal or webmail, by typing the URL directly into the web browser instead of using search engines due to SEO poisoning or by clicking any other links. Organizations are recommended to review their security policies to ensure that they are adequately protected against these and similar phishing pages and scams:

• Inspect all HTTP and HTTPS traffic, including all web and cloud traffic, to prevent users from visiting malicious websites. Configure a URL filtering policy to block known phishing and scam sites and a threat protection policy to inspect all web content to identify unknown phishing and scam sites using a combination of signatures, threat intelligence, and machine learning.
• Use Browser Isolation to provide additional protection when there is a need to visit websites that fall in categories that may present a higher risk, like Newly Observed and Newly Registered Domains.

Link(s):
https://thehackernews.com/2024/10/cybercriminals-use-webflow-to-deceive.html

https://www.netskope.com/blog/attackers-target-crypto-wallets-using-codeless-webflow-phishing-pages