Deceptive CAPTCHA PDFs on Webflow CDN Trick Users into Credit Card Theft Scam

Sophisticated Phishing Campaign Targets Users Through Fake PDF Documents

A new phishing operation has emerged, utilizing fraudulent PDF documents hosted on Webflow’s content delivery network to steal credit card information. The campaign, detected in late 2024, specifically targets individuals searching for documents online.

The attack follows a sophisticated multi-step process:

1. Users searching for books, documents, or charts are directed to malicious PDFs on Webflow CDN
2. These PDFs contain fake CAPTCHA images with embedded phishing links
3. Clicking the CAPTCHA leads to a page with a legitimate Cloudflare Turnstile CAPTCHA
4. After completing the real CAPTCHA, users encounter a “download” button
5. Attempting to download triggers a pop-up requesting credit card information
6. Multiple failed payment attempts lead to an HTTP 500 error page

The scheme employs legitimate security features to appear trustworthy while evading detection systems. Netskope Threat Labs researcher Jan Michael Alcantara notes that victims are repeatedly prompted to enter credit card details before being shown error messages.
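For triaging a PDF of the kind described in step 2, this added example (not from Netskope or the original article) lists the link targets a PDF carries, including ones inside Flate-compressed object streams, and flags hosts outside an expected set. The function names, sample PDF and hostnames are constructed for illustration; only literal-string `/URI` values are handled.

```python
import re
import zlib
from urllib.parse import urlparse

# /URI (…) action values in literal-string form; hex-string URIs are not handled.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

def _searchable_bodies(pdf: bytes):
    """Yield the raw file, then every stream that inflates as Flate data."""
    yield pdf
    for m in STREAM_RE.finditer(pdf):
        try:
            # decompressobj tolerates a stream whose trailing bytes were trimmed
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # image data or another filter: nothing to search

def extract_link_uris(pdf: bytes) -> list[str]:
    """Return each distinct URI action target, in order of discovery."""
    uris = []
    for body in _searchable_bodies(pdf):
        for m in URI_RE.finditer(body):
            raw = re.sub(rb"\\(.)", rb"\1", m.group(1))  # undo PDF escapes
            uri = raw.decode("latin-1")
            if uri not in uris:
                uris.append(uri)
    return uris

def triage(pdf: bytes, expected_hosts: set[str]) -> list[str]:
    """Return link targets whose host is outside the expected set."""
    return [u for u in extract_link_uris(pdf)
            if (urlparse(u).hostname or "").lower() not in expected_hosts]

# Constructed sample: one plain link, one inside a compressed object stream.
_HIDDEN = (b"<< /Type /Annot /Subtype /Link /Rect [0 0 400 120] "
           b"/A << /S /URI /URI (https://landing.example/verify) >> >>")
SAMPLE_PDF = (
    b"%PDF-1.7\n1 0 obj\n<< /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (https://docs.example.org/help) >> >>\nendobj\n"
    b"2 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(_HIDDEN) + b"\nendstream\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    for uri in triage(SAMPLE_PDF, {"docs.example.org"}):
        print("unexpected link target:", uri)
```

A link annotation whose rectangle covers an image, as in the constructed sample, makes the whole picture clickable, which is why the link target matters more than the visible content.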

In related news, a new phishing kit called Astaroth is being marketed on Telegram and cybercrime forums for $2,000. This kit uses Evilginx-style reverse proxy techniques to intercept authentication traffic, enabling criminals to harvest credentials and bypass two-factor authentication for major services like Gmail, Yahoo, and Microsoft.
