A new phishing campaign has emerged that uses fake PDF documents distributed via the Webflow content delivery network (CDN) to trick users into handing over credit card details, which are then used for financial fraud.
Ingenious Use of CAPTCHA in Phishing
According to Netskope Threat Labs researcher Jan Michael Alcantara, “The attacker targets victims searching for documents on search engines, resulting in access to malicious PDF that contains a CAPTCHA image embedded with a phishing link, leading them to provide sensitive information.”
The phishing operation has been active since the second half of 2024 and lures users searching for book titles, documents, and charts on search engines like Google to PDF files hosted on the Webflow CDN.
The PDF files contain an image that mimics a CAPTCHA challenge; the image is itself a hyperlink. Clicking it takes users to a phishing site fronted by a genuine Cloudflare Turnstile CAPTCHA, which both makes the scam look legitimate and keeps automated scanners from reaching the phishing content behind it.
Once the users solve the legitimate CAPTCHA challenge, they encounter a “download” button purportedly for obtaining the document they were initially searching for. However, clicking this button prompts a pop-up window asking for personal and credit card details.
Michael Alcantara explains the process further: “Upon entering credit card details, the attacker will send an error message to indicate that it was not accepted. If the victim submits their credit card details two or three more times, they will be redirected to an HTTP 500 error page.”
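The lure described above is structurally simple: a PDF whose visible content is a picture, with a /Link annotation carrying a /URI action that points off the hosting domain. The following triage script, added here as an example and not Netskope's tooling, pulls every /URI target out of a PDF (including ones hidden inside FlateDecode-compressed object streams, where a plain string search would miss them) and flags documents that pair an image with an outbound link. The three PDFs it runs against are constructed in the block; the hostnames, the trusted-host list and the function names are assumptions for illustration. It is a heuristic over raw PDF syntax for first-pass triage, not a substitute for a full PDF parser.

```python
"""Triage PDFs for the 'fake CAPTCHA image that is really a hyperlink' lure.

Added example; heuristic regex pass over the raw PDF syntax, not Netskope's code.
"""
import re
import zlib
from urllib.parse import urlparse

# Constructed sample (not a real lure): one page that draws a single image and
# carries a /Link annotation whose /URI action leaves the hosting domain.
LURE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]
   /Resources << /XObject << /Im0 4 0 R >> >> /Annots [5 0 R] >> endobj
4 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1
   /ColorSpace /DeviceGray /BitsPerComponent 8 /Length 1 >>
stream
\x00
endstream
endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [100 300 500 500]
   /A << /S /URI /URI (https://captcha-check.example.net/verify?doc=1) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed benign variant: same layout, but the link stays on a trusted host.
CLEAN_PDF = LURE_PDF.replace(
    b"https://captcha-check.example.net/verify?doc=1",
    b"https://docs.example.com/manual.pdf",
)


def _flate_object(num: int, body: bytes) -> bytes:
    """Wrap an object body in a FlateDecode stream, as PDF writers commonly do."""
    comp = zlib.compress(body)
    return (b"%d 0 obj << /Filter /FlateDecode /Length %d >>\nstream\n" % (num, len(comp))
            + comp + b"\nendstream\nendobj\n")


# Constructed sample where the annotation lives in a compressed stream and the
# URI is a hex string: a regex over the raw file bytes finds nothing here.
HIDDEN_URI = "https://captcha-check.example.net/verify?doc=2"
PACKED_PDF = (b"%PDF-1.5\n"
              + _flate_object(5, b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI <"
                              + HIDDEN_URI.encode().hex().encode() + b"> >> >>")
              + b"%%EOF\n")

_STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
_URI_LIT_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)  # (literal)
_URI_HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")                # <hex>
_IMAGE_RE = re.compile(rb"/Subtype\s*/Image")


def expand_streams(data: bytes) -> bytes:
    """Return the file plus the inflated body of every Flate-compressed stream."""
    inflated = []
    for m in _STREAM_RE.finditer(data):
        try:
            inflated.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # raw image/font data, not zlib: nothing to expand
    return data + b"\n" + b"\n".join(inflated)


def _unescape_pdf_string(raw: bytes) -> str:
    # Only the escapes that occur in URLs matter here: \( \) and \\.
    return re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1")


def extract_uris(blob: bytes) -> list[str]:
    """All /URI action targets in an (ideally already expanded) PDF blob."""
    uris = [_unescape_pdf_string(m.group(1)) for m in _URI_LIT_RE.finditer(blob)]
    for m in _URI_HEX_RE.finditer(blob):
        digits = re.sub(rb"\s", b"", m.group(1))
        if len(digits) % 2:          # PDF pads an odd final digit with 0
            digits += b"0"
        uris.append(bytes.fromhex(digits.decode("ascii")).decode("latin-1"))
    return uris


def _is_trusted(host: str, trusted_hosts: frozenset[str]) -> bool:
    return any(host == t or host.endswith("." + t) for t in trusted_hosts)


def triage_pdf(data: bytes, trusted_hosts: frozenset[str]) -> dict:
    """Report outbound links and the image-plus-external-link lure pattern."""
    blob = expand_streams(data)
    uris = extract_uris(blob)
    external = [u for u in uris
                if not _is_trusted((urlparse(u).hostname or "").lower(), trusted_hosts)]
    has_image = bool(_IMAGE_RE.search(blob))
    return {
        "uris": uris,
        "external_uris": external,
        "has_image": has_image,
        # The lure in the article: a page that shows an image and whose only
        # interactive element is a link to a host other than the document's own.
        "image_link_lure": has_image and bool(external),
    }


if __name__ == "__main__":
    trusted = frozenset({"example.com"})   # assumed allowlist of your own hosts
    for name, pdf in (("lure", LURE_PDF), ("clean", CLEAN_PDF), ("packed", PACKED_PDF)):
        print(name, triage_pdf(pdf, trusted))
```

The PACKED_PDF case is the one worth remembering: running `extract_uris` on the raw bytes returns nothing, while running it on `expand_streams(...)` recovers the hidden link, so any string-grep triage of PDFs that skips stream inflation will miss lures produced by ordinary, compressing PDF writers.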
Rise of Phishing-as-a-Service
The development coincides with reports from SlashNext about a new phishing kit named Astaroth (unrelated to the banking malware of the same name) being sold in cybercrime circles via Telegram for $2,000, a price that includes six months of updates and advanced evasion techniques.
Like other Phishing-as-a-Service (PhaaS) solutions, Astaroth enables cybercriminals to collect login details and two-factor authentication (2FA) codes through fake pages that imitate well-known online platforms.
Security researcher Daniel Kelley describes its functionality: “Astaroth utilizes an Evilginx-style reverse proxy to intercept and manipulate traffic between victims and legitimate authentication services like Gmail, Yahoo, and Microsoft. Acting as a man-in-the-middle, it captures login credentials, tokens, and session cookies in real-time, effectively bypassing 2FA.”