Phishing Attacks Spike with Misuse of Webflow and Other Legitimate Tools

Cybersecurity researchers have recently identified a significant increase in phishing attacks utilizing the website builder Webflow, as threat actors exploit legitimate platforms like Cloudflare and Microsoft Sway. These platforms offer attackers a level of credibility, making phishing attempts harder to detect and easier to execute.

Understanding the Vulnerability

The latest phishing campaigns are targeting sensitive information, including login credentials and crypto wallet seed phrases. Among the platforms targeted are popular crypto wallets such as Coinbase, MetaMask, Phantom, Trezor, and Bitbuy, along with company webmail logins and Microsoft 365. According to research by Netskope Threat Labs, phishing pages crafted using Webflow increased tenfold between April and September 2024, impacting over 120 organizations worldwide, particularly in North America and Asia.

Webflow has become a prime tool for attackers because it allows the creation of custom subdomains at no additional cost. This is a key advantage over Cloudflare and Microsoft Sway, which generate URLs with randomized alphanumeric strings, making them more suspicious to discerning users. Attackers have been creating phishing pages that either directly gather login information or redirect victims to additional malicious sites.

Common Tactics in Use

Phishing pages developed in Webflow mimic the legitimate login pages of their targets, tricking users into entering credentials. Other methods include using screenshots of legitimate crypto wallet homepages that redirect users to scam sites. If users enter their seed phrases or other sensitive details, the attackers can take control of the victim's cryptocurrency wallet and drain its funds. In some cases, users are shown error messages and directed to engage with fake support chat services to further deceive them.

Who Is at Risk?

These phishing campaigns are primarily targeting individuals and organizations in industries with sensitive information, particularly in the financial services, technology, and cryptocurrency sectors. Organizations in the United States, Canada, the United Kingdom, and parts of Europe are most frequently affected, with malspam campaigns exploiting the phishing tactics to gain footholds in larger networks.

The risk extends to anyone using major crypto wallets, webmail systems, or Microsoft 365, making both individual users and businesses vulnerable. Additionally, the techniques used can bypass traditional security measures, so users relying solely on automated detection may be at higher risk of falling victim to these attacks.

How to Protect Yourself

1. Access Sites Directly
   Always type the URL of critical services (e.g., banking portals, webmail, crypto wallets) directly into the browser. Avoid clicking on links in emails, ads, or pop-ups, as these can redirect to phishing sites designed to look legitimate.

2. Enable Two-Factor Authentication (2FA)
   Where available, enable 2FA on accounts. This adds an extra layer of security even if credentials are compromised. For crypto wallets, hardware-based 2FA is preferable as it provides higher security than app-based methods.

3. Use Security Software and Monitor Alerts
   Enable advanced security software capable of detecting suspicious behavior and phishing attempts. Be mindful of browser alerts about suspicious sites, and consider tools like Safe Browsing, though attackers are increasingly using anti-bot services to circumvent detection.

4. Be Cautious of Unusual Requests
   If you are directed to a support chat or customer service that requests seed phrases or other sensitive details, stop immediately. Legitimate services will never ask for private keys, passwords, or full recovery phrases over chat.

5. Educate and Train Teams
   Companies should invest in ongoing cybersecurity training to help employees recognize phishing attempts. Awareness and quick identification can drastically reduce the chance of falling prey to these attacks.

Recent Trends and Threat Developments

Attackers are now using anti-bot tools like Otus Anti-Bot, Remove Red, and Limitless Anti-Bot to keep security crawlers from detecting phishing sites, extending the lifespan of malicious links. This helps them stay undetected longer, increasing the chance that phishing attempts will reach intended targets.

Additionally, ongoing malspam and malvertising campaigns are spreading a new, evolving malware called WARMCOOKIE (also known as BadSpace). WARMCOOKIE can deploy secondary payloads like CSharp-Streamer-RAT and Cobalt Strike. These tools allow attackers to perform long-term operations on compromised systems, making it easier for them to control and manipulate user environments remotely.

What to Expect

As phishing campaigns grow more sophisticated, cybersecurity researchers expect attackers to refine their tactics. The use of legitimate platforms such as Webflow, Microsoft Sway, and Cloudflare has proven advantageous for attackers, and anti-bot services are increasing the persistence of phishing sites. It’s also likely that the tactics will continue to expand to more industries and potentially become more personalized through targeted social engineering.

Conclusion

The surge in phishing activities, combined with the use of legitimate website tools, highlights the growing ingenuity of cybercriminals. By understanding these new phishing methods and practicing vigilant online behavior, users can better protect themselves from falling victim to these scams. Organizations are encouraged to bolster their cybersecurity defenses and educate employees on identifying and reporting suspicious activity. As phishing methods evolve, awareness and proactive measures remain the best defenses.