Webflow sites used to trick victims into sharing login details

[Image: hands typing on a keyboard, with phishing hooks holding files, passwords and credit cards. Image credit: Shutterstock / janews]

Webflow is growing increasingly popular among cybercriminals phishing for cryptocurrency wallet information, login credentials, and more, experts have warned.

A report from Netskope Threat Labs claims that between April and September 2024, it observed a ten-fold increase in traffic to phishing pages created in Webflow.

Webflow is a website builder design and development platform that allows users to visually build responsive websites without coding, while also offering hosting and content management features.

Smash and grab

The goal of the campaign is, first and foremost, to obtain cryptocurrency wallet information. By tricking victims into sharing seed phrases and login credentials for Coinbase, MetaMask, Phantom, Trezor, or Bitbuy, the crooks can gain full control over the wallets and drain them of any funds, or NFTs.

Besides crypto wallets, the miscreants were also hunting for credentials for multiple company webmail platforms, as well as Microsoft 365 login credentials.

In total, more than 120 organizations worldwide have been targeted, with the majority being located in North America, and Asia. Usually, the crooks were going for organizations in financial services, banking, and technology.

“Attackers abuse Webflow in two ways,” Netskope’s researchers claim. “Creating standalone phishing pages and using Webflow pages to redirect victims to phishing pages hosted elsewhere.” The former is more stealth-oriented: the page contains no phishing code of its own, so the usual security scanners have nothing to flag. The latter, on the other hand, provides more flexibility and allows for more complex attacks.

Webflow also provided custom, publicly accessible subdomains at no additional cost, which the crooks happily used.

What makes the phishing sites easy to spot is the way they mimic legitimate pages. Crooks would simply grab a full-screen screenshot of the legitimate app’s homepage and use that image as their own site. Some pages simply redirected visitors from this image to the actual phishing page hosted elsewhere.

Therefore, if you see that a website’s homepage is not interactive at all and behaves as a single image, be careful: you are probably being targeted.
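The tell described above (a page that is really one screenshot of a login screen, with nothing to type into, that hands the visitor off to another host) can be checked mechanically. The following is an added example, not code from the article or from Netskope Threat Labs: it parses a page's HTML with the standard library and flags pages that have an image, no form, input or button, almost no visible text, and an image link or meta refresh pointing off-site. The HTML samples and hostnames are constructed for the example; the `webflow.io` suffix is Webflow's free-subdomain domain, used here only as a label for the sample lure's host.

```python
"""Heuristic detector for screenshot-style phishing lure pages (added example)."""
from dataclasses import dataclass, field
from html.parser import HTMLParser
from typing import Optional, Set
from urllib.parse import urlparse

INTERACTIVE_TAGS = {"form", "input", "button", "textarea", "select"}


@dataclass
class PageFeatures:
    images: int = 0                     # <img> elements seen
    interactive: int = 0                # form/input/button/... elements seen
    text_chars: int = 0                 # visible text outside <script>/<style>
    image_link_hosts: Set[str] = field(default_factory=set)  # hosts of <a> wrapping an <img>
    refresh_host: Optional[str] = None  # target host of <meta http-equiv="refresh">


class _Collector(HTMLParser):
    """Walks the markup once and records the features above."""

    def __init__(self) -> None:
        super().__init__()
        self.features = PageFeatures()
        self._open_link_host: Optional[str] = None
        self._in_hidden = 0  # depth inside <script>/<style>; that text is not visible

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        f = self.features
        if tag in ("script", "style"):
            self._in_hidden += 1
        elif tag in INTERACTIVE_TAGS:
            f.interactive += 1
        elif tag == "a":
            self._open_link_host = urlparse(a.get("href", "")).hostname
        elif tag == "img":
            f.images += 1
            if self._open_link_host:
                f.image_link_hosts.add(self._open_link_host)
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "0; url=https://host/path"
            for part in a.get("content", "").split(";"):
                part = part.strip()
                if part.lower().startswith("url="):
                    f.refresh_host = urlparse(part[4:].strip()).hostname

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._in_hidden:
            self._in_hidden -= 1
        elif tag == "a":
            self._open_link_host = None

    def handle_data(self, data):
        if not self._in_hidden:
            self.features.text_chars += len(data.strip())


def assess(html: str, page_host: str) -> dict:
    """Verdict for a page served from page_host: image-only AND hands off off-site."""
    c = _Collector()
    c.feed(html)
    f = c.features
    offsite = {h for h in f.image_link_hosts if h != page_host}
    if f.refresh_host and f.refresh_host != page_host:
        offsite.add(f.refresh_host)
    image_only = f.images >= 1 and f.interactive == 0 and f.text_chars < 40
    reasons = []
    if image_only:
        reasons.append("page is an image with no form, input or button and almost no text")
    if offsite:
        reasons.append("image link or meta refresh leads off-site to " + ", ".join(sorted(offsite)))
    return {"suspicious": image_only and bool(offsite),
            "reasons": reasons, "offsite_hosts": sorted(offsite)}


# Constructed sample 1: a full-screen screenshot of a wallet login page wrapped in a
# link to another host. Nothing to type into; clicking anywhere leaves the site.
LURE_LINK = """<html><head><title>Sign in</title></head><body style="margin:0">
<a href="https://wallet-login.example.net/auth"><img src="login-screenshot.png"
     style="width:100vw;height:100vh"></a>
</body></html>"""

# Constructed sample 2: same idea, but the hand-off is an automatic meta refresh.
LURE_REFRESH = """<html><head>
<meta http-equiv="refresh" content="3; url=https://wallet-login.example.net/auth">
</head><body><img src="login-screenshot.png"></body></html>"""

# Constructed sample 3: a genuine login page has real fields and on-site links.
LEGIT = """<html><body>
<img src="/static/logo.png" alt="Example Wallet">
<form action="/session" method="post">
  <label>Email <input name="email" type="email"></label>
  <label>Password <input name="password" type="password"></label>
  <button type="submit">Sign in</button>
</form>
<a href="https://app.example.com/help">Need help signing in?</a>
</body></html>"""

if __name__ == "__main__":
    # "lure-sample.webflow.io" is a constructed host name on Webflow's free subdomain.
    for name, html, host in [("lure-link", LURE_LINK, "lure-sample.webflow.io"),
                             ("lure-refresh", LURE_REFRESH, "lure-sample.webflow.io"),
                             ("legit", LEGIT, "app.example.com")]:
        print(name, assess(html, host))
```

The check is deliberately conservative: a page is only flagged when both signals are present, because legitimate landing pages sometimes consist of a hero image, and legitimate pages sometimes redirect. Run against HTML fetched by a URL-inspection sandbox or a mail gateway's link scanner, it turns the "single image, no interaction" rule of thumb into a repeatable triage signal rather than something each user has to notice by eye.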


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.