Hackers use CAPTCHA scam in PDF files on Webflow CDN to get past security systems

News
By published

Campaign looks to steal credit card data

Someone checking their credit card details online.
(Image credit: Pickawood / Unsplash)
  • Netskope's researchers uncover new phishing campaign
  • Team says the campaign started in mid-2024 and has affected "thousands"
  • Victims are promised important PDF documents in exchange for credit card data

A new phishing campaign has been discovered trying to trick gullible people into handing their sensitive personal and payment information to cybercriminals.

Cybersecurity researchers from Netskope Threat Labs detailed their findings, noted the target of this campaign is mainly people looking for PDF files online - whether books, documents, charts, or similar files. The criminals would host a fake .PDF file on the Webflow content delivery network (CDN), which the victims could then find through search engines.

The PDF file would then serve them an image that mimics a CAPTCHA, but is instead just a link to a phishing page. That page, in turn, hosts a real Cloudflare Turnstile CAPTCHA. Having a CAPTCHA on a phishing page serves two purposes: the first one is to lend legitimacy to the fraud, and the second one is to better bypass different web security protections.

Fake errors

Users who complete the real CAPTCHA are then redirected to a page with a “download” button which, after pressed, displays a popup. That popup asks the victims to provide their personally identifiable information (PII), as well as credit card data which are then relayed to the attackers.

The victims who enter their credit card details are then served a fake error message, stating that the payment was not accepted. Those that try multiple times, will eventually be redirected to an HTTP 500 error page.

Netskope says that the campaign has been ongoing since the second half of 2024 and has, since then, affected “hundreds” of Netskope customers and “thousands” of users. The researchers did not say what the criminals are using the stolen cards for, other than it’s for “financial fraud”. Most of the time, though, crooks would use credit cards to purchase ad space for malvertising campaigns, or to buy online gift cards which are difficult to trace.

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

Read more
An iPhone sitting on a wooden table
Millions at risk as malicious PDF files designed to steal your data are flooding SMS inboxes - how to stay safe
A hacker typing on a MacBook laptop with code on the screen.
This devious phishing site repurposes legitimate web elements like CAPTCHA pages for malware distribution
Close up of a business person using a smartphone.
Watch out, malicious PDF files are being used again in phishing attacks
Robotic hand clicking on captcha 'I am not a robot'.
Fake CAPTCHAs are being used to spread malware - and we only have ourselves to blame
Image depicting hands typing on a keyboard, with phishing hooks holding files, passwords and credit cards.
Microsoft warns about a new phishing campaign impersonating Booking.com
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
Microsoft authentication system spoofed via phishing attack
Latest in Security
Lock on Laptop Screen
Medusa ransomware is able to disable anti-malware tools, so be on your guard
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Coinbase targeted after recent Github attacks
hacker.jpeg
Key trusted Microsoft platform exploited to enable malware, experts warn
IBM office logo
IBM to provide platform for flagship cyber skills programme for girls
Oracle
Oracle denies data breach after hacker claims to hold six million records
Hacker silhouette working on a laptop with North Korean flag on the background
North Korea unveils new military unit targeting AI attacks
Latest in News
Cassian Andor looking nervously over his shoulder in Andor season 2
New Andor season 2 trailer has got Star Wars fans asking the same question – and it includes an ominous call back to Rogue One's official teaser
23andMe
23andMe is bankrupt and about to sell your DNA, here's how to stop that from happening
A phone showing a ChatGPT app error message
ChatGPT was down for many – here's what's happened
AirPods Max with USB-C in every color
Apple's AirPods Max with USB-C will get lossless audio in April, but you'll need to go wired
A woman sitting in a chair looking at a Windows 11 laptop
It looks like Microsoft might have thought better about banishing Copilot AI shortcut from Windows 11
Lock on Laptop Screen
Medusa ransomware is able to disable anti-malware tools, so be on your guard
More about security
Lock on Laptop Screen

Medusa ransomware is able to disable anti-malware tools, so be on your guard
hacker.jpeg

Key trusted Microsoft platform exploited to enable malware, experts warn
Cassian Andor looking nervously over his shoulder in Andor season 2

New Andor season 2 trailer has got Star Wars fans asking the same question – and it includes an ominous call back to Rogue One's official teaser
See more latest
Most Popular
Cassian Andor looking nervously over his shoulder in Andor season 2
New Andor season 2 trailer has got Star Wars fans asking the same question – and it includes an ominous call back to Rogue One's official teaser
23andMe
23andMe is bankrupt and about to sell your DNA, here's how to stop that from happening
Lock on Laptop Screen
Medusa ransomware is able to disable anti-malware tools, so be on your guard
hacker.jpeg
Key trusted Microsoft platform exploited to enable malware, experts warn
A screenshot from Indiana Jones and the Great Circle showing Indiana Jones
Indiana Jones and the Great Circle finally gets PS5 release date and I can't wait to don the fedora and crack the whip
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Tuesday, March 25 (game #387)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Tuesday, March 25 (game #653)
Quordle on a smartphone held in a hand
Quordle hints and answers for Tuesday, March 25 (game #1156)
AirPods Max with USB-C in every color
Apple's AirPods Max with USB-C will get lossless audio in April, but you'll need to go wired
US flags
US government IT contracts set to be centralized in new Trump order