Introduction
Cybersecurity researchers have identified a significant surge in phishing activities on the website builder Webflow [4], with a notable increase in traffic from April to September 2024. These campaigns primarily target sensitive information from cryptocurrency wallets and webmail platforms, affecting numerous organizations across North America and Asia.
Description
Cybersecurity researchers have reported a significant increase in phishing pages hosted on the website builder Webflow [4], with a tenfold rise in traffic observed from April to September 2024 [4]. These phishing campaigns specifically target sensitive information from various cryptocurrency wallets [4], including Coinbase [1] [3] [4], MetaMask [1] [3] [4], Phantom [1] [3] [4], Trezor [1] [3] [4], and Bitbuy [1] [3] [4], as well as login credentials for multiple webmail platforms [4], notably Microsoft 365 [4]. Over 120 organizations [1] [3] [4], primarily in North America and Asia within the financial services [1] [3] [4], banking [1] [3] [4], and technology sectors [1] [3] [4], have been affected [1] [3] [4].
Attackers exploit Webflow both to create standalone phishing pages that mimic legitimate login interfaces and to redirect users to external malicious sites. This approach benefits from the platform’s ability to generate custom subdomains at no extra cost [4], which helps avoid detection compared to services that produce random alphanumeric subdomains [4]. Additionally, attackers utilize Webflow’s legitimate link and form blocks to capture credentials [2], allowing them to forward stolen information to their own sites. Testing has shown that a phishing page can be created in under five minutes using a free Webflow account [2]. Some phishing sites even use screenshots of authentic wallet homepages to mislead users [1], further enhancing their deception.
The primary objective of these crypto-phishing campaigns is to obtain victims’ seed phrases [1] [3], enabling attackers to take control of cryptocurrency wallets and drain funds [1] [3]. Users who inadvertently provide their recovery phrases may receive error messages indicating account suspension due to unauthorized activity [1] [3], prompting them to contact support through chat services like Tawk.to [1], which have been exploited in similar scams [1] [3]. To mitigate risks [1] [2], users are advised to access important sites directly by typing URLs into their browsers rather than relying on search engines or links [1]. Additionally, it is recommended to check for malicious domains ending in *.webflow.io and to inspect all HTTP and HTTPS traffic [2], along with implementing remote browser isolation technology to prevent access to malicious websites [2].
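The traffic-inspection advice above (watch for hosts under *.webflow.io and review HTTP/HTTPS requests to them) can be turned into a small triage rule. The script below is an added example written for this summary; it is not code from any of the cited reports. It parses a few constructed proxy log lines, flags requests to Webflow-hosted subdomains, and raises the priority when the subdomain contains one of the brand names the reports list as phishing targets or when the request is a POST (a form submission, which is how the reported pages capture credentials). The log format, hostnames and client addresses are all constructed for the example.

```python
"""Triage proxy-log lines for requests to Webflow-hosted subdomains.

Added example, not from the cited reports. The log format (timestamp,
client, method, URL, status) and every hostname below are constructed.
"""
import re
from urllib.parse import urlsplit

# Brands the reports name as phishing targets, lowercased for substring matching.
TARGET_BRANDS = ("coinbase", "metamask", "phantom", "trezor", "bitbuy", "microsoft")

# Constructed sample proxy log lines; none of these hosts are real indicators.
SAMPLE_LOG = """\
2024-09-12T10:01:03Z 10.0.0.12 GET https://docs.example.com/handbook 200
2024-09-12T10:02:41Z 10.0.0.12 GET https://coinbase-wallet-recovery.webflow.io/login 200
2024-09-12T10:03:15Z 10.0.0.27 POST https://secure-metamask-verify.webflow.io/submit 302
2024-09-12T10:04:02Z 10.0.0.31 GET https://team-site.webflow.io/ 200
2024-09-12T10:05:55Z 10.0.0.12 GET https://www.coinbase.com/ 200
2024-09-12T10:06:10Z 10.0.0.40 GET https://notwebflow.io/ 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = (urlsplit(rec["url"]).hostname or "").lower()
    return rec


def is_webflow_host(host):
    """True only for webflow.io itself or a subdomain of it (label boundary respected)."""
    return host == "webflow.io" or host.endswith(".webflow.io")


def impersonated_brand(host):
    """Return the first target brand name found in the subdomain part, else None."""
    sub = host[: -len(".webflow.io")] if host.endswith(".webflow.io") else host
    for brand in TARGET_BRANDS:
        if brand in sub:
            return brand
    return None


def classify(line):
    """Return an enriched record for requests to Webflow-hosted hosts, else None.

    severity: 'high' for a brand lookalike receiving a POST (likely form
    submission), 'medium' for a brand lookalike, 'low' for any other
    webflow.io subdomain (legitimate sites exist there, so review only).
    """
    rec = parse_line(line)
    if rec is None or not is_webflow_host(rec["host"]):
        return None
    brand = impersonated_brand(rec["host"])
    rec["brand"] = brand
    if brand and rec["method"] == "POST":
        rec["severity"] = "high"
    elif brand:
        rec["severity"] = "medium"
    else:
        rec["severity"] = "low"
    return rec


def scan(log_text):
    """Run classify over every line and keep only the flagged records."""
    return [r for r in (classify(l) for l in log_text.splitlines()) if r]


if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(f"{r['severity']:6} {r['client']:10} {r['method']:4} {r['host']}  brand={r['brand']}")
```

The rule only covers the free *.webflow.io subdomains; the reports also describe Webflow pages that redirect to external malicious sites and attackers can attach their own domains, so treat a hit as a review queue entry rather than a complete detection, and keep the low-severity bucket informational because legitimate Webflow sites are common.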
Conclusion
The rise in phishing activities on Webflow poses significant risks to organizations, particularly in the financial, banking [1] [3] [4], and technology sectors [1] [3] [4]. To combat these threats [2], it is crucial for users to adopt safe browsing practices, such as directly entering URLs and scrutinizing domain names. Organizations should also consider advanced security measures like remote browser isolation to safeguard against these sophisticated phishing tactics. As cyber threats continue to evolve, ongoing vigilance and proactive security strategies will be essential in mitigating future risks.
References
[1] https://owasp.or.id/2024/10/28/cybercriminals-use-webflow-to-deceive-users-into-sharing-sensitive-login-credentials/
[2] https://www.esecurityplanet.com/threats/vulnerability-recap-october-28-2024/
[3] https://vulners.com/thn/THN:15E4D7B889B460C1723225AAE2B2F6F6
[4] https://thehackernews.com/2024/10/cybercriminals-use-webflow-to-deceive.html