Hackers Use CAPTCHA Trick on Webflow CDN PDFs to Bypass Security Scanners

A widespread phishing campaign has been observed leveraging bogus PDF documents hosted on the Webflow content delivery network (CDN) with an aim to steal credit card information and commit financial fraud.

"The attacker targets victims searching for documents on search engines, resulting in access to malicious PDF that contains a CAPTCHA image embedded with a phishing link, leading them to provide sensitive information," Netskope Threat Labs researcher Jan Michael Alcantara said.

The activity, ongoing since the second half of 2024, entails users looking for book titles, documents, and charts on search engines like Google to redirect users to PDF files hosted on Webflow CDN.

These PDF files come embedded with an image that mimics a CAPTCHA challenge, causing users who click on it to be taken to a phishing page that, this time, hosts a real Cloudflare Turnstile CAPTCHA.

In doing so, the attackers aim to lend the process a veneer of legitimacy, fooling victims into thinking that they had interacted with a security check, while also evading detection by static scanners.

Users who complete the genuine CAPTCHA challenge are subsequently redirected to a page that includes a "download" button to access the supposed document. However, when the victims attempt to complete the step, they are served a pop-up message asking them to enter their personal and credit card details.

"Upon entering credit card details, the attacker will send an error message to indicate that it was not accepted," Michael Alcantara said. "If the victim submits their credit card details two or three more times, they will be redirected to an HTTP 500 error page."

The development comes as SlashNext detailed a new phishing kit named Astaroth (not to be confused with a banking malware of the same name) that's advertised on Telegram and cybercrime marketplaces for $2,000 in exchange for six-months of updates and bypass techniques.

Like phishing-as-a-service (PhaaS) offerings, it allows cyber crooks the ability to harvest credentials and two-factor authentication (2FA) codes via bogus login pages that mimic popular online services.

"Astaroth utilizes an Evilginx-style reverse proxy to intercept and manipulate traffic between victims and legitimate authentication services like Gmail, Yahoo, and Microsoft," security researcher Daniel Kelley said. "Acting as a man-in-the-middle, it captures login credentials, tokens, and session cookies in real time, effectively bypassing 2FA."