Cloudflare and Major Philippine Banks: Trusted Platforms Exploited to Steal Philippine Banking Credentials

Sophisticated Phishing Campaign Targets Philippine Bank Users via Trusted Platforms

Since early 2024, a highly adaptive phishing campaign has targeted customers of major Philippine banks, exploiting legitimate online services to bypass security measures. The operation, still active in 2026, has distributed over 900 malicious links, impacting more than 400 victims.

Attackers leveraged trusted platforms including Google Business, AMP CDN, Cloudflare Workers, and URL shorteners to disguise phishing redirects, improving email deliverability and evading secure email gateways. Phishing emails were sent from compromised accounts, often sourced from stolen credential databases, enhancing their credibility.

Social engineering tactics evolved over time. Early waves in 2024 used fake transaction alerts, while later iterations in 2025 shifted to warnings about suspicious logins or account updates. Victims were redirected through multiple layers before landing on convincing fake banking pages, which used "hotlinking" to pull real assets from legitimate bank servers, reducing detection risks.
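The hotlinking described above leaves a server-side tell: requests for the bank's own logos, stylesheets and scripts arrive with a Referer pointing at a host the bank does not own. The Python below is an added example, not code from the article or from any organisation it names; it counts such requests per foreign Referer host over constructed combined-format access-log lines, and examplebank.ph and all sample hosts are placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Domains whose pages may load the bank's static assets (assumed placeholder).
ALLOWED_DOMAINS = {"examplebank.ph"}
# Phishing kits hotlink logos, stylesheets and scripts, so only check those.
STATIC_ASSET_RE = re.compile(r"\.(?:css|js|png|jpe?g|gif|svg|woff2?|ico)(?:\?|$)")
# Combined Log Format: ip - - [ts] "METHOD path PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def referer_host(referer):
    """Lowercase Referer host; None when absent ("-"), empty or malformed."""
    try:
        return urlsplit(referer).hostname  # None for "-" or "": no netloc
    except ValueError:  # e.g. an unbalanced "[" in an attacker-supplied Referer
        return None

def is_allowed(host):
    # The bank's own domain or any subdomain of it, e.g. cdn.examplebank.ph
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)

def find_hotlinking_hosts(log_lines):
    """Count static-asset requests per foreign Referer host. Requests with no
    Referer are skipped: browsers omit it on direct navigation and under strict
    referrer policies, so its absence proves nothing either way."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not STATIC_ASSET_RE.search(m["path"]):
            continue
        host = referer_host(m["referer"])
        if host and not is_allowed(host):
            counts[host] += 1
    return counts

# Constructed sample log lines (not from any real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Mar/2025:10:01:09 +0800] "GET /assets/logo.png HTTP/1.1" 200 5120 "https://secure-alert.example-phish.test/verify" "Mozilla/5.0"',
    '203.0.113.7 - - [02/Mar/2025:10:01:09 +0800] "GET /assets/app.css HTTP/1.1" 200 22011 "https://secure-alert.example-phish.test/verify" "Mozilla/5.0"',
    '203.0.113.9 - - [02/Mar/2025:10:02:15 +0800] "GET /api/balance HTTP/1.1" 200 318 "https://secure-alert.example-phish.test/verify" "Mozilla/5.0"',
    '203.0.113.3 - - [02/Mar/2025:10:03:44 +0800] "GET /assets/app.css HTTP/1.1" 200 22011 "-" "Mozilla/5.0"',
    '203.0.113.4 - - [02/Mar/2025:10:04:00 +0800] "GET /assets/app.js HTTP/1.1" 200 9002 "https://cdn.examplebank.ph/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(find_hotlinking_hosts(SAMPLE_LOG).most_common())
```

A foreign host that repeatedly fetches the login page's assets is a candidate phishing site worth passing to the takedown and brand-monitoring process; the API request and the Referer-less request in the sample are deliberately not counted.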

The attack chain enabled real-time financial fraud. Victims entered login credentials and one-time passwords (OTPs), which were instantly transmitted to attackers via Telegram bots, allowing unauthorized transactions within minutes. In a further escalation, threat actors compromised an educational institution’s domain within the Philippine ccTLD, hosting phishing infrastructure under valid SSL certificates to enhance legitimacy.

Researchers noted the campaign’s technical sophistication, including short-lived SSL certificates and rapidly rotating subdomains to avoid detection. The abuse of trusted platforms and real-time data exfiltration underscores the growing challenge of defending against modern phishing threats.

Source: https://gbhackers.com/philippine-banking-credentials/

Bank of the Philippine Islands (BPI) cybersecurity rating report: https://www.rankiteo.com/company/bank-of-the-philippine-islands

Cloudflare cybersecurity rating report: https://www.rankiteo.com/company/cloudflare

{
"id": "BANCLO1775212236",
"linkid": "bank-of-the-philippine-islands, cloudflare",
"type": "Cyber Attack",
"date": "1/2024",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
}
{'affected_entities': [{'customers_affected': '400+',
                        'industry': 'Banking',
                        'location': 'Philippines',
                        'name': 'Major Philippine Banks',
                        'type': 'Financial Institution'},
                       {'industry': 'Education',
                        'location': 'Philippines',
                        'name': 'Educational Institution (Domain Compromised)',
                        'type': 'Educational'}],
 'attack_vector': ['Email',
                   'Compromised Accounts',
                   'Trusted Platforms (Google Business, AMP CDN, Cloudflare '
                   'Workers, URL Shorteners)'],
 'data_breach': {'data_exfiltration': 'Real-time via Telegram Bots',
                 'number_of_records_exposed': '400+',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Login Credentials',
                                              'One-Time Passwords (OTPs)']},
 'date_detected': '2024-01-01',
 'description': 'Since early 2024, a highly adaptive phishing campaign has '
                'targeted customers of major Philippine banks, exploiting '
                'legitimate online services to bypass security measures. The '
                'operation, still active in 2026, has distributed over 900 '
                'malicious links, impacting more than 400 victims. Attackers '
                'leveraged trusted platforms including Google Business, AMP '
                'CDN, Cloudflare Workers, and URL shorteners to disguise '
                'phishing redirects, improving email deliverability and '
                'evading secure email gateways. Phishing emails were sent from '
                'compromised accounts, often sourced from stolen credential '
                'databases, enhancing their credibility. Social engineering '
                'tactics evolved over time, using fake transaction alerts, '
                'warnings about suspicious logins, or account updates. Victims '
                'were redirected through multiple layers before landing on '
                "convincing fake banking pages, which used 'hotlinking' to "
                'pull real assets from legitimate bank servers. The attack '
                'chain enabled real-time financial fraud, with credentials and '
                'OTPs transmitted to attackers via Telegram bots, allowing '
                'unauthorized transactions within minutes. Threat actors also '
                'compromised an educational institution’s domain within the '
                'Philippine ccTLD to host phishing infrastructure under valid '
                'SSL certificates.',
 'impact': {'brand_reputation_impact': 'High',
            'data_compromised': ['Login Credentials',
                                 'One-Time Passwords (OTPs)'],
            'identity_theft_risk': 'High',
            'operational_impact': 'Unauthorized Transactions',
            'payment_information_risk': 'High',
            'systems_affected': ['Customer Banking Portals']},
 'initial_access_broker': {'entry_point': 'Compromised Accounts'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'The campaign highlights the growing sophistication of '
                    'phishing attacks, including the abuse of trusted '
                    'platforms, real-time data exfiltration, and the use of '
                    'valid SSL certificates to enhance legitimacy. Defenders '
                    'must adapt to evolving social engineering tactics and the '
                    'exploitation of legitimate services.',
 'motivation': ['Financial Gain'],
 'post_incident_analysis': {'root_causes': ['Exploitation of Trusted Platforms',
                                            'Stolen Credentials',
                                            'Social Engineering']},
 'recommendations': ['Enhance email security to detect and block phishing '
                     'attempts leveraging trusted platforms.',
                     'Implement multi-factor authentication (MFA) to reduce '
                     'reliance on OTPs.',
                     'Monitor for unauthorized transactions in real-time.',
                     'Educate customers on recognizing phishing attempts and '
                     'verifying the authenticity of banking communications.',
                     'Collaborate with domain registrars and certificate '
                     'authorities to detect and revoke abused domains and '
                     'certificates.'],
 'title': 'Sophisticated Phishing Campaign Targets Philippine Bank Users via '
          'Trusted Platforms',
 'type': 'Phishing',
 'vulnerability_exploited': ['Social Engineering',
                             'Stolen Credentials',
                             'Abuse of Legitimate Services']}