Hackers use a CAPTCHA trick in PDF files on the Webflow CDN to bypass security systems.

Netskope researchers have identified a new phishing campaign that has been active since mid-2024, affecting "thousands" of people. This fraudulent initiative aims to deceive users into believing they are accessing important PDF documents in exchange for their personal and payment information.

Analysis conducted by experts at Netskope Threat Labs reveals that the campaign is primarily designed to attract individuals searching for PDF files online, such as books or documents. The criminals have been using the Webflow content delivery network to host fraudulent .PDF links that appear through search engines.

Once the victim clicks on the PDF file, they encounter an image that mimics a CAPTCHA, which is actually just a link to a phishing page. This page includes a legitimate Cloudflare Turnstile CAPTCHA, which not only adds an air of legitimacy to the scam but also helps bypass the most effective online security protections.

Users who complete the real CAPTCHA are redirected to a page where a “download” button appears. Clicking this button triggers a popup that prompts them to enter personally identifiable information (PII) and their credit card details, which are then sent to the attackers. Those who provide their card information receive a false error message indicating that the payment was not accepted. Those who repeatedly attempt to submit are ultimately taken to an HTTP 500 error page.

Netskope reported that this campaign has impacted "hundreds" of its clients and "thousands" of users. Although it was not specified how the criminals use the stolen cards, it was mentioned that the primary goal is "financial fraud." It is common for criminals to use stolen credit cards to purchase advertising space in malvertising campaigns or to acquire gift cards online, which are difficult to trace.