Webflow sites used to trick victims into sharing login details

Webflow is growing increasingly popular among cybercriminals phishing for cryptocurrency wallet information, login credentials, and more, experts have warned.

A report from Netskope Threat Labs claims that between April and September 2024, it observed a ten-fold increase in traffic to phishing pages created in Webflow.

Webflow is a website design and development platform that lets users visually build responsive websites without coding, while also offering hosting and content management features.

Smash and grab

The goal of the campaign is, first and foremost, to obtain cryptocurrency wallet information. By tricking victims into sharing seed phrases and login credentials for Coinbase, MetaMask, Phantom, Trezor, or Bitbuy, the crooks can gain full control over the wallets and drain them of any funds or NFTs.

Besides crypto wallets, the miscreants were also hunting for credentials for multiple company webmail platforms, as well as Microsoft 365 login credentials.

In total, more than 120 organizations worldwide have been targeted, with the majority located in North America and Asia. Usually, the crooks were going for organizations in financial services, banking, and technology.

“Attackers abuse Webflow in two ways,” Netskope’s researchers claim. “Creating standalone phishing pages and using Webflow pages to redirect victims to phishing pages hosted elsewhere.” The former is more stealth-oriented, since it contains no lines of phishing code, and thus cannot be spotted by usual security scanners. The latter, on the other hand, provides more flexibility and allows for more complex attacks.

Webflow also provided custom publicly accessible subdomains without additional cost, which the crooks happily used.

What makes the phishing sites easy to spot is the way they mimic legitimate pages. Crooks would simply grab a full-screen screenshot of the legitimate app’s homepage, and use that on their own site. Some pages simply redirected people from this image to the actual phishing page hosted elsewhere.

Therefore, if you see that a website’s homepage is not interactive at all, and behaves as a single image, be careful – you’re probably being targeted.
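The "single image, nothing interactive" tell described above can be checked mechanically on a fetched page. The following is an added example, not code from the article or from Netskope: `PageShape`, `assess`, the 40-character text threshold and both sample pages are assumptions made up for illustration, and a match is a reason to look closer, not proof of phishing.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
INTERACTIVE = {"form", "input", "button", "select", "textarea"}
HIDDEN = {"script", "style", "title"}  # text in these is not rendered in the body

class PageShape(HTMLParser):  # collects the structural facts the heuristic needs
    def __init__(self):
        super().__init__()
        self.images = self.interactive = self.text_chars = self._hidden = 0
        self.link_hosts = set()  # hosts (or None) of <a href> wrapping an <img>
        self._links = []         # hrefs of the currently open <a> elements

    def handle_starttag(self, tag, attrs):
        if tag in HIDDEN:
            self._hidden += 1
        elif tag in INTERACTIVE:
            self.interactive += 1
        elif tag == "a":
            self._links.append(dict(attrs).get("href") or "")
        elif tag == "img":
            self.images += 1
            self.link_hosts.update(urlparse(h).hostname for h in self._links[-1:])

    def handle_endtag(self, tag):
        if tag in HIDDEN and self._hidden:
            self._hidden -= 1
        elif tag == "a" and self._links:
            self._links.pop()

    def handle_data(self, data):
        if not self._hidden:
            self.text_chars += len(data.strip())

def assess(html, page_host, max_text=40):
    """Return reasons the page looks like a screenshot-only lure (empty = none)."""
    p = PageShape()
    p.feed(html)
    p.close()  # flush any buffered trailing text
    if p.images != 1 or p.interactive or p.text_chars > max_text:
        return []
    reasons = ["single image, no interactive elements"]
    offsite = sorted(h for h in p.link_hosts if h and h != page_host)
    if offsite:
        reasons.append("image links off-site: " + ", ".join(offsite))
    return reasons

# Constructed sample pages (not taken from any real site).
LURE = '<body><a href="https://login.collector.example/"><img src="home.png"></a></body>'
REAL = '<body><form><input name="user"><button>Continue</button></form><img src="logo.png"></body>'
```

Calling `assess(LURE, "brand-home.example")` returns both reasons, while `assess(REAL, "wallet.example")` returns an empty list because the page has real form controls.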
